Helping people with computers... one answer at a time.

Encrypted attachments in email can increase the level of security for sensitive communications, but only if done right.

I liked your article on secure email last week, but I think really secure email is too complex for most folks. In the family, we increase security by sending messages as password-protected Word documents. In the actual email, we can easily hint the password like your first pet's name and of course, these Word documents can broken with a proprietary computer program, but for daily use they're sufficient and simple. What do you think?

In this excerpt from Answercast #78, I look at ways to secure sensitive email by sending encrypted attachments.

Encrypted attachments in email

What I think is that for daily use most people don't need encryption at all. Most of what we talk about via email, to be honest, isn't that sensitive, isn't that interesting.

If you find yourself in a situation where you really do need to send something securely (because for whatever reason if it were discovered by somebody, if it were intercepted by somebody at any time, there would be some consequences) then yea - encryption makes sense.

Password protecting Word documents

I'm not a huge fan of password protected Word documents. Partially because, I guess, I don't trust them.

In the past, as you've pointed out, there are definitely programs available that can crack a Word document that's been password protected without too much trouble.

Your first pet's name, for example, is a problematic choice because it's typically going to be something short - unless you have a pet's name that is like 12, 14, 20 characters long. Even a brute force attack, where every possible password is tried against the Word document, can succeed in a reasonable amount of time (if of course it's worth it for the attacker.)

So, I'm not really a big of fan of Word documents. But if you do use Word documents, do make sure you're using a sufficiently strong password to lock it.

Encrypting for email

What I actually suggest in general for encryption is software that is specifically designed for encryption.

What I usually end up recommending for individual files (if you've got a single filee that you are attempting to send to somebody in an encrypted form) is I would use either AxCrypt which will literally just encrypt a file. Or use a utility like 7Zip, or WinZip, or any of the Zip alternatives; and make sure to specify a password when you create the zip file.

Of course, you can include multiple files at that point, but the idea is it may be a tool you already have - and it does have fairly robust encryption in it these days.

Long passwords

Once again, it all goes back to picking a secure password.

I strongly suggest you actually think of it as a "pass phrase" so it's multiple words long, to make sure that things are secure.

When we get into places like a true business environment, or a government environment, where there is highly confidential information going on, things that have significant consequences, that's when I start thinking about even higher levels of encryption or more complex systems.

Email encryption is difficult

Now, I agree with you completely. Email encryption for the average user is fundamentally broken; it's just too hard to do and too hard to do right.

So, in general, the right solution is pretty much what you've described - take a document; write what you want in that document; encrypt that document and then send that document as an attachment.

That's secure. That's probably the most practical secure mechanism that you might want to use at a personal level - as long as you're using an appropriately secure tool to encrypt the document - and most important of all, you're using an appropriately secure password to lock that document down.

But like I said, for day to day use, I don't use encryption. In fact, I can probably count on the fingers of one hand the number of times I've bothered to encrypt any email in maybe the last ten years. It's just not something that comes up that often.

I understand that many people are in situations, sensitive situations, where that's not an option. They really do need to secure what is they send, and who it is they send it to. But like I said, sending an encrypted attachment is typically the most practical approach.

(Transcript lightly edited for readability.)

Article C6131 - December 13, 2012 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.