SAN FRANCISCO — Strong encryption is easy and available for all, security researcher Jessy Irwin told attendees at the RSA Conference here yesterday (March 3).
"Most people think, 'Security is really hard, and I want to learn more, but I have no idea where to start,'" Irwin said. "But that's not true."
You need to do only a few things to drastically improve your security posture, Irwin said: Use a password manager; fully encrypt your computers and smartphones; and use end-to-end-encrypted communication services.
"Pick a good password manager," Irwin said. "It doesn't matter which one, as long as it works well for you."
Irwin, who works for 1Password maker AgileBits, said that it's best to let the password manager generate passwords for you, rather than trying to come up with a strong password for every account yourself.
"If you're able to create a password in your head," she said, "then it can probably be cracked."
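To put numbers on that advice, here is an added example (written for this page; it is not Irwin's or AgileBits' code) that generates a password the way a password manager does, with a cryptographically secure random source, and compares its entropy with a typical head-invented pattern such as a dictionary word plus two digits and a symbol. The dictionary size (50,000 words) and the attacker's guess rate (10 billion guesses per second) are assumed illustrative figures, not values from the talk.

```python
import math
import secrets
import string

# Alphabet a typical password manager draws from: 52 letters, 10 digits, 32 symbols = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from a cryptographically secure RNG (never random.choice)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(word_count: int = 50_000, digit_choices: int = 100,
                         symbol_choices: int = 32) -> float:
    """Entropy of a head-invented 'Word12!' style password.

    Assumed model: one word from a dictionary of word_count entries, a two-digit
    suffix (100 choices) and one symbol (32 choices). Cracking tools enumerate
    such patterns directly, so the word contributes only log2(word_count) bits,
    not log2(94) per character.
    """
    return math.log2(word_count) + math.log2(digit_choices) + math.log2(symbol_choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years an attacker needs to try every candidate at the assumed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    gen_bits = entropy_bits(len(ALPHABET), len(pw))
    pat_bits = pattern_entropy_bits()
    print(f"generated: {pw}  ({gen_bits:.1f} bits, "
          f"{years_to_exhaust(gen_bits):.2e} years to exhaust)")
    print(f"'Word12!' pattern: {pat_bits:.1f} bits, "
          f"{years_to_exhaust(pat_bits):.2e} years to exhaust")
```

The point of the comparison is the gap in scale: a 20-character generated password carries roughly 131 bits, while the memorable pattern carries under 30 bits and is exhausted in a fraction of a second at the assumed rate, which is why the advice is to let the manager generate and remember the password rather than inventing one yourself.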
The next step is to use full-disk encryption on your computer and smartphone, Irwin said. Nothing on the storage drive will be readable without your password for that device.
For the past couple of years, full-disk encryption has been mandatory on iOS as soon as a screen-lock passcode is set up. It's become so strong that even the FBI can't get past it.
Now full-disk encryption has become mandatory on Android as well, but only on devices running Android 6 Marshmallow that can handle processor-intensive tasks without drastically slowing down the system.
Full-disk encryption isn't mandatory on computers, Irwin noted, but the capabilities have existed for many years. Mac OS X has FileVault, which users can enable from the Preferences menu. Microsoft Windows offers BitLocker, but it's only available on the more expensive business configurations; users of "Home" editions of Windows will have to use third-party software. Irwin recommended the free TrueCrypt, although that software is no longer being developed or supported.
Then there's a wealth of encrypted communications software, Irwin said, including virtual-private-network (VPN) services, Web-security plugins, encrypted email providers, encrypted desktop instant-message clients and a huge number of secure mobile apps.
Irwin didn't have a preference among VPN services, but said it was well worth paying a small yearly subscription fee to gain security on otherwise insecure open Wi-Fi networks.
"If you're crazy like I am and go to DEF CON," a famous yearly hacker convention, Irwin said, "that's a hostile environment where VPNs help."
For encrypted email, Irwin recommended the free ProtonMail, which is also available for iOS and Android. But, she noted, to make proper use of it, your friends need to use ProtonMail too.
She also recommended using the free HTTPS Everywhere browser plugin, available for Google Chrome, Mozilla Firefox and Opera, which makes sure Web connections are encrypted whenever possible.
Open-source desktop IM clients such as Pidgin or Adium that incorporate the Off the Record (OTR) encrypted instant-message protocol have been around for years. But more recently, Irwin noted, secure mobile-communications services such as the free Wickr have begun to offer desktop versions that integrate seamlessly with the mobile apps.
"The fun thing about this application is self-destructing images that actually go away, unlike Snapchat," Irwin said.
Another top-rated free secure mobile communications app is Signal, available for iOS and Android. It also encrypts voice communications, and it will soon come to the desktop, according to Irwin.
"It's very easy to use," Irwin said. "It looks exactly like iMessage in a lot of ways."
Both Signal and Wickr offer end-to-end encryption, which means messages cannot be read by anyone other than the sender and the intended recipient. To confirm that your choice of messaging app offers end-to-end encryption, Irwin said, users can check the Electronic Frontier Foundation's secure-messaging scorecard, which notes whether messages are both encrypted in transit and encrypted so that the service provider itself can't read them.
All of these services and apps will encrypt messages, but few will disguise your identity. For that, there's the anonymizing service Tor, which conceals the origins of Web traffic using browser plugins and other software. It's not as simple to set up as other services Irwin mentioned, but it's gotten easier to use.
"I know kids who use Tor in school," she added. "They connect to their Kik networks and hang out while in class."
Irwin concluded her talk with a quick checklist of security steps for each member of her audience to take over the next few months.
"Next week you should improve your password security habits and get into the habit of updating your software," she said. "Next month, set up full-disk encryption on your devices, use an end-to-end encrypted app with a colleague or partner, and use a VPN when connected to unsecured Wi-Fi."
"In the next three months, you should encourage others to encrypt private or sensitive information," Irwin added. "Try sending an encrypted email — just once!"