News Stay informed about the latest enterprise technology news and product updates.

How much encryption is too much?

Many security companies try to thwart competitors by including stronger encryption in their products. But is this a battle worth fighting? Brien Posey offers his take on encryption-strength wars and explains how to ultimately achieve adequate encryption in Windows systems.

An encryption-strength battle is waging in the security market today. Companies are trying to thwart competitors by including stronger encryption in their products. But when is enough enough?

Adequate encryption is often defined as encryption that is strong enough to make brute-force cracks against Windows passwords impractical because they would take too long to complete. However, Moore's Law indicates that available computing power doubles every 18 months. So what is considered adequate encryption today probably won't be sufficient a few years from now simply because faster computers will be available, and encryption will be deciphered more quickly.

I'm not going to become a victim of Moore's Law, dear Readers, and make a statement like "128-bit encryption is strong enough." Many years ago, Bill Gates stated that 640 KB of memory should be enough for anyone. The statement was fine in its day. By today's standards it is ridiculous.

Since I am not going to make a definitive statement about what I consider to be sufficient encryption, let me tell you a little story instead that explains my feelings on the subject.

A few years ago, I was preparing to write a product review comparing various antivirus products. To help me with the evaluation, a friend gave me a CD filled with viruses that I could use to test each product. Obviously that's not the sort of CD you want to accidentally put in your computer, so my friend placed all of the files in an encrypted archive as a safeguard against accidental infection.

Anyone with a little bit of knowledge and enough CPUs can crack a strong encryption key in a reasonable amount of time.
Brien Posey contributor

I recently needed the CD again to assist me in writing a different article, but now I couldn't remember the password to open the archive. I attempted a brute-force crack against the archive, but the cracking software told me the encryption was so strong it could take up to five years to break the password. My article was due in three days -- and I didn't think my editors would appreciate a five-year wait, so I made copies of the CD and ran the cracking software simultaneously on 25 different Windows computers. I specified a different start and end point on each machine so no two machines would have overlapping efforts.

It took me longer to set up those machines than it did to crack the password. Once everything was up and running, I cracked the password in less than two hours -- even though the archive was using strong encryption.

I can always rely on that story to support my belief that strong encryption has its place, but strong encryption alone is an inadequate defense. Anyone with a little bit of knowledge and enough CPUs can crack a strong encryption key in a reasonable amount of time.

Encryption is also ineffective on its own because encryption and decryption processes consume a lot of CPU time. The more highly encrypted your data is, the more data access becomes CPU-intensive, which makes it harder for you to access your data. You can obtain network cards that offload the decryption process from your Windows system's CPU, but those cards are only designed to perform specific types of decryption (i.e., IPsec packet decryption). If you are encrypting the data itself, or using a proprietary means to encrypt a protocol responsible for transporting data, then you will have to rely on old-fashioned, CPU-based decryption.

To truly be effective, strong encryption must be combined with other security techniques. One of the best encryption practices involves changing the encryption key frequently. This technique may not work for file encryption, but it's great for transmitting data securely. The idea is that every packet is encrypted by a different key. If someone manages to determine one of the keys, it won't do them any good because the key expires immediately after the packet is sent.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at Brien M. Posey is a regular contributor on

More Information from

  • Tip: If you haven't done so already, find out why you need to deploy IPsec policies on your network
  • Tip: If you're ready to implement IPsec policies, get best practices before you start
  • Topics: Research Windows Server 2003 encryption techniques and tools

  • Dig Deeper on Windows 10 security and management

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.