How much can Digital Cryptography do?
My friend, Dennis, sent me an article about a Cloud-Security dependent business that was driven out of business by a hacker. Great article. The last paragraph interests me most, as it proposes the usual and customary over reliance on digital cryptography.
This statement may seem harsh to many. Digital cryptography is tricky business. Recasting poor password creation and maintenance processes into digital certificates solves nothing. For example, those who don't change passwords quickly enough are least likely to patch their cryptography software quickly enough. Those who don't periodically pitch passwords on the pretense that these are compromised and likely over distributed are likely to create digital certificates with long lifespans and then distribute subordinate CA certificates too widely. How much is too much? The wrong digital cryptographers will never go through this analysis.
And when the government has seeded cryptography with deterministic PRNG technology? Priceless back dooring. But these cryptographic implementors are not paying attention to this event.
No, Digital Cryptography, done well, can help us overcome the growing severe problems with password over dependency. But that only starts when we, consumers of the stuff, demand more from those who drive us to these solutions, too often as a feel-good, knee-jerk reaction. If your risk analysis doesn't consider vulnerabilities in today's cryptographic environment, that's a true sign of bigger failures to come.