> the "thing you know" could also be at risk. I realize this the older I get. Years ago, when I was in university, I had a couple of machines in my room running FreeBSD with full-disk encryption. These machines were powered on for a few months without reboots until one day when the power went out. Having not typed in the password in months, and at the time using the kind of passwords consisting of a long word with a lot of numeric and symbolic substitutions, I was unable to decrypt the disks of my machines. I lost a fair bit of data that day, but it taught me a valuable lesson. These days, any passwords that I use for full disk encryption I make sure to:
>
> 1. Regularly use. Meaning I'll reboot machines and retype the passwords on a regular basis. Likewise, I connect external encrypted disks on a regular basis and decrypt them with their passwords.
> 2. Use pass phrases with many words but without any numbers or special characters. See also https://github.com/ctsrc/Pgen
>
> (For websites etc. I use a password manager.)
And one of the biggest risks with encryption is data loss if passphrases are forgotten - using encryption usually involves accepting that data loss is better than data exposure - which is obviously true for things like passwords (you'd rather forget your bank's password than have it exposed, because you can reset it) but not necessarily true for other data.
This can lead to things like encrypted systems whose off-site backups are stored unencrypted, because they're off-line and the only real risk is theft. Again, it depends on what the data is.
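As an added illustration of the passphrase advice in the quoted comment (example code written for this page, not from the thread or from Pgen): the script below generates a word-only passphrase with the OS CSPRNG, computes how many bits of entropy a given word count buys for a given wordlist size, and checks that a candidate contains only words (no digits or symbols). The 32-word list embedded here is constructed so the block runs offline; a real generator would load a published list such as the EFF large wordlist, whose size (7776 entries) is used as a constant for the entropy arithmetic. The function names are the example's own.

```python
import math
import re
import secrets

# Constructed sample wordlist so the example runs stand-alone.  32 entries
# gives exactly 5 bits per word, which makes the arithmetic easy to check.
SAMPLE_WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grape", "harbor",
    "ivory", "jungle", "kettle", "lemon", "marble", "nickel", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anchor", "basket", "candle", "dragon", "falcon", "garden",
]

# Size of the EFF large wordlist (7776 = 6**5, one entry per five-dice roll).
EFF_LARGE_WORDLIST_SIZE = 7776

# A "plain" passphrase in the sense of the quoted comment: lowercase words
# separated by single spaces, nothing else.
_PLAIN_RE = re.compile(r"^[a-z]+( [a-z]+)*$")


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and independently."""
    if n_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from at least two candidates")
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count reaching target_bits for the given wordlist size."""
    if wordlist_size < 2:
        raise ValueError("wordlist must have at least two entries")
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """Draw n_words from wordlist with secrets.choice (CSPRNG, not random.choice)."""
    if len(set(wordlist)) != len(wordlist):
        # Duplicates would bias the draw and overstate the computed entropy.
        raise ValueError("wordlist contains duplicate entries")
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def is_plain_passphrase(candidate: str) -> bool:
    """True if the candidate is words and spaces only: no digits, no symbols."""
    return _PLAIN_RE.match(candidate) is not None


def count_words(candidate: str) -> int:
    """Number of space-separated words in a passphrase."""
    return len(candidate.split())


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print("bits from sample list:", passphrase_entropy_bits(6, len(SAMPLE_WORDLIST)))
    print("bits from EFF large list:",
          round(passphrase_entropy_bits(6, EFF_LARGE_WORDLIST_SIZE), 1))
    print("words for 128 bits (EFF large):",
          words_needed(128, EFF_LARGE_WORDLIST_SIZE))
    print("plain words only:", is_plain_passphrase(phrase))
```

The entropy figures assume every word is chosen uniformly by the generator; a phrase a person composes from memory does not get this guarantee, and the comment's "regularly retype it" habit is what keeps the generated one usable.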