Small Is Beautiful
Hey Guv,
Just so you know, from what I’ve read (somebody please help me with the source–one of you must know) if you upgrade to WinZip 9.0 or above it comes with PGP encryption. If you then choose a password with 10 or more characters, you’ll probably be okay with regard to common criminals or the curious who come across your disc or file. Zip your files, communicate the password over the phone, send the disc by a trustworthy courier (or electronically), and this will work in the interim until you sort out something for the longer term. Oh–and don’t send more data than you need to.
Update: Ian Brown Says:
December 6th, 2007 at 9:59 am
No. WinZip 9.0 contains AES (the recent US govt-approved Advanced Encryption Standard) which is secure *if* a password of adequate strength is used. A 10-character password does not qualify and could be guessed trivially by password cracking software. Key management is much harder than just using an appropriate cipher.
Tom Fuller Says:
December 6th, 2007 at 10:35 am
Hi Ian,
Thanks for this.
How many characters should the password contain, and what proportion should be non-alphabetic–do you happen to know? I think that a lot of mid-level government staff would be able to use this information.
In related news,
“The Information Commissioner, Richard Thomas, said that a number of public bodies and private companies had contacted him over the fortnight since the HMRC incident was revealed to confess that they too had lost data.”
“Hundreds of people in police witness protection programmes have been put at risk by the loss of millions of child benefit records, The Daily Telegraph can reveal.”
Expect to see a lot more of this: “Now imagine that a company that you knew had just lost the details of 25 million of its customers, including some who are at risk of violence because of something they’d done for you in the past, was setting up a scheme to bring all of your biometric details together – every valuable confidential piece of information that identifies you as you – and was going to charge you £100 to join.
Want to sign up? No, me neither.
The National Identity Register is just that, a Government database to be used as the final authority for confirming identity. It will be shared with other Government agencies and even though it’s specifically prevented from holding some information (tax and medical records, for example), we’ve never had an electronic register of every British person before.”
When it comes to data warehousing, it’s becoming painfully evident that bigger is not always better.
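Since Tom’s question (how long, and how many non-alphabetic characters?) has a quantitative answer, here is an added worked example that is not part of the thread or the commenters’ own words. It computes the entropy of random passwords of a given length and character mix, the entropy of a short dictionary passphrase, and the worst-case time for an offline attacker to exhaust each. The character-class sizes (33 printable symbols), the 20,000-word cracking dictionary and the figure of 10^9 guesses per second are all assumptions chosen for illustration; the real guess rate against a WinZip archive depends on its key-derivation step and on the attacker’s hardware.

```python
"""Password entropy for an AES-encrypted archive: how long, how many symbols?

Constructed example, not from the thread. Assumptions are marked below.
"""
import math

# Alphabet sizes per character class. Assumption: the attacker knows which
# classes the password drew from, so only the chosen classes count.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed offline guess rate for an attacker who has the file in hand.
# 1e9/s is a hypothetical figure; the real rate depends on the archive's
# key-derivation function and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1e9

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(length, classes):
    """Entropy of a uniformly random password of `length` chars from `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_bits(words, vocabulary=20000):
    """Entropy of `words` words picked at random from a `vocabulary`-word list.

    Assumption: 20,000 words is a typical cracking-dictionary size.
    """
    return words * math.log2(vocabulary)


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate tried at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def minimum_length(target_bits, classes):
    """Smallest random-password length that reaches `target_bits` of entropy."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return math.ceil(target_bits / math.log2(alphabet))


def compare(policies):
    """Return (label, bits rounded to 0.1, years) for each (label, length, classes)."""
    rows = []
    for label, length, classes in policies:
        bits = random_password_bits(length, classes)
        rows.append((label, round(bits, 1), years_to_exhaust(bits)))
    return rows


if __name__ == "__main__":
    policies = [
        ("10 lowercase", 10, ["lower"]),
        ("10 mixed (all four classes)", 10, ["lower", "upper", "digit", "symbol"]),
        ("14 lowercase", 14, ["lower"]),
        ("16 mixed (all four classes)", 16, ["lower", "upper", "digit", "symbol"]),
    ]
    for label, bits, years in compare(policies):
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
    # A memorised 10-letter password is rarely uniform: two dictionary words
    # look like 10 characters but carry far less entropy than 10 random letters.
    print(f"{'two dictionary words':30s} {passphrase_bits(2):6.1f} bits")
    print("length for 80 bits, all classes:", minimum_length(80, ["lower", "upper", "digit", "symbol"]))
    print("length for 80 bits, lowercase only:", minimum_length(80, ["lower"]))
```

Two things the numbers show: ten random lowercase letters (about 47 bits) fall to an offline attacker in days at the assumed rate, while ten random characters drawn from all four classes (about 66 bits) or fourteen random lowercase letters (also about 66 bits) take centuries, so extra length buys roughly as much as adding symbols. The figures only hold for passwords that are actually random; a pair of dictionary words that happens to be ten characters long has under 30 bits and is within reach of a wordlist attack regardless of length.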