Personal Information, Encryption, and the Relocation Process

Jan 22, 2020

Personal Information, Encryption, and the Relocation Process

To start, a reminder that Japan Info Swap is a part of The H&R Group, which provides a wide range of real estate, relocation, staffing, and life-enrichment service in Japan. This blog was created to help communicate the information, knowledge, and expert advice of the H&R Group family of companies to their clients.

The relocation process requires varying degrees of personal information, from immigration documents to housing contracts or driver’s licenses, so we have a lot on hand during our client’s relocation process, and our clients provided all of it to us, usually by email.

As a result, we are understandably a bit paranoid about how this information is sent, stored, and eventually deleted.  We can do a lot on our end. Still, we would feel a whole lot better if we could start on our client’s end instead and accomplish our work with full end-to-end encryption of the personal information essential to completing the services initiated to us by our clients.

What is Encryption? 

Encryption changes information in such a way as to make it unreadable without a “key” that allows the information to be put back into its original, readable form.  Encryption allows us to securely protect data and ensure that only authorized parties will have access to it.

We strongly recommend that our clients take the initiative and learn how to encrypt documents before sending them.  It is easier than one might think, and it is our sincere hope that ancillary to their relocation our clients learn better personal data security habits that will protect them long after they have returned from Japan and forgotten about us.

Encryption Sounds Hard… 

You might think so, but it is pretty simple to do. The hardest part is securely communicating the password; more on that later.  To begin with, encrypting data is easily done using a “document open password,” which requires a user to type a password to open the document. We recommend three options that are probably installed on your computer, at least your office computer, already.

1. Microsoft Word, Excel
2. Adobe Acrobat (not reader)
3. 7-Zip

*Please not that “Microsoft passwords are not effective” is a common refrain, and true, if you are referring to edit or print passwords, which are notorious, but a “document open password” is different, and a powerful tool if used correctly with a strong password…more on that later. 

Rather than explaining how to add a document open password in each platform, we will link to the explanations that these companies (or other entities) already offer for these software product’s encryption components.  In short all you need is find the right pull-down or other menu item and enter a password, and that isn’t much of an oversimplification.

Microsoft Encryption

Office 2016 and 2013 provide for AES-256 encryption, which is very secure if a strong password is used. To encrypt a document using Microsoft Word or Excel, follow the instructions below.

• Word 2016 / 2013      https://support.office.com/en-us/article/Password-protect-a-doc…
• Excel 2016 / 2013      https://support.office.com/en-us/article/Protect-an-Excel-file…
• Office 2010 (AES- 128)     https://support.office.com/en-us/article/Add-or-remove-protection…

Adobe Encryption

Adobe Acrobat Professional offers unbreakable 256 encryption from version 10 (X), which is very secure if a strong password is used. To encrypt a document using Adobe Acrobat Professional, follow the instructions below.

• https://helpx.adobe.com/acrobat/using/securing-pdfs…

7-Zip Encryption

7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as “archives.”  You may be familiar with “WinZip,” which is similar and also offers an encryption option.  If sending multiple documents, adding them all to a password protected and encrypted “archive” file is the most convenient way of sending them securely.

7-Zip is available for download, for free, here, www.7-zip.org

• www.medicalnerds.com/how-to-encrypt-zip-files…

Passwords

“Cracking” AES-256 encryption is currently impossible…for now, ( though who knows what the NSA or China can do that they are not telling us about…).  Cracking the older AES-128 encryption is possible but would cost a lot of money, and likely only a government or large (and exceptionally well funded) criminal organization would attempt it.  And why would they?  There is a far more straightforward way to get that data most of the time.

Cracking an encrypted file or online account’s weak PASSWORD is far easier than most people understand by “brute force” or “dictionary” attacking the password. Without exaggeration, if the password is not strong enough, an exceptionally bright child could crack it with software downloaded from the internet.

No amount of encryption will protect a file or account unless a strong password is used

How long do you think these passwords will last against a supercomputer running brute force password cracking software against them??

bob
less than 1 second

bobb35
less than 1 second

B0b35tel!
about 4 weeks

^0@^@7KLk7W1Ud6
16 BILLION YEARS

bobcat jerky heart dollar (a “mnemonic” password)
8 SEPTILLION YEARS

Granted, a supercomputer is hard to come by and expensive, but any computer will do it, if more slowly. You can test your password ideas with this site.  Please note that you should probably not test your ACTUAL passwords…anywhere.

Password Best Practices

1. Do not write down your passwords and ESPECIALLY don’t put them on post-it notes on the computer… I am looking at you here mom!
2. Do use a “password manager.”  We recommend “Lastpass” because you could actually share passwords directly with us through that system…which simplifies the process of communicating it to us securely; more on that later!
3. Do use the password manager’s “generate random password” feature to create complex passwords of significant length, at least 11 characters, but 25 would be better.  Advances in computing tech mean that we must add one character per year to keep up with the bad folks ability to break them.  Currently, that # is 11, but if you use a password manager, you wont have to remember your passwords anyway, so… I use the maximum amount of characters whatever I am encrypting will accept.
4. Do not use dictionary words, generally.
5. Do use dictionary words unless they are combined to create a “mnemonic password.”
   1. used in bulk (dog aircraft coin payphone citadel)
   2. random (not: dog cat canary zebra monkey)

Communicating the Password

One mistake that many people and companies make is to go through all the trouble of making an encrypted file and using a strong password, only to send the password AND the file through the same email account. Sometimes they will take the extra step of sending the password in a separate email, but neither is a good idea.

If someone has access to the email account, for example, it gets hacked or an internet company has a rogue employee, they can just open both emails.  At best, this protects against accidental forwarding, which is helpful, I suppose.  Otherwise, both emails are probably sitting in at least one sent items folder, an inbox, even the deleted items folder, waiting to be discovered, for longer than we are comfortable with.

A better practice is sending the password via a separate channel, for example, SMS, Linkedin, Skype, or a phone call. It’s an extra step and honestly inconvenient, but it offers a MUCH higher level of security, and we think it is worth the effort to protect our clients.

As mentioned earlier, our staff use Lastpass, and you can share a password directly to them from within that system as well.  That keeps things very simple, but is still safe!

More Reading and Resources

howsecureismypassword.net

www.digitaltrends.com/computing/can-email-ever-be-secure

www.xkcd.com/936

www.lastpass.com