Gutmann, a developer, author, speaker and honorary researcher at Auckland University’s computer science department, realises that the password advice might seem to fly in the face of reason.
“Think about it. If you’ve written down your complicated password on a piece of paper someone would have to break into your house to get it to then break into your online account. That’s not likely when the crooks are sitting in Eastern Europe.”
Conversely, he says having one user name and password for all accounts is perhaps the worst thing a user can do.
“That way if one account is compromised then effectively all of them could be.”
Gutmann is world-renowned for his work on security architecture and is in demand on the IT security speaking circuit. His PhD thesis has been published as an academic textbook (Cryptographic Security Architecture: Design and Verification) and he has at least two more books in the pipeline.
“That one’s very much an academic book. The next one is more straightforward and is more about my take on different security issues.”
Gutmann’s role at Auckland University doesn’t pay anything but it allows him to do what he likes. His income is derived from one of those products nobody’s ever heard of but which many of us use — Cryptlib.
Cryptlib is built into embedded products such as ATMs and print servers, where it does jobs like authenticating a user's right to use a particular printer.
“It’s widely used but invisible. Basically it’s a general purpose tool used inside applications so most people don’t even know it’s there.”
Gutmann says this is the best approach to issues like email encryption — make it happen automatically.
“PGP has been around for over a decade and has a tiny market share still.”
Cryptlib, by comparison, is marketed by health software developer Orion Systems.
“There are plenty of cool people using it but if I tell you who they are they’ll kill me,” says Gutmann, only half joking.
Gutmann didn’t set out to be a cryptographer.
“I was working in data compression but you really can’t make much of a difference there. I sort of drifted into cryptography.” Gutmann says his work isn’t about maths-intensive algorithms.
“There’s very little maths involved. Basically that part of it’s secure these days. It costs too much in terms of time and effort to break the code to make it worthwhile. I work on the stuff around that to make sure that’s defensible.”
Gutmann offers the example of public keys. “What’s the point of securing your system with the most up-to-date encryption technology if you email someone your key in an insecure manner?”
Gutmann likes to quote cryptographer Bruce Schneier on the subject.
“Basically he says it’s like putting a large iron stake in the ground in your front garden and hoping the burglar will run into it. It’s the rest of the garden that matters as well.”
So Gutmann isn’t worried that if he’s too good at his job he’ll do himself out of a career.
“As long as there are computers we’ll need security people.”