I won’t buy your product if it implements “military grade security”.

When looking at commercial or consumer products, how often do you see the phrase “military grade security”, very often as the only nod to the security of the product?

The phrase tells me two things.

  1. You do not understand security;
  2. You do not understand military grade security.

So I won’t buy your product.

Why?

By saying “military grade security” you probably mean you have implemented an algorithm such as AES. This is not a knock on AES; it is a great algorithm, designed to protect routine confidential information. Yes, the military may use it to protect routine material, but it is not used for anything they consider particularly sensitive; in today’s climate they will almost certainly also be using high-grade, quantum-safe algorithms.

Algorithms such as AES are perfectly suitable for commercial-grade products, but that is not what I care about. Attackers rarely break the encryption itself. They break the passwords or keys used with the encryption, which is much easier to do. Alternatively, they find a weakness in the software and gain access to the unencrypted data.

So please don’t tell me you use military grade encryption. Instead, tell me how you protect the keys you use, and what quality control mechanisms you use to verify the software.
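As an added illustration (not part of the original post), the script below shows why the key, not the cipher, sets the real security level: a 256-bit AES key derived from a password is only as strong as the password plus whatever work the key-derivation function forces on each guess. The password sizes, scrypt parameters and the rough cost model are assumptions chosen for the example.

```python
import hashlib
import math

# Constructed parameters for the example (not from the original post).
AES_KEY_BITS = 256
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed scrypt work factor
SALT = b"\x00" * 16                              # constructed fixed salt; use os.urandom(16) in practice


def derive_key_naive(password: str) -> bytes:
    """Key derivation seen in many products: one fast hash, no salt, no work factor.
    A guess can be tested at hash speed, so the 256-bit AES key is only as strong
    as the password behind it."""
    return hashlib.sha256(password.encode()).digest()


def derive_key_scrypt(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard derivation: every guess costs the attacker the full scrypt
    work, and the salt defeats precomputed tables."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; an upper bound for human-chosen ones."""
    return length * math.log2(alphabet_size)


def scrypt_work_bits() -> float:
    """Rough cost of one scrypt call relative to one fast hash, in bits (assumption:
    about 2*N*r*p block-mix operations per call)."""
    return math.log2(2 * SCRYPT_N * SCRYPT_R * SCRYPT_P)


def effective_key_bits(password_bits: float, kdf_work_bits: float,
                       cipher_key_bits: int = AES_KEY_BITS) -> float:
    """Work to recover the key: guess the password (entropy) times the per-guess KDF
    cost, but never more than brute-forcing the cipher key directly."""
    return min(password_bits + kdf_work_bits, cipher_key_bits)


def main() -> None:
    pw_bits = password_entropy_bits(62, 8)        # 8 random alphanumerics
    assert len(derive_key_naive("example")) == 32 and len(derive_key_scrypt("example", SALT)) == 32
    print(f"advertised cipher strength : {AES_KEY_BITS} bits")
    print(f"8-char random password     : {pw_bits:.1f} bits of entropy")
    print(f"naive SHA-256 derivation   : {effective_key_bits(pw_bits, 0):.1f} effective bits")
    print(f"scrypt derivation          : {effective_key_bits(pw_bits, scrypt_work_bits()):.1f} effective bits")


if __name__ == "__main__":
    main()
```

Either way the product's "256-bit" key delivers far fewer effective bits than advertised, which is exactly why the question to ask is how keys are generated and protected.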
