May 15, 2016 at 00:57 #3073
I am already registered with Axcrypt.
After I installed the latest Axcrypt, free version 2.1.1390.0 64bit, and tried to open my existing Axcrypt files, a message came up saying I have to log in the first time I use Axcrypt.
After I put my email address in, it asks for a password.
I can’t remember if I created a password when I registered, and my encryption password I use to open files doesn’t work.
But why do I need to do this when I’ve been using Axcrypt for many years? It’s not the first time I’ve used Axcrypt. I’ve been forced to uninstall the latest Axcrypt and go back to an earlier version to open my files.
Can you please help me on this problem.
Bernie :-(May 15, 2016 at 09:20 #3074
Sorry for the inconvenience! We’re still fine-tuning the on-boarding process for existing users.
If you have an old account but have forgotten the password, use the “Forgot your password?” link at the lower right on https://account.axcrypt.net/ to reset your password.
Once reset, you can use that to sign in to AxCrypt 2.
We now realize that many old-time AxCrypt users registered with us a long time ago, but since the account has been dormant since then the password is blissfully forgotten.
We’re developing AxCrypt with many new capabilities, and even old-time AxCrypt users will benefit, but it may be a trifle confusing at first.
With both old AxCrypt 1.x and the new AxCrypt 2.x all encryption is done locally, and when all is said and done it’s encrypted with your password, although there are a few layers of indirection involved.
The difference now is that we’re adding extended features with server extensions for other operations, most notably the capability for others to share encrypted data with you (and vice versa), by what we call “key sharing”. There are other features as well, and we’ll be bringing even more to you in the coming months including support for Mac, iOS and Android.
We’re also moving from an advertising revenue-model which has caused some annoyance (and to be honest not sufficient revenue to develop the software as I’d like). Therefore, AxCrypt 2.x has a Free mode more or less equivalent to the old AxCrypt 1.x and a for-pay Premium mode with stronger encryption, key sharing, password mananger and direct support and more to come.
All this requires that users register and prove their credentials to us – i.e. sign in!
We do not store your password on the server. You do not need Internet access to encrypt or decrypt files.
Since we anyway have the sign in, we’re also using that for AxCrypt File Encryption because we don’t want you to have to use more passwords than absolutely necessary. It also opens up some more interesting capapbilites, such as simple password change to all files you ever encrypted.
Therefore, as an old AxCrypt 1.x user, you’ll first have to register, sign in and then convert your old files to the new format to fully benefit.
We’re in the process of improving the conversion process for old users, but for now, decrypt your existing files using your old password, and then encrypt them again with AxCrypt 2. After that, all you’ll need is your new password to AxCrypt 2. The same one for files and for server based services. This is *not* a non-recommended re-use of a password, we’re still a single instance even if we work in two dimensions, locally and server based. Re-use happens if the password you use for AxCrypt is used at a different service, or vice versa.
Yes, the on-boarding and conversion can be experienced as annoying at first! I’m working very hard at making this process much less so!
SvanteMay 16, 2016 at 02:58 #3077
Thanks for the post Svante. Unfortunately I’m totally confused.
I only use Axcrypt on my PC and do not share any information with other person’s computers.
I have never used Key-file, and don’t even know what it is.
When I try to open existing files with the new Axcrypt, it asks for my email and log-in user name.
I have then been able to open existing files using my existing password.
However, I can’t find any option to clear password, so the file I’ve just opened stays open and unprotected.May 17, 2016 at 08:16 #3102
Even if you only use AxCrypt for your personal use and never share anything with anyone, those features that allow you to do so should not be in the way.
Key files are only supported for backward compatibility with AxCrypt 1.x, and will not be used or mentioned once you have converted to AxCrypt 2. Not sure why you mention them…
There is an update to AxCrypt 2 available that makes it easier to migrate from the old to the new. Please try it out!
In AxCrypt 2, the “clear passphrase” function is called “Sign Out”, and is available under the File menu. Also, AxCrypt 2 will automatically sign out if the screen saver becomes active, you log out of your Windows session, the computer goes to sleep or is shut down.
The point here is that you should never walk away from your computer without at least a password protected screen saver being active.
SvanteMay 29, 2016 at 05:08 #3267
Have been able to use all functions. However, I still have a problem.
I sign in using my email address and password. And then open a file using my encryption password.
After I’ve finished with the open file, I clear the encryption password by signing out.
However, next time I want to open a file, I have to log in again using my email address and password. I thought that you only had log in once for the initial use.
Is this a glitch, or am I doing something wrong?May 29, 2016 at 12:25 #3268
This is probably a stupid question, but … if passwords are not stored on your server, how are we able to sign in to your website by entering our password?
Thanks.May 30, 2016 at 11:58 #3277
No, it’s not a stupid question… But the answer is important. So where we go.
In the good old days (and scarily enough even today in way too many cases), log in to sites was done by storing your password as you type it, typically in a column in a database or a in key-value text file.
Then as it was realized this was a bad idea, a hash of the password was stored instead. This is still the most common form. The idea is that it’s computationally impossible to reverse a hash, so you can verify a password, but not figure out what it is from the data stored on the server.
Then, as computers got faster and memory larger, people figured out they could precompute huge tables with potential passwords and hashes, and then do a quick reverse look-up. This was about 40 years ago, in the early 1970’s and the good people at AT&T developing Unix incorporated the idea of a salt, a non-secret random quantity added to the hasing process along with the password, making pre-computing more or less infeasible. What’s really scary is that this basic technique is over 40 years old, and still probably over half of the systems today including newly developed (for example Linked In up until 2012) still don’t use this elementary technique!
All of the above store the password or a direct computation from the password on the server.
What AxCrypt does is subtly different. Here’s the thing: What is AxCrypt made for? It’s made so that if an attacker gains access to an encrypted file, the only recourse is brute force (trying each and every possible password) and that is actively made more difficult by an iterative process.
What we *do* store on the server, are one (possibly a few) encrypted files, one AxCrypt-encrypted file and one XML-encrypted file (for historical reasons, we’ll migrate to AxCrypt for that as well). These encrypted files contain the secret part of a RSA key-pair, which is the technique we use to implement key sharing (sharing of encrypted files among users, who use their own passwords) and optionally passwords stored using the password manager.
So, while we do not store your password on the server, we do store data encrypted with your password. In one sense this is similar to storing password hashes, but in another important aspect it is very different.
Our assumption when describing the security model of AxCrypt is that an attacker has access to your files, our specifications and our code. I.e. – nothing is secret except the password.
Thus, assuming an attacker would gain access to the server and export a file encrypted with your password, nothing has changed. We already assume that an attacker has that access, since that’s what AxCrypt is made for – to protect your files if they are exposed.
Now, there is one twist to this. We do send the password to the server and let the server decrypt the file if necessary. This is not strictly speaking necessary, we could pass the encrypted data to the client and do all cryptographic stuff on the client. However, our thought is that we gain a lot of usability and flexibility for the users by doing it this way, at a very low expense security-wise. Our users already entrust us with their data via our code on their clients (where we have little control over the environment), so we think it’s a reasonable compromise to allow our servers (where we have very strict control over the environment) the same access. The ‘weak’ link in this case is the transport over SSL. Here’s the thing with AxCrypt and me – we’re not conspiracy theorists. We actually believe SSL works, and Snowden appears to agree with us. Strong encryption works. That’s why the agencies have had to cheat so much!
Right now we’ve made the call to prioritize usability over a formal zero-knowledge model. I’m not really a big fan of the zero-model knowledge model when applied to situations like this, since it essentially assumes the user is absolutely trustworthy, which (s)he is not! It’s theoretical model, that works differently in practice.
This decision may change in the future, we’ve not built anything that absolutely requires the password to be made available to the server at all, but right now, yes it is during the sign in process and when working online via the website or the REST API. But we don’t store the password or a hash. We do store one or more encrypted files.May 30, 2016 at 12:00 #3278
Update to the most recent version of AxCrypt and enable automatic conversion of old AxCrypt 1.x files. This will convert them to the new format and AxCrypt ID sign in password as you go along, and make the use much more convenient.
SvanteMay 30, 2016 at 18:43 #3286
Thanks for that very helpful and detailed reply.
So, when I try to log in to your site, I’m granted access if my password successfully decrypts a file(s) on your server? That is ingenious! The “weak spot” would be the brief window when the password is transmitted to the server. I agree this should be acceptable for most of us.
Thanks again. I’ve learned a good deal about encryption in the past week or so!May 30, 2016 at 18:48 #3288
Yes, that’s the gist of it. We’ll be publishing detailed specifications about exactly what we do, both in laymen terms as well as with technical details. We’ll also be publishing documentation about the file format we use, and how we apply the cryptographic primitives, as well as how to call our public REST API (which is what AxCrypt does for it’s online extensions).
For now, though, I’ll try to answer questions such as yours well as I can (and then I’ll re-use some of the text when I publish it more formally).
I feel that we have a reasonable compromise between theoretical security and practical usability. Of course, not all will agree, but we’ll be very upfront with exactly what we do and why.
SvanteJune 4, 2016 at 03:11 #3386
I have the same problem ,I think ? I have files which have been encrypted a few years back (2013 last modified) and I have tried to open these files tonight but I have to enter a email address and my password !
Okay I know my email address and I know my password …But I cannot gain access as it states that my password is invalid!
I have searched my emails and have found 3 emails from you many years ago .
I note that new passwords need to be 10 characters long , and my old password was shorter !
Your help would be much appreciated
ThanksJune 5, 2016 at 12:21 #3389
Apologies. We really need to continue working on the onboarding process for existing users. We thought it was so simple, and we beta tested for almost 6 months. We’ll improve and clarify the process, I promise! So sorry for the confusion.
In the meantime, here’s how it works:
AxCrypt 1 – Each and every file was encrypted entirely independently. AxCrypt 1 did have the option to ‘remember this password for encryption’, so while it was active you did not have to retype it every time you encrypted a new file.
AxCrypt 2 – Each and every file is still actually encrypted entirely independently with a password. But… We made the ‘remember this password for encryption’ feature mandatory, and associated each AxCrypt session with an e-mail and an online account, which happens to be the same as was used for update notifications for AxCrypt 1.
So, the typically confusing situation is that an existing AxCrypt 1 user upgrades to AxCrypt 2, and is asked for an e-mail, and if the e-mail was used to register the old AxCrypt, asked for the password to that account.
Now, it appears, most people do not remember the password used to register AxCrypt 1 a couple of years ago… ;-) And a lot of users think that the password requested is the “AxCrypt” password used to encrypt their files. This is confusing of course. We realize that now.
Here’s what you should do (until we improve this in the actual sign in/sign up) if you’re not asked to create a new AxCrypt ID, but just prompted for a password after entering the e-mail and your AxCrypt 1 file-password does not work:
1. Go to http://www.axcrypt.net, click the “sign in” menu, and on that page select the “Forgot password” link in the lower right.
2. Follow the instructions to reset the account (AxCrypt ID) password.
3. Set a good and strong password on the account (AxCrypt ID). This *can* but does not *need* to be the same as the old password you used for your files. It might be time to upgrade that password to something better anyway.
4. Ensure you have the latest (2.1.1398 or later) version of AxCrypt installed.
5. Start AxCrypt 2 and sign in with your new password.
6. Open your old AxCrypt 1-files. You’ll probably be prompted (again) for a password. This time it *is* your old AxCrypt 1-password!
7. If you followed step 4, you’ll be prompted to enable auto-conversion of your old files. This will cause them to be re-encrypted with AxCrypt 2, using your new AxCrypt ID-password as you open and use them.
Why did we do these changes?
Mostly because it happened every now and then that users encrypted new files but mistyped the password, and subsequently were unable to access them when they did type it correctly.
The new procedure (once you get past the conversion from 1 to 2 hurdle) is much less typing-error prone.
There are many other reasons as well, but this is one of the major ones.June 16, 2016 at 13:47 #3489
As a very long-time Axcrypt user, I’m pleased that I found this thread. I do actually have my original password.
I think I understand the way this now works i.e. every file or folder that is encrypted is encrypted with my Axcrypt email/password, which is somehow strengthened via your server.
I have two questions.
Firstly, how will this function if your server(s) is down, or for some reason I have no internet access for extended periods (it happens a good bit in the UK)?
Secondly, if I change my Axcrypt logon password, which I might expect to do quite regularly, what happens to anything previously encrypted with my old password?June 16, 2016 at 14:02 #3490
If you have old files encrypted with an old version of AxCrypt and the password is different from the password used to sign in to AxCrypt 2, the following happens:
1 – You sign in with the password you signed up for AxCrypt 2 with.
2 – You attempt to open an ‘old’ file. AxCrypt tries to use the sign in password, but discovers it doesn’t work.
3 – AxCrypt pops a new password dialog, asking for the password for this specific file. This is where you enter your old original password.
4 – AxCrypt succeeds in decrypting the file, and asks if you’d like to Auto Convert the file. We recommend you click yes.
5 – Assuming you clicked ‘yes’ in step 4, AxCrypt now takes the decrypted file and re-encrypts it with the AxCrypt 2 encryption, and the sign in password instead of the old file password.
So, from this point forward, you have effectively changed the password for the file. You no longer need the old password for that particular file.
There is no strengthening or any actual interaction with the server during encryption. The server connection is only used to update licensing information and synchronize some ‘behind the scenes’ internal keys, check for new versions etc. All encryption and decryption is done locally.
There is no need to have an Internet connection to use AxCrypt. It’s only required when AxCrypt is registred on a device, i.e. when you run it the first time on a computer. Not thereafter.
If you change your AxCrypt ID Account Sign In password, all files that have been encrypted while signed in to AxCrypt 2 will also open with the new password.
Your old AxCrypt 1 files that have not been converted are as they are, and still require the original password used then.June 17, 2016 at 10:12 #3514
Thanks for that very lucid explanation.
I now need to set about decrypting rather a lot of files!