Forums Community Unhappy with version 2 Reply To: Unhappy with version 2

#5473 Reply


Hi KurtW, I’m a user of AxCrypt and, whilst I preferred 1.7 because of the multiple passwords and simplicity, I know that you’re mistaken in your belief about password hashes.

Your password is sent to the AxCrypt server, so you’ve got to trust AxCrypt, but the hash on its own is useless.

AxCrypt 2 uses SHA512. Even if a hacker were to obtain the hash of the password he has three problems:

1 – The hacker would need access to your files

2 – The hacker would need the key pair used to encrypt the files

3 – A hash on its own is useless unless you know the actual password

I don’t know where you get the idea from that a hash on its own can be used to decrypt the files: that’s a fundamental misunderstanding of modern cryptographic systems. A good hashing technique (like SHA512) should be non-reversible* without the correct password.

*Within a reasonable period of time. SHA512 can resist a brute force attack for trillions of years if your password is strong enough.

There used to be a technique known as pass the hash but this was only on specific types of systems which used old-school cryptography. This is no way applicable to AxCrypt 1 or 2 as you will realise if you read/understand the technical details.

The password used for login is to retrieve the public/private keys from the server. The private key (used to decrypt) is useless without the correct password. AxCrypt have said they do not keep a copy of the password.

So whilst in theory a hacker could obtain the public/private keys and password hash from the server he’d still not be able to access your files even if he had access to them. One possible attack in the scenario you posit would be if he were to somehow intercept the website traffic: however it’s encrypted over TLS/SSL. The other possible attack would be if he were to install keystroke interception software on your computer. But if you allow such software to be installed on your computer (either through ignorance or by not using anti-virus) then there’s no point in him wasting time trying to break the encryption because he can just steal the files from your system when they’re next in an unencrypted state.