Reply To: AxCrypt 2 makes me sad…

#6533 Reply

Anonymous

Or the attacker could wait until Jennifer next types in her other password (assuming multiple passwords) and then use that to decrypt the really sensitive files. Both rely upon the attacker getting their hands on the data itself… so a key-logger and a trojan.

So it’s pretty clear you didn’t read my post. Extra steps are taken to ensure safety prior to opening the real secure files i.e. Rebooting with Shadow Defender, using Sandboxed Programs, etc.

Jennifer has serious security issues (a trojan and a key-logger) which encryption cannot solve

No. Jennifer can use encryption to protect a wide array of files, Jennifer just can’t use AxCrypt because AxCrypt is fundamentally flawed. A keylogger will not steal my VeraCrypt key within an offline VM, but if I used that same password for a less secure file then it’s entirely possible they could steal my key. Axantum claims they treat all files as though they’re in the public domain but their program shows otherwise.

The opposite is also true. Having one very secure password means the data is much more safe because the user is less likely to forget it. With multiple passwords the chances of forgetting the various passwords are far greater.

Again, this is nonsense. By your logic it’s best to use the same password on every single web-page. Use a password manager – one which YOU can access secretly and safely i.e. KeePass with a strong password (Mine is 64 Random ASCII characters all of which I’ve memorized because I use it so frequently). It is easier to protect that single point of access in case of forgetting a password as opposed to trying to secure all access to your computer at all times.

If Jennifer is really sensible she’d use a password manager to store her really secure AxCrypt password – or is Jennifer afraid of that “single point of absolute failure” too – despite all the evidence to the contrary [on the efficacy of password managers]?

You clearly didn’t read my post, nor did you read Axantum’s post. You can control how you access a password manager, in order to securely use AxCrypt you’d have to use your secure procedures – decrypt the file/use the contents – then return to normal operation.

AxCrypt isn’t designed for advanced users – it’s designed for everyday computer users who want a simple, modern interface with mobile apps. Advanced users will use pre-scripted shell commands piped into GPG which allows them to choose their own encryption algorithm, hashing algorithm, number of iterations, file output format etc.

So you agree with me, AxCrypt v2 is for basic users with no knowledge of how Encryption works. AxCrypt v1 is far from that, it is for this reason that I will never suggest v2.

So let’s get this straight:

AxCrypt v2 can’t protect against malware’s access to their files – even through secure offline procedures.
AxCrypt v2 can’t protect against local access to the machine – due to the fact that the key is always cached and will be used (Without any prompt of any kind) by any program requesting to open the file.

So it doesn’t protect you against remote-access (as AxCrypt v1 did, as when the file was not in use you couldn’t just use a cached password to steal the contents) and it doesn’t protect you against local access. So what the hell does v2 protect you from?

The lowest common denominator AKA 99% of users. Please try breaking the encryption though – the cryptographic community and world powers would be extremely interested and you could become a multi-billionaire overnight.

You do not have to break AxCrypt’s encryption, AxCrypt is an insecure method of securing files, if you need local protection use BitLocker and a secure Windows password. If you need remote protection use a program that PROMPTS YOU for your password rather than storing it FOR THE ENTIRE ACTIVE PERIOD OF YOUR PC.

Want to steal an encrypted AxCrypt file remotely?

1. Set default file format to shell script to print the output to a file.
2. Simply open the .axx file (AxCrypt will decrypt it without prompt provided the user has logged in once)
3. The file is un-encrypted, have fun.

I’m a user as well. I’m also a competent mathematician, programmer and engineer and I appreciate being able to use something quick and easy without all the complications and hideously archaic GPG commands that can destroy an encrypted file in an instant because of a small typographical error.

I’m also a software engineer, I also enjoy when software is easy to use, and I use AxCrypt v1 with no issues other than the lack of AES-256. If you added AES-256 to v1 I’d be gone in an instant. If you don’t want to hear user complaints maybe you shouldn’t come into a thread about how v2 isn’t meeting some users’ needs.

You’re criticising a developer who chooses to make his software available for free and who contributes to the open source world. If you can do any better why don’t you fork AxCrypt and we’ll all take a look at your input.

*Eye roll* Oh I’m sorry, did I anger the fanboys? I have massive respect for Axantum and I’ve used v1 for a long time, I’ve had numerous friendly interactions with them on Facebook, I was under the impression that they were intelligent, reasonable people who could handle criticism, then again I wasn’t aware that when it came to Open Source Software you had no right to comment. You know, now that I think about it, Microsoft C# is open-source too! I’ll never offer any input ever again, guess users should just re-roll the entire implementation every single time they have a criticism.

Seems you came in, read two lines of my post and began fuming over the fact that I could DARE criticize your lord and savior. I suppose instead of criticizing them and potentially seeking change I could just never buy their software. I want to buy their software and thus I’d like for it to have advanced capabilities. AxCrypt v1 served a certain audience (even having command line options) and to a significant extent v2 excludes that audience. I’m sorry for wanting to continue to be part of AxCrypt; I didn’t realize it was a “No Criticism” zone.