Forums Community AxCrypt 2 makes me sad… Reply To: AxCrypt 2 makes me sad…

#6544 Reply

Brian

Shaun, I wasn’t giving a personal recommendation of BCArchive and I wouldn’t want to because there’s no way for me to validate what’s going on under the hood as they don’t allow you to review the source code.

It’s Windows 95-era software updated over the years but it’s never been recommended by ‘crypto gurus’. Some of the algorithms appear extremely secure but the implementation is where software most frequently fails so the most secure encryption can turn out to be extraordinarily weak if they make a small error. As it can’t be peer reviewed these errors will go undiscovered.

I only suggested it because the other user wanted to ‘feel’ safer by using multiple passwords.

AxCrypt has a relatively large user base, has been around for a number of years and been reviewed by a great many people. It’s frequently updated (majorly important), has a modern UX and it’s quick and easy to encrypt/decrypt files without all of this multiple password nonsense. It doesn’t make you any more secure using multiple passwords and gurus like Zimmerman argue that multiple passwords make you insecure even in the examples posited by RaymondLC92.

If a hacker wants your data, he’s going to get it whether it be encrypted or not, sandboxed, air-gapped or energy-gapped. There’s viable attacks against all common methods of ‘protecting’ your information.

Let me correct an common misconception. The government do not use AES-256 for information above Top Secret. True, the NSA don’t recommend AES-128 for Top Secret (only AES-256) but that’s still subject to additional caveats and there’s information far more sensitive which AES-256 is not sufficient for. They know that encryption alone doesn’t keep data safe. The government have their own algorithms developed by leading cryptographers (most of which they employ) and have been subjected to extensive cryptanalysis.

In fact most of the really sensitive data is kept on paper; and typed on daisy wheel typewriters.

I don’t have information anywhere near Top Secret. I have medical records, bank statements, tax returns and so forth and the ease of AxCrypt over the unproven security of some other software means I stick with AxCrypt along with hard drive encryption. I’m not concerned about the one password methodology because I know that if a hacker can get into my system to steal that one password then he’d be able to get at all of my information anyway.

If I make life difficult for myself by having multiple passwords, VMs, sandboxed processes and that level of paranoia then I’m opening myself up to a greater attack surface by the simple fact that:

  • I’m using multiple pieces of software (more risk of critical bugs: malicious or otherwise)
  • More chance of making a mistake and completely compromising my security
  • Using proprietary encryption methods designed to look secure, but aren’t proven
  • Having to keep a record of multiple encryption passwords
  • Moving data in and out of the VM/sandboxed process

Shaun – if people feel happier using multiple passwords, let them. Experts don’t recommend it and there’s a good reason why – and it’s nothing to do with dumbing things down. As you pointed out, most don’t understand encryption and I can guarantee that they’re making mistakes fatal to their online security.

As a closing note Windows tracks all keyboard input (including passwords) and sends it back to Microsoft even if you’ve got telemetry turned off.