This topic contains 22 replies, has 2 voices, and was last updated by Rupert 2 months, 2 weeks ago.
July 8, 2016 at 07:06 #3706
I am used to the old one where it will not open a file till I input the password, so how do I sign in to do this? I do not want it opening up as soon as I click on the file. I cannot find a way to sign in.
July 8, 2016 at 08:03 #3708
I’m not quite sure I follow…
You need to sign in to AxCrypt like this:
After you have signed in, files will open without needing a password and you can encrypt files without specifying a password.
You will remain signed in, until you sign out, your screen saver goes active, your computer goes to sleep, your Windows session is logged or you shut down your computer.
July 20, 2016 at 18:48 #3787
Uninstalled and went back to Version 1.
July 20, 2016 at 18:59 #3788
Thanks for taking time to let us know what you think.
However, we really, really do believe that it’s a step forward!
Give it a little time…
First of all – you say “The screenshot login shown on Svante’s post above is in addition to an individual encrypted file password”. This is not how it works – it’s only the first time until you’ve upgraded the old 1.x files which were encrypted with a different password than the one you made for your AxCrypt ID sign in. The upgrade is automatic for files you open, and you can also do batch conversion from the menu.
So, once the files are upgraded, and for all new files, it’s just the sign in password.
You also write “having to sign-in first time you use program in any session” and “doesn’t seem to ask for password on any subsequent encrypted document”. Well, you can’t have it both ways!
What we do, is just like AxCrypt 1. When you click on a file, we ask for the password – we just call it Sign In.
As for the fact that you don’t have to re-type the password all the time, that’s really something we’ve thought a lot about. Please do read the following http://www.axcrypt.net/blog/leaving-computer-axcrypt/ which discusses this feature and the rationale.
Also, please note, that this has always been an option for AxCrypt 1, to remember passwords, we just made it standard with AxCrypt 2 – partly because of confusion caused by the optional nature of the feature in AxCrypt 1.
Once again – thanks for letting us know. All input affects how we develop the software, and inspires us to work hard on clarifying matters such as these so that it’s clearer from the start how and why.
July 22, 2016 at 21:19 #3799
I feel the same way, I do not want it to open without me typing the password, I won’t use it.
July 22, 2016 at 22:27 #3801
Before making that final decision, please read http://www.axcrypt.net/blog/leaving-computer-axcrypt/ and consider. It’s not a random decision, we put a lot of thought behind this.
Svante
July 26, 2016 at 00:54 #3815
I’ll just add my voice to the above users who prefer the previous model. I really, really wish you would go back to it. I would pay for that version.
I’ve read your explanation and no, it is not any more secure “theoretically” than AxCrypt’s current one password model, but in practice, it can be many times more secure. Your explanation compares AxCrypt’s “sign-in” model to entering the same password over and over again. This is a false comparison. What made the old AxCrypt so useful was that you could encrypt files with different passwords. Now, if the AxCrypt password is compromised (setting aside the fact that it leaves you logged in), your entire system is accessible. File by file encryption allowed you to compartmentalize this access. Yes, in theory if one password can be compromised, they all can, but this is not how things work in reality. AxCrypt’s current model is like using one password for all of your internet-related accounts. It increases usability but it massively decreases security. It’s not about a “feeling”, it’s about real access.
You also say AxCrypt is not really about local device security and to use BitLocker, etc. for that. But AxCrypt’s new model has essentially only made it useful for local device security and not much different from BitLocker in terms of practical use. Thanks.
July 26, 2016 at 14:42 #3816
Thank you for your input!
Although we are not quite convinced by your arguments, it’s always good to hear different views about the issue. Although I don’t think we’ll “go back” to the old model completely, what we may do by popular demand ;-) is to make it optional to stay signed in. To be honest – I don’t see the point, but we’ve done other things that don’t really improve security to ease user adoption. As long as it doesn’t significantly hurt it, we’re fine with it.
Leaving that issue for now, I wonder if you could elaborate a little on your thinking when you say “AxCrypt’s new model has essentially only made it useful for local device security”. Here I don’t follow at all – AxCrypt is at its best for encrypting data that is shared via cloud services or email etc. How does your reasoning go here?
July 29, 2016 at 05:31 #3823
Is there any way to get the 1.7 version or any older version because when I right click and click decrypt it automatically decrypts it without a password, so that any one can see what you have encrypted?
July 30, 2016 at 11:16 #3828
You can always re-install version 1.7 or earlier. It is found at http://www.axantum.com/. However, please understand that version 2 will sign you out automatically when the screen saver goes active, you log out of Windows or your computer goes to sleep.
Please read http://www.axcrypt.net/blog/leaving-computer-axcrypt/ for a longer discussion of why you should not walk away from your computer regardless of what version of AxCrypt you are using.
Svante
November 25, 2016 at 15:06 #4726
I’m going against the flow here: I would like to have the option to automatically login without me having to type in the password.
I’m using AxCrypt to encrypt the files in the cloud only, my local files are already secure enough and I never leave my computer unattended without being locked. I frequently lock/unlock/reboot my windows session/computer and it pains me to have to login every time on top of the windows login.
There are different opinions and usage scenarios and I think the way to go is to make AxCrypt flexible enough to address the relevant ones. Setting up options to change how AxCrypt behaves on this matter would be a significant step to reach a wider variety of users, including the more advanced ones. These kind of login mode options could be configured in advanced settings not to scare or confuse new users with complexity.
As to questions like “if an automatic login is in place, then the password would have to be stored somewhere outside the program and could potentially be insecure, accessed and defeat the whole purpose of encryption”:
True that it would open the door for some security considerations but the option can be off by default and accompanied by text explaining the potential consequences and vulnerabilities, leaving the choice and responsibility ultimately to the user.
It can even be simpler than that and just allow the program to launch or be controlled with the user/password as command line parameters with no changes to the GUI options, leaving the burden to secure the command line launch to the user.
November 25, 2016 at 15:22 #4727
Hi João,
I’m with you here, and I fully understand your reasoning. Unfortunately, not everyone can analyze the consequences like you have.
Regardless, addressing the issue of optional behavior around the sign in is high on the list of things to do. We’ll try to enable all levels, from your suggestion “Auto login with Windows”, to “Ask each and every time for the password”.
February 17, 2017 at 13:59 #5540
I think the point here is that in practice most people do leave their computer unattended even if it’s to walk to the coffee machine and the 5 mins before the screensaver comes on, in an office environment is a vulnerable period when someone could click on an encrypted file and it is opened with no security. I think most people want the option to be able to know that once they close an encrypted file down then they have to enter the password to open it again without having to do two steps and sign out or lock the screen.
February 18, 2017 at 07:57 #5549
The problem here is that it’s a false sense of security!
Even in real life, it’s actually quite a stretch that someone would innocently sit down at someone else’s computer and just happen to click and open a file. I can’t really imagine a workplace where this could happen. A work computer is something quite private. It’s like leafing through someone’s phone, checking their dating app or email. You just don’t innocently happen to do that.
So, if someone is actually interested enough to risk the conflict, and even getting fired, to snoop around in someone else’s computer when the rightful owner is taking a break then leaving that computer unattended and logged in to Windows is a very bad idea and once done there’s no telling what may have been installed.
For such a snooper, it’s much smarter and safer to first find a suitable listening tool software, then when the opportunity strikes spend 10-15 seconds to install it in the unattended and unprotected computer, than to sit down and start snooping around with the risk of being seen and asked awkward questions like “what the … are you doing?”.
My point being – requiring the password every time lulls the user into a false sense of security. We’d like to promote a consistent and real level of protection. Also, requiring the password every time will tend to discourage users from using really good and strong passwords, and will also discourage users from using it on many frequently used files because of the threshold to open them “Oh, no, I have to type that 25 character long password again”.
July 10, 2017 at 11:44 #7338
I’m happy to add my voice to the above. While this is a good OPTION, it makes no sense to require it. Why not simply allow users to specify different passwords for different files, and have each file ask for a password when it is opened? This could apply to many things, including files that require certain intellectual property rights, private files like financial documents, legal files like HIPAA other attorney files, etc. Meaning, if my wife or child or coworker uses my computer and I haven’t put it to sleep, they could potentially access files that they are legally not allowed to do. In my own field, as a researcher, often interviews and other data are sensitive and protected by institutional review boards. But I’d also like to encrypt financial files and leave those accessible to my beneficiaries, etc. AxCrypt is making some really big assumptions about how their users use the files, and then above when users have complained, you’re arguing with them about their perceptions of use. But who CARES if your users perceive security in a different way than you do? The job of a good programmer is to suit user needs and desires, not their own preconceived notions. I used to love this program, but I will probably go back to the old version or switch systems. I’m particularly annoyed that old passwords have been “updated” to reflect the new one, which I can never remember anyway since the password rules were different.