October 9, 2016 at 08:00 #4400
In version 2, you have to first sign-in to the interface to encrypt files.
I have multiple files and want to encrypt using different passwords.
How to handle this using version 2?
With the good old version 1.x, this was not a problem. Each time it used to ask the password.
October 9, 2016 at 10:58 #4403
The use of different passwords is often an unfortunate misuse of the old software. The only legitimate use-case for different passwords in AxCrypt 1 was if you wanted to share encrypted files with different teams.
Please read a longer discussion about this here: http://www.axcrypt.net/blog/use-of-different-passwords/ .
October 9, 2016 at 17:50 #4407
I read that post and I agree partly with that. My scenario is I want easy to remember password for basic confidentiality of documents on local PC. Another cryptographically strong password (16-32 characters in length), I keep for documents stored on cloud storage. Easy to remember passwords are not strong. Therefore I created a cryptographically strong password and only this password resides in my password manager. I have noted it down in NotePad and kept one copy in a TrueCrypt volume as well.
Coming back to one password policy implemented in AxCrypt version 2. Suppose my password gets stolen and I have to immediately change it, I will have to login to AxCrypt site and change it. But what about old files which were previously encrypted with compromised password.
Now I will have to keep track of all files which were encrypted with compromised password. Later if I find even a single file located somewhere on my system and want to decrypt it, this will not work. I suppose I will have to again change the password on AxCrypt site to get this file decrypted.
This might be a mess. Even if I agree with one password policy of AxCrypt, I want to change it once in a year.
There is no doubt a password manager comes in handy here.
October 9, 2016 at 18:10 #4409
Here’s the thing – suppose indeed your password gets stolen! If one password gets “stolen”, you’ll have to assume all are in most cases. But with one strong password, you’ll at least be protected from the password being cracked, or guessed if it relates to your other passwords in any way.
If a password for AxCrypt-encrypted files is revealed for whatever reason, all files that were originally encrypted with that password will be possible to open. That’s just how it works, since AxCrypt is essentially still password based file encryption, although we do have some other features added on top of it.
But, what this means, is that if you do change your password for your AxCrypt ID you can still open all “old” files with their original password, as well as with the new one. For a longer discussion and explanation you might want to read http://www.axcrypt.net/blog/axcrypt-online-vs-offline/ . It’s about online vs. offline, but it ties into this very much.
You’re welcome to change your password every year, but it’s not something I recommend. Use a really good password, and keep keeping it secret. There’s not much additional security added by changing passwords unless you also at the same time re-encrypt *all* files encrypted with the old password.
Finally, always consider just what scenarios you’re really protecting against and take appropriate (not too large, not too small) measures based on that.
October 10, 2016 at 08:06 #4413
Just in case I changed AxCrypt sign-in password. Now how to decrypt the files which were encrypted using any old password? Will AxCrypt automatically take care of this? If the hash is embedded in the encrypted code itself for authentication.
October 10, 2016 at 08:46 #4416
Since this is about encryption, not access control, we don’t store hashes for authentication. What *is* stored in the files is an encrypted key. The actual key used to encrypt the file is a 128 or 256-bit random key you never see. Your password is used to encrypt that key.
If the existing files were encrypted with AxCrypt 2, and you *changed*, not *reset* your password they will seamlessly open with the new password. The article here: http://www.axcrypt.net/blog/axcrypt-online-vs-offline/ explains how this works.
Otherwise, AxCrypt will prompt you for the password.
March 16, 2017 at 14:57 #5751
I also would prefer to be able to encrypt/decrypt files individually. Axcrypt2 functionally becomes very much like Veracrypt in that when you decrypt, all your files are functionally unencrypted. So Axcrypt loses its distinctiveness from other products. The reason I don’t like the idea of Veracrypt is that to use any of my encrypted files, I must unlock all of them. If someone has hacked my computer, and can copy files from it, then ALL of my sensitive information is open to them. With Axcrypt1, at least the damage is minimized so they can only get the information from the one currently open file.
I understand that if you have been hacked to the extent someone is accessing your computer, you are already in a world of hurt. But I guess it makes me “feel” better knowing the whole farm isn’t wide open when I work with one file.
By the way, it seems like from a functional security standpoint, if I use the same very strong password for all my files with axcrypt1 (thus saving me from remembering multiple passwords), it would still be better security than all my files basically unencrypted at once.
BTW, Many thanks for your work over the years.
March 16, 2017 at 22:00 #5752
Thanks for your input! I think the most common problem here is not really using different passwords or not, but the AxCrypt 2 behavior of remembering the password so you don’t need to / have to type it every time. This existed in AxCrypt 1 as well, but was optional (“Remember this passphrase for decryption”).
We’ll be adding an option to require the password for every time a file is opened, not because we really think it’s a good idea or necessary, but by popular demand ;-)
March 16, 2017 at 22:30 #5754
Thank you for your reply. It is very gracious of you to answer all these questions and comments – it must take hours. And thank you for adding that option. I will take advantage of it.
I don’t really know how “risky” it is to have my private documents un-encrypted for a couple hours while I work with one of them. Probably a fine example of paranoia. I suppose a hacker would have to be paying attention to my one little PC at the time I have my files un-encrypted and copy them off before I am done and re-encrypt them. And I doubt a hacker can afford to sit there and watch my computer waiting for me to work with an encrypted file, so I suppose the chances of that are nearly nil. But it somehow comforts me to know that only the file I am working with is exposed at that time.
Brian
March 16, 2017 at 22:41 #5755
You are welcome. Although we try to make AxCrypt about real security within well-defined boundaries, if we can provide both real security and a good feeling, we’ll try to do so.
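An added example, not part of the thread and not AxCrypt's code, of the scheme described in reply #4416: a random file key encrypts the data, and a key derived from the password encrypts ("wraps") that file key. PBKDF2, the HMAC-based stand-in cipher, the dict layout and every function name are assumptions of this sketch; it goes slightly beyond the thread by contrasting re-wrapping the key with the full re-encryption mentioned in reply #4409.

```python
import hashlib, hmac, secrets

def kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the password (PBKDF2 is this sketch's choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode, so the sketch needs only the stdlib.
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong password or corrupted data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def encrypt_file(password: str, data: bytes) -> dict:
    salt, file_key = secrets.token_bytes(16), secrets.token_bytes(32)  # key the user never sees
    return {"salt": salt, "wrapped_key": seal(kek(password, salt), file_key),
            "body": seal(file_key, data)}

def decrypt_file(password: str, f: dict) -> bytes:
    return unseal(unseal(kek(password, f["salt"]), f["wrapped_key"]), f["body"])

def rewrap(old_pw: str, new_pw: str, f: dict) -> dict:
    # Password change: only the small wrapped key is redone; body and file key stay the same.
    file_key = unseal(kek(old_pw, f["salt"]), f["wrapped_key"])
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": seal(kek(new_pw, salt), file_key), "body": f["body"]}

def reencrypt(old_pw: str, new_pw: str, f: dict) -> dict:
    # Full re-encryption: a new random file key, so stale copies share nothing with the result.
    return encrypt_file(new_pw, decrypt_file(old_pw, f))

def opens(password: str, f: dict) -> bool:
    try:
        decrypt_file(password, f)
        return True
    except ValueError:
        return False
```

Calling `rewrap` and then `opens` with the old password on both the original dict and the re-wrapped one shows the point made in the thread: the updated file rejects the old password, but any copy made before the change still opens with it, which is why only `reencrypt` on every file retires a compromised password.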