New version of Axcrypt – why 2 passwords now?

This topic contains 10 replies, has 2 voices, and was last updated by  Svante 1 year, 2 months ago.

  • #6091 Reply

    Jeff S

    With the older version of Axcrypt – I only needed 1 password to open files. With the newer version I now have 2 passwords – why? Did I choose that or install with features I didn't want/need?

    #6093 Reply

    Klaus

    You don’t need two passwords.

    • You’ll be asked for your AxCrypt 1.7 password to decrypt the file. Obviously no password = cannot decrypt.
    • You’ll be asked for your AxCrypt 2 password once a day or until you lock your system

    Your AxCrypt 1.7 files will be automatically converted to AxCrypt 2 files. As soon as this has completed you’ll only be prompted for your AxCrypt 2 password.

    #6096 Reply

    Jeff S

    I'm opening the same file every time at least once or twice a week in Google Cloud – but I'm still getting 2 password prompts.

    See uploaded pic of both password prompts:

    #6104 Reply

    Svante
    Keymaster

    Hello Jeff,

    As Klaus explains – you should only be asked for a second password if the file was not encrypted with the password you use to sign in to AxCrypt with.

    If the file in question is encrypted with AxCrypt 1.x, it will automatically be re-encrypted using the sign-in password – thus eliminating the extra prompt the next time. Provided you have a sufficiently modern version of AxCrypt installed, and you have not disabled the option.

    I can’t tell what version you have, or what version the file is encrypted with. You can see this in the main window title bar and the recent files list.

    #6115 Reply

    Frank

    Make sure the Auto Convert 1.x Files.

    If you still get prompted each time (for the same file) for both passwords then decrypt it and then encrypt it again but this shouldn’t be required. The proper solution is to ensure your checkbox for Auto Convert is ticked.

    #6120 Reply

    skeptical

    So, let’s get this straight:

    1. Axcrypt only allows one password for all of your files.

    2. You must tell Axcrypt what your password is.

    This gives Axcrypt access to your encrypted files.  They now have the power to give your passwords to government agencies with access to our Dropbox/OneDrive accounts, or just sell it to the highest bidder.  Even if there is no explicit malicious intent, this is very poor security practice, because Axcrypt is vulnerable to having their data stolen by hackers, just like everyone else.

    If you want to protect your files, use a truly open-source encryption tool supported by non-profits and privacy advocacy groups.  It doesn’t take much searching online to find safe and free alternatives to these shenanigans.

     

    #6121 Reply

    George

    “This gives Axcrypt access to your encrypted files.”

    In a word: rubbish. AxCrypt is not a cloud solution, i.e. only a user has access to his files. You use your existing cloud storage or physical storage solution to keep your files on. AxCrypt couldn’t access your files even if they wanted to.

    “They now have the power to give your passwords to government agencies with access to our Dropbox/OneDrive accounts, or just sell it to the highest bidder.”

    If you’re concerned about government agencies then no amount of encryption will help you. But if you’re paranoid then toggle the “Always Offline” option. Sorted.

    “Even if there is no explicit malicious intent, this is very poor security practice, because Axcrypt is vulnerable to having their data stolen by hackers, just like everyone else.”

    Nope. AxCrypt don’t store your password so what is there to steal? If you’re paranoid, use the “Always Offline” option.

    “If you want to protect your files, use a truly open-source encryption tool supported by non-profits and privacy advocacy groups. It doesn’t take much searching online to find safe and free alternatives to these shenanigans.”

    AxCrypt IS truly open-source. If you don’t want to use it, don’t. Your computer = your choice. I’d recommend you read the posts from people on here who know what they’re talking about: if you’re a TAO target then you might as well call it quits – the government have access to your computers, files. Most people recognise that the NSA have multiple vulnerabilities for Windows (i.e. unpatched ones) which they can use to gain access to your system. They’ve broken systematically into every operating system (Linux, OpenBSD) and all web cryptography (including TLS). As a nation state it’s game over if that is your concern.

    No “shenanigans” involved.

    #6124 Reply

    Svante
    Keymaster

    Hello skeptical,

    George has actually responded correctly, if somewhat strongly perhaps, to your concerns. In this case, since I’m the author of AxCrypt, having designed it all and programmed most of it, I think it might be appropriate with a personal response as well.

    First, I’d like to remind everyone here that we’re all friends and let’s keep the tone civil. No need for derogatory terms etc, let’s stick to fact and sometimes opinions without those extra words which bear no extra information.

    Here’s the thing about “You must tell Axcrypt what your password is” and “This gives Axcrypt access to your encrypted files“. How else could it possibly be? This is the same for 100% of cryptographic solutions – somewhere there is software that accepts your password, and thus knows it!

    I think what you’re really trying to say is “You must send your password to a remote server, which gives the software or operator of that server potential access to your encrypted files – if the operator or software developer has malicious intent. It might give hackers potential access if the operator or software developer is sloppy or incompetent.” This *is* true, but it’s the same regardless of where the software is executing – on your PC or our servers.

    Here’s the real difference:

    Your PC: A machine with probably literally 100s of installed softwares from all kinds of sources, with absolutely no chance for you to be really sure of the quality or intent of said softwares, and often installed more or less at whim for a moment's need. A machine which is operated by a human (you, and possibly your family, kids, kids' friends, spouse, friends, colleagues etc), making decisions of where to click, what to type, what to download, what sites to visit many, many times a day. All of those decisions with the potential of being wrong. One wrong click, site visit or download is enough to compromise your PC. It’s also a machine which is often moved between public and private wireless networks, often left unattended, sometimes even with Windows signed in while you get a coffee or whatever. A machine which is used for countless purposes, work, play, media etc with software installed for all those reasons. All that software with the risk of bugs and security vulnerabilities. A machine typically with lots of ports open to the Internet to make all those functions and file sharing etc work.

    Our Server: A machine with the absolute minimum of installed softwares, with each and every one carefully vetted before installation. A machine with no extra functions except what it needs to do. No play. No games. No media. Not even a database – we rolled our own no-sql to 100% remove the risk of SQL-injection attacks. It never moves. We never use a browser. It has a total of 3 ports open to the Internet: HTTP, HTTPS and SSH. It is operated by a single dedicated professional, with a single purpose – and quite infrequently at that.

    Now, which environment do you honestly believe to be the most safe, secure and trustworthy?

    Remember – if you’re using ours (or anyone else's cryptographic application) you’re going to be executing that code. So you have to trust the code. You’re giving the code not only your password, but literally every byte of confidential information you encrypt or decrypt will go through that software.

    Since you must trust the code in order to use it – given the above, just what environment is really the greatest risk to run that code in?

    If security is only as strong as its weakest link – where’s the weak link here?

    For a technical description of what we do, and what we actually store on the server, please check out https://www.axcrypt.net/documentation/technical/ . For the full source code of the core libraries and the Windows application, go to https://www.bitbucket.org/axantum/axcrypt-net/ .

    To summarize what we keep on the server: A file encrypted with AxCrypt using your password.

    What scenario is AxCrypt designed to protect you in: A file encrypted with AxCrypt using your password being accessed by the wrong person.

    In other words, should data leak from our server, it’s actually just an application of the exact scenario AxCrypt is intended to handle in the first place. If your password is good enough, no harm is actually done.

    #6130 Reply

    Jeff S

    I am using AxCrypt 2.1.1481.0.   I think I once used AxCrypt 1.8 or ??

    I have AxCrypt 2.1.1481.0 on all my laptops now. And am still getting a double password. My AxCrypt’ed file is on my google drive. Scares me to death when I try to open one of my critical Axcrypted files – hoping I don't forget both passwords.

    Jeff S.

    #6131 Reply

    Neil

    Jeff S,

    You’ll need to contact AxCrypt support by email then.

    This is a user-led forum and people on here have told you how to stop getting asked for two passwords. You’ve not told us what configuration you’re using so we can’t help you.

    What you’re describing (two passwords) is not normal behaviour so you’ll need to contact AxCrypt directly sending full logs and screenshots.

    #6132 Reply

    Svante
    Keymaster

    Hello Jeff S,

    Neil is quite right – please contact our support. If you have Premium (Trial or Paid), sign in to https://www.axcrypt.net/ and start a Premium support ticket. If not, please email to: support att axcrypt dott net .
