This topic contains 64 replies, has 3 voices, and was last updated by Anonymous 4 years, 1 month ago.
-
AuthorPosts
-
Ben LangtonAxCrypt 2 makes me sad…Axantum created a nice utility (AxCrypt) and then made it totally different, and useless (AxCrypt 2). I wish you had named AxCrypt 2 something totally different; it bears no resemblance to AxCrypt 1. The only reason I upgraded from AxCrypt 1 was because of an apparent bug that kept locking my encrypted file, so I couldn’t save changes in NotePad++.
Why would I only want to be able to use one password to encrypt files?
Why would I want to give Axantum the password to all of my encrypted files (yes, I know that you claim not to store the passwords; I even believe you, but still…)
Why would I want to have to sign in to encrypt or decrypt a file?
AxCrypt 1 was so simple and useful; AxCrypt 2 is overly complex and confusing; I just wasted 20+ minutes trying to figure out how to use it, and now that I understand how to use it, I’ll be uninstalling it immediately, and looking for a different utility that works the way AxCrypt 1 did.
Very unfortunate.
TimWhy would I only want to be able to use one password to encrypt files?
Their official statement on that is here: Use of different passwords considered harmful
Why would I want to give Axantum the password to all of my encrypted files (yes, I know that you claim not to store the passwords; I even believe you, but still…)
This is why I use AxCrypt in “Always Offline” mode because it never connects to the internet.
Why would I want to have to sign in to encrypt or decrypt a file?
<b>Signing in means the decryption key is stored in AxCrypt’s local memory. If you need to work with multiple files like I do then being able to double click on a file and not have to type in a long password each time (and in AxCrypt 1.7 you had to remember to encrypt it again) then the new model makes much more sense.</b>
Leave AxCrypt 2 running in the background whilst you’re logged on and you don’t need to enter a password each time. Log off and the password is wiped from memory.
AxCrypt 1 was so simple and useful
What’s there to stopping you from reinstalling it, apart from the bug in Notepad++ you talk about? Both versions of AxCrypt were/are free and provided as-is.
RaymondLC92I agree with you Ben, I was actually just about to write up a long winded post on this very topic.
Axantum seems to have taken the stance that the greatest threat to security is the user i.e.:
– If a user picks a password they will pick a weak one.
– If a user can pick multiple passwords they will pick multiple weaker ones.Axantum will thus treat you as a child and control the way you secure your files, much the same way Microsoft enforces updates on users – regardless of the negative outcomes. The thought process is “Users are stupid, we have to protect them from themselves”.
Evidence of this thinking can be found by walking through Axantum’s statement found here: https://forum.axcrypt.net/blog/use-of-different-passwords/
The second, using different passwords for yourself, is a little counterintuitive perhaps but the truth is – there is no need, and no benefit.
So first of all this is patently false, it’s an asinine assumption, and it’s wrong in just about every way.Let’s say that our end-user is Jennifer, she has some files she wants to keep very secure (i.e. Smexy photos) and some files she’s less concerned about say a daily journal. We’ll imagine that Jennifer – like myself – LOVES encryption, she uses it on anything and everything that deserves any amount of privacy.
Jennifer is very careful, she accesses her Sexy photos via sandboxed programs which can’t connect to the internet to prevent leaks, for some files she even scans her computer and disconnects her internet. Her Daily Journal however isn’t really that big a deal to her, she values keeping it private but nowhere NEAR as much as she does her Sexy photos! Maybe Jennifer uses my current setup with Shadow Defender and restarts prior to accessing her most private files.
Axantum – in contrast – has determined that all of your encrypted files are of equal value, there is no need to protect them differently.
You decide to do some online surveys (Jennifer is hugely into Swag Bucks) and then update your Daily Journal, unfortunately you contract a drive-by keylogger *GASP* and it records your login to AxCrypt. Congratulations, all of your files are now vulnerable. Not only can the attacker steal your Daily Journal but they can steal your Sexy Photos as well.
Axantum has now created a situation where you are AFRAID of using AxCrypt’s encryption (this is the very situation they were trying to avoid) because if you use it on non-critical files you’ll have to do extra work to keep them as safe as you keep your most critical files. After all if you don’t treat your access to all your encrypted files the same then you jeopardize your most secure files!
It might *feel* better, but it’s not the solution to any problem. One aspect is that having many passwords will most likely be more inconvenient and thus make you less prone to use encryption.
I wonder, Would Axantum devs use the same password on every single website they visit? I certainly hope not. Remember, your feelings and any justification you have are irrelevant to Axantum, their design principles control the way the program works. Axantum fears you will put your feelings ahead of security, and thus it prevents you the choice.
That’s bad, you don’t have that added protection. Also, it increases the risk of forgetting one of them.
What would happen if you forget the ONE PASSWORD which encompasses all of your files? Congratulations you’ve introduced a single point of absolute failure.
Axantum’s biggest threat to encryption isn’t malware or hackers – it’s YOU. Axantum thinks you’re lazy, it thinks you’re forgetful, and it thinks you know nothing about your own behavior.
“If it’s too hard they’ll just be lazy!”
“If we let them pick multiple passwords they might forget one”It all comes down to: “If we allow users a choice, they will pick the incorrect choice”
Don’t get me wrong, Axantum isn’t being intentionally malicious or insulting they’re just treating all users – even the most advanced and cautious users – as though they’re as forgetful, misinformed, and lazy as the lowest user.
AxCrypt 2 is not for highly security conscious users, it’s serves the lowest common denominator.
This isn’t my only complaint with AxCrypt 2 but it is by far my biggest.
BrianYou decide to do some online surveys (Jennifer is hugely into Swag Bucks) and then update your Daily Journal, unfortunately you contract a drive-by keylogger *GASP* and it records your login to AxCrypt. Congratulations, all of your files are now vulnerable. Not only can the attacker steal your Daily Journal but they can steal your Sexy Photos as well.
If an attacker can insert a drive-by key-logger then she’s got serious issues because the same attacker can see all the unencrypted data on the system including any temporary caches of the really sensitive data.
Or the attacker could wait until Jennifer next types in her other password (assuming multiple passwords) and then use that to decrypt the really sensitive files. Both rely upon the attacker getting their hands on the data itself… so a key-logger and a trojan.
Jennifer has serious security issues (a trojan and a key-logger) which encryption cannot solve. Jennifer should also educate herself on how to use a computer, avoid malware sites and she should install up-to-date antivirus, firewall and anti-spyware protection.
Axantum has now created a situation where you are AFRAID of using AxCrypt’s encryption (this is the very situation they were trying to avoid) because if you use it on non-critical files you’ll have to do extra work to keep them as safe as you keep your most critical files.
AxCrypt haven’t created this situation and people aren’t afraid of using AxCrypt because it only uses one password.
What would happen if you forget the ONE PASSWORD which encompasses all of your files? Congratulations you’ve introduced a single point of absolute failure.
The opposite is also true. Having one very secure password means the data is much more safe because the user is less likely to forget it. With multiple passwords the chances of forgetting the various passwords are far greater.
If Jennifer is really sensible she’d use a password manager to store her really secure AxCrypt password – or is Jennifer afraid of that “single point of absolute failure” too – despite all the evidence to the contrary [on the efficacy of password managers]?
Don’t get me wrong, Axantum isn’t being intentionally malicious or insulting they’re just treating all users – even the most advanced and cautious users – as though they’re as forgetful, misinformed, and lazy as the lowest user.
AxCrypt isn’t designed for advanced users – it’s designed for everyday computer users who want a simple, modern interface with mobile apps. Advanced users will use pre-scripted shell commands piped into GPG which allows them to choose their own encryption algorithm, hashing algorithm, number of iterations, file output format etc.
AxCrypt is intended for people who want the simplicity of something like an iPhone. Design it simply and more people will use it. Design it so that only tech savvy (advanced) users can understand it and the everyday user won’t use it.
Advanced users are unlikely to ever use AxCrypt because the alternatives GPG and OpenSSL have been out there for years and integrate tightly into their existing workflow like SSH. So what’s the point in implementing lots of bells and whistles if that’s not their target audience?
AxCrypt 2 is not for highly security conscious users, it’s serves the lowest common denominator.
The lowest common denominator AKA 99% of users. Please try breaking the encryption though – the cryptographic community and world powers would be extremely interested and you could become a multi-billionaire overnight.
This isn’t my only complaint with AxCrypt 2 but it is by far my biggest.
Don’t use it then; there’s lots of other software out there.
I’m a user as well. I’m also a competent mathematician, programmer and engineer and I appreciate being able to use something quick and easy without all the complications and hideously archaic GPG commands that can destroy an encrypted file in an instant because of a small typographical error.
You’re criticising a developer who chooses to make his software available for free and who contributes to the open source world. If you can do any better why don’t you fork AxCrypt and we’ll all take a look at your input.
AnonymousOr the attacker could wait until Jennifer next types in her other password (assuming multiple passwords) and then use that to decrypt the really sensitive files. Both rely upon the attacker getting their hands on the data itself… so a key-logger and a trojan.
So it’s pretty clear you didn’t read my post. Extra steps are taken to ensure safety prior to opening the real secure files i.e. Rebooting with Shadow Defender, using Sandboxed Programs, etc.
Jennifer has serious security issues (a trojan and a key-logger) which encryption cannot solve
No. Jennifer can use encryption to protect a wide array of files, Jennifer just can’t use AxCrypt because AxCrypt is fundamentally flawed. A keylogger will not steal my VeraCrypt key within an offline VM, but if I used that same password for a less secure file then it’s entirely possible they could steal my key. Axantum claims they treat all files as though they’re in the public domain but their program shows otherwise.
The opposite is also true. Having one very secure password means the data is much more safe because the user is less likely to forget it. With multiple passwords the chances of forgetting the various passwords are far greater.
Again, this is nonsense. By your logic it’s best to use the same password on every single web-page. Use a password manager – one which YOU can access secretly and safely i.e. KeePass with a strong password (Mine is 64 Random ASCII characters all of which I’ve memorized because I use it so frequently). It is easier to protect that single point of access in case of forgetting a password as opposed to trying to secure all access to your computer at all times.
If Jennifer is really sensible she’d use a password manager to store her really secure AxCrypt password – or is Jennifer afraid of that “single point of absolute failure” too – despite all the evidence to the contrary [on the efficacy of password managers]?
You clearly didn’t read my post, nor did you read Axantum’s post. You can control how you access a password manager, in order to securely use AxCrypt you’d have to use your secure procedures – decrypt the file/use the contents – then return to normal operation.
AxCrypt isn’t designed for advanced users – it’s designed for everyday computer users who want a simple, modern interface with mobile apps. Advanced users will use pre-scripted shell commands piped into GPG which allows them to choose their own encryption algorithm, hashing algorithm, number of iterations, file output format etc.
So you agree with me, AxCrypt v2 is for basic users with no knowledge of how Encryption works. AxCrypt v1 is far from that, it is for this reason that I will never suggest v2.
So let’s get this straight:
AxCrypt v2 can’t protect against malware’s access to their files – even through secure offline procedures.
AxCrypt v2 can’t protect against local access to the machine – due to the fact that the key is always cached and will be used (Without any prompt of any kind) by any program requesting to open the file.So it doesn’t protect you against remote-access (as AxCrypt v1 did, as when the file was not in use you couldn’t just use a cached password to steal the contents) and it doesn’t protect you against local access. So what the hell does v2 protect you from?
The lowest common denominator AKA 99% of users. Please try breaking the encryption though – the cryptographic community and world powers would be extremely interested and you could become a multi-billionaire overnight.
You do not have to break AxCrypts encryption, Axcrypt is an insecure method of securing files, if you need local protection use Bitlocker and a secure windows password. If you need remote protection use a program that PROMPTS YOU for your password rather than storing it FOR THE ENTIRE ACTIVE PERIOD OF YOUR PC.
Want to steal an encrypted AxCrypt file remotely?
1. Set default file format to shell script to print the output to a file.
2. Simply open the .axx file (AxCrypt will decrypt it without prompt provided the user has logged in once)
3. The file is un-encrypted have fun.I’m a user as well. I’m also a competent mathematician, programmer and engineer and I appreciate being able to use something quick and easy without all the complications and hideously archaic GPG commands that can destroy an encrypted file in an instant because of a small typographical error.
I’m also a software engineer, I also enjoy when software is easy to use, and I use AxCrypt v1 with no issues other than the lack of AES-256. If you added AES-256 to v1 I’d be gone in an instant. If you don’t want to hear user complaints maybe you shouldn’t come into a thread about how v2 isn’t meeting some users needs.
You’re criticising a developer who chooses to make his software available for free and who contributes to the open source world. If you can do any better why don’t you fork AxCrypt and we’ll all take a look at your input.
*Eye roll* Oh I’m sorry, did I anger the fanboys? I have massive respect for Axantum and I’ve used v1 for a long time, I’ve head numerous friendly interactions with them on Facebook, I was under the impression that they were intelligent, reasonable people who could handle criticism, then again I wasn’t aware that when it came to Open Source Sofware you had no right to comment. You know that I think about it, Microsoft C# is open-source too! I’ll never offer any input ever again, guess users should just re-roll the entire implementation every single time they have a criticism.
Seems you came in, read two lines of my post and began fuming over the fact that I could DARE criticize your lord and savior. I suppose instead of criticizing them and potentially seeking change I could just never buy their software. I want to buy their software and thus I’d like for it to have advanced capabilities. AxCrypt v1 served a certain audience (even having command line options) and to a significant extent v2 excludes that audience, I’m sorry for wanting to continue to be part of AxCrypt I didn’t realize it was a “No Criticism” zone.
BrianSo it’s pretty clear you didn’t read my post. Extra steps are taken to ensure safety prior to opening the real secure files i.e. Rebooting with Shadow Defender, using Sandboxed Programs, etc.
I did read your post but you gave a hypothetical strawman, by the name of Jennifer, who was being affected by drive-by downloads. Lots of malware can break out of sandboxes – the research is freely available online. There are numerous other methods of stealing data from secure environments.
The majority of users aren’t rebooting their computers left, right and centre. They don’t care about security and those that do only take minimal steps to secure it. The smaller proportion who encrypt their files manually use AxCrypt or other encryption software and an even smaller proportion still use offline methods.
A keylogger will not steal my VeraCrypt key within an offline VM
Theoretically it could, even within a VM which is not supposed to have access to the host.
Again, this is nonsense. By your logic it’s best to use the same password on every single web-page.
No, it’s a different example. Every website has different security standards. AxCrypt relies upon one hashing algorithm and one encryption algorithm and you can examined the source code.
You can control how you access a password manager, in order to securely use AxCrypt you’d have to use your secure procedures – decrypt the file/use the contents – then return to normal operation.
People don’t use these “secure procedures”. Read the comments out there about encryption software – “I use it because it’s so simple”, “I don’t have to do anything”. That is the mentality of your average user.
So you agree with me, AxCrypt v2 is for basic users with no knowledge of how Encryption works. AxCrypt v1 is far from that, it is for this reason that I will never suggest v2.
It’s for basic users but not necessarily those without any knowledge of how encryption works. As long as the user isn’t paranoid then it’s just fine.
You can still use v1, it’s not being developed any more but it works perfectly well.
If you need remote protection use a program that PROMPTS YOU for your password rather than storing it FOR THE ENTIRE ACTIVE PERIOD OF YOUR PC.
Just sign out of AxCrypt after you’ve finished with your files. Somebody operating your suggested “secure procedures” won’t have any difficulties doing this.
I’m also a software engineer, I also enjoy when software is easy to use, and I use AxCrypt v1 with no issues other than the lack of AES-256. If you added AES-256 to v1 I’d be gone in an instant.
I do not work for AxCrypt. It’s not for me to add AES-256 to version 1. If you want to do it then you’re more than welcome; it’s open source and trivial to implement. Just use a respected cryptographic library.
If you don’t want to hear user complaints maybe you shouldn’t come into a thread about how v2 isn’t meeting some users needs.
See above. I’m a user.
I’m sorry for wanting to continue to be part of AxCrypt I didn’t realize it was a “No Criticism” zone.
You’re entitled to your opinion. It’s just that you’re complaining about AxCrypt v2 when AxCrypt v1 meets your needs and AxCrypt v2 is a new paradigm… which nobody is forcing you to use.
AnonymousTheoretically it could, even within a VM which is not supposed to have access to the host.
Theoretically you’re never safe. It’s about reducing your attack surface and making it cost prohibitive to attackers, I make the relatively safe assumption that the overwhelming majority of attackers will make no such provisions – especially ones that already bypass my other layers of security.
People don’t use these “secure procedures”.
Apparently me, the OP, and just about every Engineering friend I have are not people, who knew?
You can still use v1, it’s not being developed any more but it works perfectly well.
Yes, but you do not get the protection of AES-256.
Just sign out of AxCrypt after you’ve finished with your files. Somebody operating your suggested “secure procedures” won’t have any difficulties doing this.
You can no longer do this from the context-menu, additionally you are STILL forced to use one password for every file.
You’re entitled to your opinion. It’s just that you’re complaining about AxCrypt v2 when AxCrypt v1 meets your needs and AxCrypt v2 is a new paradigm… which nobody is forcing you to use.
My ideal system is somewhere between AxCrypt v1 and AxCrypt v2, nobody is forcing me to use it, nobody is forcing me to recommend it. I guess if Axantum doesn’t want my money – or my recommendations to all the countless machines I operate for friends and family – then that’s fine. Personally I like Axantum as a company, I find them transparent and speedy and relatively friendly, I’d prefer to support them but clearly the software as you said isn’t meant for advanced users who like to take security into their own hands.
BrianApparently me, the OP, and just about every Engineering friend I have are not people, who knew?
Then you’re not in the majority nor are you average users.
Yes, but you do not get the protection of AES-256.
No, but AES-128 hasn’t been broken and is nowhere close to being broken. But if you want AES-256 then code it yourself or use GPG.
You can no longer do this from the context-menu, additionally you are STILL forced to use one password for every file.
You can; I’ve just tried it myself in version 2.1.1502.0.
There are two methods:
- File > Sign Out
- Right click on the tray icon (when AxCrypt is minimised) and click Sign Out
Yes, you are still forced to use a single password but that’s their avowed design intent in v2.
Personally I like Axantum as a company, I find them transparent and speedy and relatively friendly
If you’re an advanced user and your “ideal system is somewhere between AxCrypt v1 and AxCrypt v2” then try this software and come back and let me know how you get on.
It provides public key encryption, various algorithms, configurable hash, user-defined iterations, per-file encryption, volume encryption and self-extracting executables but it’s not truly open source.
It’s extremely secure but for me nowhere near as convenient as AxCrypt.
RaymondLC92https://www.jetico.com/bcarchive.exe
https://www.jetico.com/web_help/PDF/BCArchive.pdfSounds a lot like GPG4Win which uses Kleopatra, I’ll give it a shot and see how it goes.
The problem is that those programs usually rely on Certificates\Key-pairs rather than simple passwords, you’ll never see the simplicity of AxCrypt v1 in those programs i.e. Right Click -> Encrypt -> Enter Password.
AxCrypt is an example of something that did something and did it exceptionally well.
You can; I’ve just tried it myself in version 2.1.1502.0.
I was attempting it via right-clicking the encrypted file, didn’t think of the tray that’s far more usable though it expands my list of “Things that must be not be hidden in the tray”.
Perhaps I’ll load up a VM and just give a variety of such tools a spin as I do with anti-virus applications.
No, but AES-128 hasn’t been broken and is nowhere close to being broken. But if you want AES-256 then code it yourself or use GPG.
True it’s not that I’m not safe right now (Still using v1) but that I may not be safe in the future, and given v1 has been replaced by v2 it won’t be updated, I also won’t get the improved UI and other features of V2 so it’s a bit of a toss up.
I usually rely on the NIST: https://www.keylength.com/en/4/
So it’s safe into the foreseeable future, certain organizations such as the NSA have stopped recommending it for top secret materiel.
RaymondLC92Can’t figure out for the life of me why the block-quotes don’t seem to work.
BrianRaymondLC92, BCArchive allows you to encrypt with just a password. It has shell integration so that you can right click on files and enter a password to encrypt.
Unfortunately Windows hides AxCrypt in the tray. That’s a problem with Windows. The other method is the file menu.
Block quotes don’t work for some reason.
Hello all!
Just a quick note from me, Svante, the developer of both AxCrypt 1 and 2.
To be honest – I’ve only read through the longer posts superficially, but I think I get the general drift. First some undisputable facts:
– AxCrypt 1 was made by me, myself and I with my own private fully own one-man company Axantum Software AB. (AB is a swedish form of incorporation, somewhere between LLC and Inc.),
– AxCrypt 2 is made by me and small team of developers, designers, etc from the company AxCrypt AB in which I am co-owner and co-founder which has the rights to use the AxCrypt brand, sites etc, granted by Axantum Software AB.
AxCrypt 1 is a Windows-only simple password based AES-128 file encryption software written in C++, which has on the plus-side been very stable for almost 15 years, and on the minus side not really been developed at all for 15 years. The cool thing is that it’s still useful! AxCrypt 1 is entirely free and only released under the GPL license.
AxCrypt 2 is multi-platform hybrid client and SAAS infrastructure which includes a key server for public key based secure sharing of encrypted files, a online password manager, and support for AES-256 and RSA-4096 for the PKI parts. It is written in C# and currently is released on Windows, Android, iOS. Soon Mac OS X. We may even go Linux it’s not a big step. AxCrypt is GPL open source and free for some functionality on the Windows platforms. Advanced features, keyserver, stronger encryption, other platforms require a paid subscription plan.
Just clearing those things up first.
Then, apart from some issues with the tone of voice in the discussion, I essentially agree. Yes, both are right.
What I want AxCrypt to be, and I think it is until proven otherwise, is properly implemented strong encryption with clearly defined security and as simple a model as possible to analyze. There are always attack vectors, and we try to be very open with what they are. We want this strong encryption utility to be packaged in such a simple and easy to use package, that just about anyone can install it and use it.
I will not agree that I think AxCrypt users are stupid, ignorant or whatever was mentioned above. However, I have 15 years of experience dealing with support issues from a total of perhaps 10 million users. A very, very small percentage of these users have any issues at all. But from the ones that do, I have seen patterns of common mistakes sometime causing dataloss due to mistyped or forgotten passwords. Most of the things that AxCrypt 2 is criticized for above are functions defined as a result of specific, concrete and actual situations with actual users.
So, yes, AxCrypt is made to be encryption for the masses. The 99%. Not the 1%. I think the biggest reason why encryption is not more widely used is because 99% of the software, caters to the 1% of the users. I’m trying to change that.
But, please! I like criticism, in fact, that’s the other big inspiration for developing how AxCrypt works. So keep it coming!
- This reply was modified 7 years, 5 months ago by Svante.
AnonymousI will not agree that I think AxCrypt users are stupid, ignorant or whatever was mentioned above. However, I have 15 years of experience dealing with support issues from a total of perhaps 10 million users.
Just to clarify I wasn’t trying to imply that the users were mentally inept, only that AxCrypt v2 seems to be built for the most forgetful, most likely to improperly configure, etc.
It’s a pattern of design that is becoming exceptionally common, software developers build for the worst possible user-scenario and usually that means restricting advanced users in order to prevent said user scenarios from being self-inflicted.
A very, very small percentage of these users have any issues at all. But from the ones that do, I have seen patterns of common mistakes sometime causing dataloss due to mistyped or forgotten passwords. Most of the things that AxCrypt 2 is criticized for above are functions defined as a result of specific, concrete and actual situations with actual users.
So, yes, AxCrypt is made to be encryption for the masses. The 99%. Not the 1%. I think the biggest reason why encryption is not more widely used is because 99% of the software, caters to the 1% of the users. I’m trying to change that.
True, I suppose I’m just frustrated with the rate at which advanced users are getting left out in the cold.
Kaspersky had a spin where they removed the “Advanced Settings” options and Microsoft has opted to force updates on everyone because some people won’t update, but as you can imagine the list goes on and it’s become a worrying trend.
I suppose the shock of AxCrypt 2 being a basic user program comes with the fact that everyone I have using it struggles to understand it. When they Encrypt their files they usually act shocked when it just opens as they don’t understand the concept of a cached key.
Speaking of Keys: Does AxCrypt v2 Utilize the password itself to encrypt files or does it operate as ProtonMail does and use a password purely for authentication and use a generated key to do the encryption?
AxCrypt installation with my family has gone something like:
1. Install AxCrypt.
2. Re-configure power settings so the machine returns to sleep\lock-screen after inactivity.
3. Ensure they create a strong password for their AxCrypt account as this is the password for encryption.
4. Ensure they know that anyone can access their data unless a sign-out is triggered via sleep\signout or done manually.Barring the lack of multiple passwords I’d say that the possibility to “auto sign-out” based on time delay or termination of the child program is my second most important issue.
That being said I’ve actually moved from AxCrypt V1 to BCArchive as it’s pretty much exactly what I want though AxCrypt does do certain things better i.e. Secured Folders and Key Sharing. Suppose you can’t get everything you want though without writing it yourself.
ShaunI suppose the shock of AxCrypt 2 being a basic user program comes with the fact that everyone I have using it struggles to understand it. When they Encrypt their files they usually act shocked when it just opens as they don’t understand the concept of a cached key.
Another AxCrypt 2 customer here.
I used AxCrypt 1 and AxCrypt 2 and I find the newest version easier. I don’t understand how people “act shocked when it just opens”. Surely the fact that AxCrypt remembers your password is just the same as logging into your email? You don’t type that password in every time you open an email, the same is true with AxCrypt. And if you leave your email account logged in, anybody can access it.
Maybe they were used to single passwords but there’s nothing controversial with remembering a password
Speaking of Keys: Does AxCrypt v2 Utilize the password itself to encrypt files or does it operate as ProtonMail does and use a password purely for authentication and use a generated key to do the encryption?.
AxCrypt 2 uses a password for symmetric encryption and it uses a public key for asymmetric encryption. Until you use the key-sharing feature it’s symmetrically encrypted. I’ve used the source code to recompile the software and it works exactly like I’ve described.
Re-configure power settings so the machine returns to sleep\lock-screen after inactivity.
You can also set a screensaver which is what I have done.
Barring the lack of multiple passwords I’d say that the possibility to “auto sign-out” based on time delay or termination of the child program is my second most important issue.
That being said I’ve actually moved from AxCrypt V1 to BCArchive as it’s pretty much exactly what I want though AxCrypt does do certain things better i.e. Secured Folders and Key Sharing.
BCArchive is great but it’s not being actively developed. The company, Jetico, are understandably focusing on their paid products. They are re-releasing BCArchive every year with an updated copyright date in the software however.
It’s a well-known product but there’s a couple of good reasons it’s never used much or recommended – it’s not open source (a major concern) and it uses insecure encryption algorithms.
You also have to trust that Jetico haven’t installed any backdoors – they don’t allow you to examined the source code, unlike AxCrypt.
If you use the wrong key algorithm in BCArchive like GOST then you’re immediately insecure. They don’t warn you and they use questionable hashes like SHA3-512. If you choose something more secure like Serpent you can still make yourself insecure if you choose a bad hash.
What do you mean when you say BCArchive don’t support “Key Sharing”? It’s the “Public key encryption” option. It’s not as transparent to use as AxCrypt but, if you consider yourself an advanced user, it shows that you don’t really understood how encryption works and I think that’s the point Svante and Brian are trying to make. You can have proficient computer users but that doesn’t mean they’re proficient users of encryption.
BCArchive doesn’t support “Secured Folders” so you’ve got to manually encrypt any files. You’ve also got to manually encrypt any decrypted files after you’ve finished using them. And then you have to manually flush your cache to purge data remnants; AxCrypt does this automatically.
Use what you feel most comfortable is but don’t conflate ease of use with lack of security. Like all experts, I don’t trust closed source encryption software although Brian may disagree.
BrianShaun, I wasn’t giving a personal recommendation of BCArchive and I wouldn’t want to because there’s no way for me to validate what’s going on under the hood as they don’t allow you to review the source code.
It’s Windows 95-era software updated over the years but it’s never been recommended by ‘crypto gurus’. Some of the algorithms appear extremely secure but the implementation is where software most frequently fails so the most secure encryption can turn out to be extraordinarily weak if they make a small error. As it can’t be peer reviewed these errors will go undiscovered.
I only suggested it because the other user wanted to ‘feel’ safer by using multiple passwords.
AxCrypt has a relatively large user base, has been around for a number of years and been reviewed by a great many people. It’s frequently updated (majorly important), has a modern UX and it’s quick and easy to encrypt/decrypt files without all of this multiple password nonsense. It doesn’t make you any more secure using multiple passwords and gurus like Zimmerman argue that multiple passwords make you insecure even in the examples posited by RaymondLC92.
If a hacker wants your data, he’s going to get it whether it be encrypted or not, sandboxed, air-gapped or energy-gapped. There’s viable attacks against all common methods of ‘protecting’ your information.
Let me correct an common misconception. The government do not use AES-256 for information above Top Secret. True, the NSA don’t recommend AES-128 for Top Secret (only AES-256) but that’s still subject to additional caveats and there’s information far more sensitive which AES-256 is not sufficient for. They know that encryption alone doesn’t keep data safe. The government have their own algorithms developed by leading cryptographers (most of which they employ) and have been subjected to extensive cryptanalysis.
In fact most of the really sensitive data is kept on paper; and typed on daisy wheel typewriters.
I don’t have information anywhere near Top Secret. I have medical records, bank statements, tax returns and so forth and the ease of AxCrypt over the unproven security of some other software means I stick with AxCrypt along with hard drive encryption. I’m not concerned about the one password methodology because I know that if a hacker can get into my system to steal that one password then he’d be able to get at all of my information anyway.
If I make life difficult for myself by having multiple passwords, VMs, sandboxed processes and that level of paranoia then I’m opening myself up to a greater attack surface by the simple fact that:
- I’m using multiple pieces of software (more risk of critical bugs: malicious or otherwise)
- More chance of making a mistake and completely compromising my security
- Using proprietary encryption methods designed to look secure, but aren’t proven
- Having to keep a record of multiple encryption passwords
- Moving data in and out of the VM/sandboxed process
Shaun – if people feel happier using multiple passwords, let them. Experts don’t recommend it and there’s a good reason why – and it’s nothing to do with dumbing things down. As you pointed out, most don’t understand encryption and I can guarantee that they’re making mistakes fatal to their online security.
As a closing note Windows tracks all keyboard input (including passwords) and sends it back to Microsoft even if you’ve got telemetry turned off.
-
AuthorPosts