This topic contains 6 replies, has 2 voices, and was last updated by Chandler 7 years, 7 months ago.
-
AuthorPosts
-
MartinGood afternoon,
It is my understanding that when I change my password, all of the files encrypted with the old password will open automatically, as long as I am “online” with AxCrypt. However, if I am “offline”, then I will be required to enter the old password that a file was encrypted with before it will open. If this is correct, I have a couple of questions.
1. When I have a new password, and I want to permanently decrypt a file that was originally encrypted with the old password, do I need to enter that old password when decrypting the file? For this particular question, let’s assume I am online with AxCrypt servers.
2. Assuming I have a policy to change my password on a monthly basis, (which is a recommended security practice), then should I decrypt all my files before changing the password and then re-encrypt them after changing the password? Otherwise, won’t I end up with hundreds of files that have varying passwords. That would put me into a password nightmare that you were trying to avoid when doing away with the option of allowing different passwords for different files.
Thank you in advance.
Hello Martin,
You’re almost right. When you change the password, all files encrypted with the old password will open automatically. This will work as long as you have been online with AxCrypt at least once with the device in question after the change.
If you’re decrypting on a device that has not been online with AxCrypt at least once, yes, then you can open the file with the original password that was in effect at the time of encryption.
Now to your questions:
1) The same rule applies for permanently decrypting a file. The passwords will work as above. So, if you’ve changed the password and have been online, the new one will work fine.
2) If you do change your password on a monthly basis (which would *not* recommend as a security practice!), you’d wind up with files from a given month opening both the the current password whatever that is ,*and* the password of the month when the file was encrypted. There’s no password nightmare here, since you can open them with the single current password at all times – as long as the device you’re doing it on has been signed in online since the change.
I really think you should consider your password changing strategy, I don’t see it as adding any security. On the contrary, it seems that it would cause a real problem in trying to remember that new password every month, or even worse – you’re using some kind of system to modify your password from month to month. Get a good, long and strong one, and stick with it until you have any kind of reason to suspect that it might be subject to a leak. If this does happen, then you should certainly change your password, and re-encrypt all files that you can. If it does happen, the risk is great though that the attacker has already had access to your files, and copied whatever might be of interest…
PeteMartin, it’s not a recommended practice to change passwords monthly. Many companies impose stupid policies like this in the belief that it’ll increase security: it won’t. You’ll get users who, out of frustration, choose a password like: MartinJAN1 or MartinFEB2. This reduces security!
Do what Svante says; remember a long complicated password and don’t change it unless you have reason to believe it has been compromised.
If you have a bad memory then use a password manager. Having a unique password for every website you visit is a highly recommended practice as even the best of us can’t remember a 25 alphanumeric password with symbols in there too.
Have a read of this:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
SteveI used the old free version (for passwords), and it fit my simple needs perfectly. Login to the site, select view all, and browse through all the thirty or so sites for which I needed passwords saved. Worked
New site: Login, and no browse capability, no accounts visible, just blank. I want access to all my old accounts and passwords. Please respond.
ErikSteve, have you not tried logging onto the old website?
MarcelloHello,
I’ve installed your software and always stayed offline, then immediately realized that I need to change my password. But I can’t find the way.
I haven’t even encrypted any file yet.
According to what I read, I should connect to your website and ask for a key allowing me to reset or change my password. Is that correct?
If this is the case, it leaves me puzzled. I imagine, in fact, that at least as long as I never connect to internet I should be able to change my password without giving any info to the outside, or my security level would lower rather than increase. Am I guessing correct?
And if you still tell me that I have to connect in order to reset my password, will that create any kind of ‘dependency’ between my application and your servers?
Thank you in advance for your answer.
ChandlerI’ve installed your software and always stayed offline, then immediately realized that I need to change my password. But I can’t find the way.
If this is the case, it leaves me puzzled. I imagine, in fact, that at least as long as I never connect to internet I should be able to change my password without giving any info to the outside, or my security level would lower rather than increase. Am I guessing correct?
And if you still tell me that I have to connect in order to reset my password, will that create any kind of ‘dependency’ between my application and your servers?
To change your password you need to do so from within the AxCrypt application – File | Options | Change Password. I’ve put a screenshot below.
You should (it’s highly recommended that you are) be connected to the internet when changing your password. The reason for this is that some AxCrypt users want to share files with friends/colleagues. Changing your password updates the secret key held on the AxCrypt servers. The secret key does not contain your password; it’s there so that AxCrypt knows how to encrypt your file. There’s more information on the password change process here.
I won’t go further into the technical details (they’re confusing for the layman) but they’re here if you want to know more.
If AxCrypt was to suddenly go out of business (the “dependency” you refer to) then you’d still be able to decrypt all of your files. You’d even be able to continue using it to encrypt your files if you really wanted to… although if AxCrypt did go out of business then I’d recommend you look for new encryption software.
If you’ve not understood anything I’ve said above then the only message you need to go away with is that you should make sure you’re online when changing your password as it avoids all sorts of problems. Feel free to disconnect whenever you’ve done it. If you don’t go online then you’ll end up with multiple passwords.
-
AuthorPosts