Purchase without online account
This topic contains 2 replies, has 3 voices, and was last updated by Svante 5 years, 12 months ago.
Dave:
I want to purchase an online account but it is not acceptable for me to transmit my password to the AxCrypt servers under any circumstances.
How can I achieve this?
Raja:
Hello Dave,
AxCrypt has a sophisticated password strength evaluator based on measuring the actual strength of the password. It must also be at least 8 effective characters long.
We evaluate the password by estimating the strength, which is based on how long and complex the password is.
The evaluation entirely disregards parts of the password that are recognized as being among the 1,000 most common passwords, as well as white space.
I suggest you use the ‘show password’ option in both the web and the app, and ensure that what is typed is truly identical. This means having the same casing, the same spacing, the same umlauts and accents etc.
You can use the AxCrypt Password Generator to generate a strong password: https://forum.axcrypt.net/password-generator/
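To make the "effective characters" rule concrete, here is a toy evaluator written for this page. It is not AxCrypt's evaluator and its numbers are illustrative: the common-password list is a short constructed stand-in for the real top-1,000 list, and the bit estimate (effective length times log2 of the character-set size) is an assumed scoring formula, not AxCrypt's. What it does reproduce is the behaviour Raja describes: whitespace and any recognized common password are removed before counting, and fewer than 8 effective characters is rejected.

```python
"""Toy 'effective length' password evaluator (added example, not AxCrypt code).

Rules modelled on the thread: ignore white space, ignore any part of the
password that matches a very common password, require >= 8 effective chars.
"""
import math
import re

# Constructed stand-in for a "1,000 most common passwords" list.
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
]
MIN_EFFECTIVE_LENGTH = 8  # the "at least 8 effective characters" rule


def effective_password(pw: str) -> str:
    """Return the part of the password that actually counts.

    Strips all white space, then removes every case-insensitive occurrence
    of a common password (longest entries first so 'password' is consumed
    whole rather than leaving fragments behind).
    """
    cleaned = re.sub(r"\s+", "", pw)
    for common in sorted(COMMON_PASSWORDS, key=len, reverse=True):
        cleaned = re.sub(re.escape(common), "", cleaned, flags=re.IGNORECASE)
    return cleaned


def charset_size(s: str) -> int:
    """Crude alphabet size: lower, upper, digits, printable symbols."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(not c.isalnum() for c in s):
        size += 33
    return size


def estimate_bits(pw: str) -> float:
    """Assumed scoring: effective length * log2(alphabet size)."""
    eff = effective_password(pw)
    if not eff:
        return 0.0
    return len(eff) * math.log2(charset_size(eff))


def evaluate(pw: str) -> dict:
    """Summarise a candidate password under the toy rules."""
    eff = effective_password(pw)
    return {
        "effective_length": len(eff),
        "bits": round(estimate_bits(pw), 1),
        "acceptable": len(eff) >= MIN_EFFECTIVE_LENGTH,
    }


if __name__ == "__main__":
    for candidate in ["password 123456", "iloveyou2024", "Tr0ub4dor&3!xyz"]:
        print(repr(candidate), evaluate(candidate))
```

The first two candidates look long enough on screen but collapse to 0 and 4 effective characters once the common parts are discarded, which is exactly why a password that "should be fine" can be refused; the show-password check Raja recommends catches the other common cause, a stray space or different accent between the web form and the app.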
Svante:
Hello Dave,
To add to what Raja said, which perhaps did not answer your question fully:
At this time, you should probably not be using AxCrypt if you don’t trust our implementation that actually does transmit the password to the server. We are considering using a challenge-response type of sign in mechanism that avoids this – but the problem is…
It’s really all about the trust you put in us. While the theoretical model is certainly “more secure” when the actual password is not transmitted, the practical implications are such that many users will lose the ease of use that AxCrypt has.
Remember that you will be using the password locally – and that’s really the weak part of the chain… Your device is likely used for general purpose browsing and working, including downloading and running software from the Internet (such as AxCrypt).
Our server, which you under no circumstances want to send the password to, is a locked down server running only essential software, and with very limited capabilities. We never store the password in reversible form. The additional attack vectors created by this architecture are (simplified):
1 – The transmission over SSL. If that is compromised, you and we all have bigger problems…
2 – Bugs/malicious code in our code. You already trust us by definition by running our code locally.
3 – External attacks targeting our operating environment. Definitely possible, but to actually retrieve a password transmitted requires the attacker to be able to inject arbitrary code in our application environment – without breaking our app. Possible, yes. Likely, no. Requires skill and resources beyond a private enterprise, if successful even then. A government may do so by simply forcing physical access to our server, but even that is unlikely to go unnoticed. It would require a major operation, and we’re somewhat if by no means fully protected by having all our servers physically in Sweden. We do not use cloud servers, or shared servers. Only servers physically owned and operated by us, but located in secure data centers.
AxCrypt is intended to achieve a high level of protection against malicious, private and commercial, attackers. However, governments have other ways to get what they want – and if you’re doing things that are illegal, we’re not your tool. In fact, the terms of use state that you are not allowed to use AxCrypt for illegal purposes. That being said – a normal criminal investigation will be stumped by AxCrypt encryption. A security or intelligence organization of a major world power has, as mentioned, other cheaper and simpler ways at its disposal. Google rubber-hose cryptanalysis for example…
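Svante mentions a challenge-response sign-in as the alternative that would keep the password off the wire. The sketch below is an added example written for this page, not AxCrypt's protocol or code; it assumes a design in which the server stores a PBKDF2-derived verifier at enrolment and each sign-in answers a fresh random nonce with an HMAC keyed by that verifier. Both sides' messages are shown so the trade-off Svante alludes to is visible: the password itself never leaves the client, but the stored verifier becomes password-equivalent for this server, so a stolen verifier lets an attacker answer challenges without ever learning the password (an augmented PAKE such as SRP is what avoids that, at the cost of the extra complexity he describes).

```python
"""Challenge-response sign-in sketch (added example, not AxCrypt's protocol).

Assumptions: PBKDF2-HMAC-SHA256 verifier stored server-side at enrolment,
32-byte random nonce per sign-in, response = HMAC-SHA256(verifier, nonce).
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # constructed work factor for the example


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Client-side only: the password is stretched into a 32-byte verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    """Holds (salt, verifier) per user; never sees the password."""

    def __init__(self):
        self.users = {}     # email -> (salt, verifier)
        self.pending = {}   # email -> nonce awaiting a response

    def enrol(self, email: str, salt: bytes, verifier: bytes) -> None:
        self.users[email] = (salt, verifier)

    def begin(self, email: str) -> tuple:
        """Message 1 (server -> client): salt and a fresh one-time nonce."""
        salt, _ = self.users[email]
        nonce = secrets.token_bytes(32)
        self.pending[email] = nonce
        return salt, nonce

    def finish(self, email: str, response: bytes) -> bool:
        """Message 2 check: nonce is consumed, so a replay finds none."""
        nonce = self.pending.pop(email, None)
        if nonce is None:
            return False
        _, verifier = self.users[email]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, email: str, password: str):
        self.email = email
        self.password = password

    def enrol(self, server: Server) -> None:
        salt = os.urandom(16)
        server.enrol(self.email, salt, derive_verifier(self.password, salt))

    def respond(self, salt: bytes, nonce: bytes) -> bytes:
        """Message 2 (client -> server): HMAC over the nonce, not the password."""
        return hmac.new(derive_verifier(self.password, salt), nonce,
                        hashlib.sha256).digest()

    def sign_in(self, server: Server) -> bool:
        salt, nonce = server.begin(self.email)
        return server.finish(self.email, self.respond(salt, nonce))


def demo(enrolled_password: str, attempted_password: str) -> bool:
    """Enrol with one password, then try to sign in with another."""
    server = Server()
    Client("dave@example.com", enrolled_password).enrol(server)   # constructed user
    return Client("dave@example.com", attempted_password).sign_in(server)


def replay_is_rejected() -> bool:
    """A captured response cannot be reused: the nonce was consumed."""
    server = Server()
    client = Client("dave@example.com", "correct horse battery")
    client.enrol(server)
    salt, nonce = server.begin(client.email)
    captured = client.respond(salt, nonce)
    first = server.finish(client.email, captured)
    replay = server.finish(client.email, captured)
    return first and not replay


if __name__ == "__main__":
    print("good password:", demo("correct horse battery", "correct horse battery"))
    print("wrong password:", demo("correct horse battery", "wrong"))
    print("replay rejected:", replay_is_rejected())
```

Note what this does and does not change relative to Svante's list: item 1 (TLS) and item 2 (trusting the client code) are untouched, and item 3 shrinks from "capture the password in the server process" to "steal the verifier table", which is still a full compromise of sign-in for that server but no longer yields a password the user may have reused elsewhere.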