This topic contains 124 replies, has 2 voices, and was last updated by Jack C. 6 years ago.
-
AuthorPosts
-
Carl WalesI used Axcrypt 1.x lots. But I am very frustrated with version 2.x
I only want to use it offline. I do not want to share/collaborate.
But I also want to use different passwords for different files and or folders.
To me the “improvements” moving to 2.x are intolerable.
I guess I have to find different encryption software.
Hello Carl,
I’m sorry to hear that you’re unhappy with version 2 of AxCrypt. You can in fact use AxCrypt 2 entirely offline if you so wish.
We do not support different passwords for personal use though, as we consider this to be a behavioral security risk. Please see http://www.axcrypt.net/blog/use-of-different-passwords/ .
A lot of thought and effort has gone into making AxCrypt 2 as secure as AxCrypt 1, or more so, and at the same time being even easier to use. We realize this implies some changes in how you use AxCrypt, but we ask you to keep an open mind and really try it out.
We’re also listening to the feedback, and we’ve done a number of modifications based on comments from both new and especially existing users of AxCrypt 1. Among other things we’ve made the new main user interface be less prominent, so use from Windows Explorer is very similar to the old version. We’ve also enabled full offline mode for users who insist. There are many more minor changes made as well as a result of the input we’ve received.
So, please do continue to let us know what you think! We are listening!
However, improvements that we’ve made that affect the actual security of the application we’re much less likely to consider. The “multiple passwords for a single user” is one of them. Sorry!
AxCrypt is an advanced encryption tool for users who just want it to work, without having to take security related decisions themselves such as algorithms and other technical parameters. We simply think that we can make better informed decisions than most of our users, who also in most part do not want even to be confronted with the choice.
AxCrypt is thus an opinionated software. We have an opinion about how it should work, and what is secure and less secure behavior. The “multiple passwords for a single user” is such an issue. Of course, we’re open to reasoning about it, if you find a flaw in our reasoning – do let us know and we’ll discuss it!
GopalakrishnanHi!
I too am unhappy with the new version! I liked the simplicity of the standalone, non-online version which allowed each file to be encrypted with a (potentially) different password. I did read http://www.axcrypt.net/blog/use-of-different-passwords/, and I understand that you guys are experts on what you have discussed there. So I’ll read more on that topic to try and convince myself that it is always better to use one very strong password.
But, there are situations where one would be willing to lose sensitive data (forgetting a distinct, complex password) than have all your eggs in one basket! If the new password in axcrypt 2.0 is stolen, say be a keylogger in a computer, the hacker could access all the files – even files that were once encrypted with a different password that are now re-encrypted to the default new password.
Gopalakrishnan
Hello Gopalakrishnan,
Thanks for your feedback!
We’re grateful for all comments, and we’re working continuously on improving the experience for existing as well as new users.
Hello all,
Just wanted to let you know that we’re listening to exiting version 1 user’s input on version 2. Although we’ve not made everything just like it was, we’ve tried to improve version 2 in various ways to make existing users feel more at home.
Here are some things we’ve done recently up until AxCrypt 2.1.1474 (and later):
– It can run entirely without Internet connection, ever. We don’t recommend it, but you can.
– The “sign in” dialog is more compact and less intrusive.
– The main Window state is remembered, so if you minimize it it will usually stay minimized and never show unless you ask for it.
– The tray icon now actually has some functions, such as sign in / sign out / exit / show main window.
– The Windows Explorer context menu has a “sign out” function.
We *do* still want you to register an email address (but that’s all), and we’re still for now committed to the one-password model for your files. We’ve written a couple of longer discussions about various things that are new in version 2:
http://www.axcrypt.net/blog/use-of-different-passwords/
http://www.axcrypt.net/blog/leaving-computer-axcrypt/
http://www.axcrypt.net/blog/avoid-self-decrypting-files/
If you’ve tried version 2 before as an existing user and have had concerns, why not give it a new try? Download from http://www.axcrypt.net/download/ .
Still have feedback to give? Bring it on! We want to hear from you.
SteveAxcrypt team consider that using differents passwords is a weakness ???!!! From my point of view, your decision is a gigantic fail !! Two scenarios:
– Use a personal passwords for personnal use, use another password for sharing a file
– Use differents passwords for differents types of file, for differents levels of security
You should not to choose for the user.
Axcrypt was my favorite app, but if you don’t restore the possibility to use as many passwords as the user wants, you’ll don’t get my money for premium version…Hello Steve!
Thanks for the feedback, but did have you read the blog post at http://www.axcrypt.net/blog/use-of-different-passwords/ ? It goes into some detail about this issue.
Please understand that we’re not advocating re-use of password in different systems, like different web sites.
We’re saying you should not use different passwords within the same system, in this case AxCrypt. Because it does not add any security, it can only reduce it! The way AxCrypt is made, you can always use the strongest password for all your data. There is absolutely no need for ‘weaker’ passwords, for not-so-secret data (whatever that is).
To share encrypted files with others, you should not be using different passwords either! They are hard to distribute and keep track of. Just use the Key Sharing function in AxCrypt which makes advanced public key based cryptography available to anyone by just entering the recipients email address.
Finally, yes – it’s always been the AxCrypt philosophy to choose for the user! We really think we can do a better job of this then all except an incredibly small minority of users. AxCrypt 1 also makes a lot of choices for the user.
MisutsuI understand.
Bye axcrypt, you was useful in the past, but sometimes things don’t change for the better.
Hello Misutsu,
Thank you for letting us know ;-) Too bad – we really do think the changes are for the better, but change is hard…
Good luck in the future!
Curt WoodardI have to agree with those here. Forcing a single password on users is bad practice.
I’ll get a redownload of Axcrypt 1 and actively tell people to not use Axcrypt 2 due to it’s lack of security. If *ANYONE* finds out your single password, ALL of your data is screwed. That is just plain stupid on so many levels.
When working with multiple clients at multiple security levels, different passwords are a must. While using keys for sharing is an OK practice (like PGP-style public/private keys) it makes it STRONGER, not weaker, to do this with different passwords.
Anyway, requiring us to log in with a registered email address is also rather silly. If you are in a hardened environment and cannot register an email address, you can’t use this tool. Better to use version 1 or to move from Axcrypt enirely.
Since you’re not updating version 1 anymore, you won’t hear anything from me again in the future. I am going to ensure that any and all clients, friends, and relatives stay away from Axcrypt 2 going forward. It’s useless software at this point.
Hello Curt,
Thank you for your feedback, harsh as it is. Also, it’s a bit incorrect in the part about hardened environments.
As always it’s a tradeoff between various goals. In theory, as you say, if you could have unique, 256-bit, strong passwords for each and every file and keep them in your head and nowhere else, yes, that’s better!
But we’re all humans, and AxCrypt is not about theoretical but practical useful security. In this context we’re really convinced that one strong password for all your AxCrypt-encrypted files is way better than many not-so-strong passwords, or avoiding to encrypt some files because it’s so inconvenient to open them. Also, the flip side of encryption-based security is about not losing your data because you forgot one of your passwords to your files. This is not a theoretical scenario. It happens all the time with AxCrypt 1, not so much with AxCrypt 2.
So, you say, but I’ll keep all my AxCrypt file passwords in an encrypted file with a really strong password, or a password manager. Well, I say, that’s just my point… That’s our argument, but one step removed. Don’t get me wrong, I like password managers, they are great! Which is precisely why one good password for AxCrypt-encrypted files makes sense to us.
I think it’s important to correct statements that are incorrect, in this case that we require you to sign in with a registered email address that won’t work in a “hardened” environment. AxCrypt 2 will use an Internet connection if available, but you can install and use AxCrypt without any Internet connection at all. You can also turn it off at any time, by using the option File | Options | Always Offline .
Sorry to see you go as a user, but I think you’re actually missing out on a really useful and good upgrade to something better!
Finally, you’re of course welcome to recommend or advise against any and all software, but do remember that I’m the same person who wrote AxCrypt 1 as well as AxCrypt 2 – and I’ve not become less of knowledgeable about file encryption in the past 15 years. I recommend AxCrypt 2 over AxCrypt 1, because the risk of data loss is lower, and the security provided is equal to or higher than AxCrypt 1.
Sanjay KumarSo many people have tried to explain this to the AxCrypt developers on these forums, so there’s probably not to much point in my posting this, but I’ll try anyway.
First, the link (http://www.axcrypt.net/blog/use-of-different-passwords/) you point users to explaining why using different passwords for yourself is less secure does not even claim that using different passwords is less secure. Security is always a trade off between preventing unauthorized access and permitting authorized access. As your own post explains, multiple passwords does not decrease security, but rather increases inconvenience (e.g., increasing the chance of forgetting a password).
Second, with your 2.0 approach, if you’re password is compromised, 100% of your data is compromised. Your solution is this: make sure it is not compromised. While that is fine in theory, it is simply not applicable to real life security. As AxCrypt 2 relies on a single strong password, the frequent entering of that password increases the odds that it will be compromised (someone looking over your shoulder, key logger, leaving it logged in, etc.). I’m sure you are familiar with compartmentalization of information. If you had highly-sensitive data that was rarely accessed and encrypted with a different password, a user can take numerous precautions to ensure that password is not compromised when that data is accessed (access it only when you are alone, close the blinds, check for key loggers each time, etc.). You are essentially asking users to use that level of caution all the time. Users will either 1) not do so, which will drastically decrease security, or 2) do so, which will drastically decrease access. It is not a question of a “feeling.” It is has a real-life, practical impact on security and/or access.
Since so many users have tried to explain this, at the very least, you could address this more thoroughly in your link. If multiple passwords really decreases security, you could at least explain how. What you have explained is simply how they increase inconvenience. By only stating you wish to increase convenience with a single password, you are implying that the use of only one password does in fact decrease security.
Thanks.
Hi Sanjay!
There’s always a point in making your voice heard. We’ve changed quite a bit of things based on user feedback.
Yes, I could be more clear I guess on why it actually tends to decrease security. I do mention one aspect: Convenience. Iconvenient security solutions are either not used, or worked around. This is well established in many contexts. It’s about practical psychology, not theoretical security. Another aspect is another facet of inconvenience. Invariably, many passwords will be weaker than one strong. It’s just how we’re wired. It’s also the main theory behind single sign on in general, which is fairly well accepted. Yet another aspect is the fact that often the argument is that for less important files, the user is happy with a less secure password. Less secure. This is just faulty logic, since it costs nothing extra to use good security for all files with AxCrypt 2, and by definition it thus reduces security.
I’m afraid I’m totally at odds with your statement “the frequent entering of that password increases the odds that it will be compromised” for a number of reasons. You don’t have to enter it frequently! That’s part of the design! You only enter it *once* per session. To make it convenient. We really believe convenient security solutions increase practical security as opposed to inconvenient theoretically stronger solutions. As for odds increasing, I don’t really see it. Why would the odds of a password leak increase because it’s the same one being entered once, instead of a multitude of passwords being entered all the time?
I’ve updated the blog with a paragraph on why the use of many passwords tends to decrease security. Of course, you may be that one in a thousand who can actually remember a number of 10+ character strong passwords and for what files they are used for. In that case, many passwords won’t be harmful. But it won’t be helpful either.
We’re aiming to provide good, strong, practical easy to use security for the main stream users who do not know anything about cryptography, and don’t want to know anything either. They just want to know that as long as no-one knows their passwords, their files are safe from scrutiny.
We think we do with AxCrypt 2.
All this being said, despite that you may feel we’re not listening, we are. We are constantly evaluating options on how to satisfy as many users as possible while not compromising the overall goals and security of AxCrypt 2. What we’re struggling with is how to provide the option to use different passwords, while not at the same time making it more complex with more options for the majority of users who really like the simplicity of the standard model and while also not encouraging bad security practices.
It’s also a priority thing. Right now we feel mobile apps are more important to get out there, and we’re just starting internal beta testing this week for both iOS and Android!
BobThere seems little point reiterating what others have said here, and in other posts. I just wanted to add my voice to the increasing list of those that have expressed a dislike for the new version. I have removed 2 and reinstalled 1.7 which is by far your best accomplishment in my opinion…. simple, clean, fast.
GTII am also unhappy with version 2 and agree with all the complaints made here so far and add more.
Many like me have used the v1.x for many years because it meets our needs HOW WE LIKE and HOW WE NEED: a practical, simple, objective and FREE.
For this and with this philosophy v1 was created, it achieved its goal and its philosophy was the reason for its success: The author had a personal problem that it’s also the problem of many others in the world and shared as DonationWare Open Soure! It was a success!
The change in v2 philosophy is evident and is the cause of our conflicts of interest, the priority is the generation of financial resources and our needs and desires continue to be met provided they do not conflict with its priority, that is, our desires and need were into the background. It is perfectly understandable that the author does not want to take it publicly and he want to generate financial resources with their work and it is perfectly understandable that v1 users do not like the v2, for lack of a better option, the user only tolerates v2.
Assume a fixed cost (payment) for an indefinite time for something not essential to life as the protection of our files is only good for those who receive. The v2 philosophy it is to make the user a hostage where extracted resources as long as possible, that is why the author needs of the user’s e-mail and ONE PASSWORD. Imagine the difficulty of managing many users with endless passwords each.
Also, charge on v2 free v1 resources generates dissatisfactions.
Also, after encrypting, the file opens without asking password, and the need to click on the submenu “exit” (or logout) for it to return to request password exposes our security and also generates dissatisfactions.
Also, generate history of encrypted files, even if the history is secure and I can erase I do not like it.
The v2 is not for my use, it does not cater me, it does not satisfy me, so does not interest me and as the v1 will no longer support I will use it only to find another SW to replace it. I’m already looking.
I’m sure most will do like me without even bothering to come here to manifest.
Anyway, thanks for v1!
Regards
GTI -
AuthorPosts