Password VS Passfile

Discussion in 'other security issues & news' started by Wai_Wai, Nov 5, 2006.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    1)
    I can create long and hard-to-break password.
    I can remember it easily. I don't mind about that.
    In this situation, which one is better/safer - password or passfile?

    2)
    Will it be harder for the hacker to steal my pass if I use passfile to decrypt my files/folders?

    3)
    Exclude the case where the storage device fails.
    How likely will a passfile be corrupt, say when the program access to the passfile, it get corrupted?
    Will it be one of the concerns when I use passfile instead of password?
    If it is corrupted, does it mean I can't get back my data? :(

    4)
    Is it possible to password "passfile" (so even if someone has stolen my passfile, it is still useless without my password on that "passfile")?
    If so, how?

    Thank you.
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Wai_Wai,

    I recently read an article about Authentication (determining if you are really you).
    The main point was that authentication comes down to:
    What you are (fingerprints, retinal eye patterns, and other biometrics)
    What you know (passwords, passphrases)
    What you have (keyfiles, security tokens, smartcards, etc.)
    Or a combination of two or all three.

    Keyfile(s) (which is what I think you mean by passfile) can help against keyloggers.
    But anyone who steals the keyfile can pretend to be you.
    Require a password and a keyfile and you have two factor authentication.
    It depends what level of security you want and how much you are willing to compromise convenience.
    Use a keyfile and password and you can use a shorter password and still have strong protection.

    Yes. Most keyloggers that I've heard of aren't behavior based looking for what files are being accessed at a given time. Of course, if the hacker is sitting there on the compromised computer watching what you are doing, they can see the keyfile too!
    Encryption (of files) won't protect you from hackers that compromised your computer, it protects from physical theft.
    Encryption may slow hackers from getting the data from your compromised computer. But if they are determined enough, they can keylog your password and get your keyfile as well.

    Always keep a backup of your keyfiles in a safe place.
    Power outages, spikes, surges happen. Also with USB devices and some file systems, it is safer to use the system tray "Safely Remove Hardware" before you remove the device.
    Regular use is not going to cause a corruption problem.

Yes it is possible but unnecessary if you use two factor authentication.
    Let them steal the keyfile. If they don't have the password, the encrypted data is useless to them.

    As for password protecting the keyfile there are two ways:
    1. GnuPG can encrypt files using your private key. This private key is encrypted and protected by a password.
    I like TrueCrypt and AxCrypt better for encrypting files though.
    2. You could store the keyfiles in an encrypted container protected by a password.
    But this method causes extra work for you and no additional security over two factor authentication (password + keyfile).
     
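To make the "password AND keyfile" point concrete, here is a small Python example added to this thread (it is not code from TrueCrypt, AxCrypt or either poster). The way it mixes the two factors, PBKDF2 on the password and then an HMAC over the keyfile's digest, is an illustrative assumption, not any product's actual keyfile algorithm; the sample password, keyfile bytes and salt are constructed for the demo. It shows that neither a stolen keyfile nor a keylogged password alone reproduces the key, and that a single flipped bit in the keyfile yields a different key (which is why the backup advice above matters).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample factors (not from the thread). In real use the keyfile is a
# random file you keep backed up, and the salt is stored next to the ciphertext.
SAMPLE_PASSWORD = "short-but-memorable"
SAMPLE_KEYFILE = bytes(range(256)) * 4   # 1024 deterministic bytes standing in for a keyfile
SAMPLE_SALT = b"\x00" * 16               # fixed so the example is reproducible
ITERATIONS = 100_000                     # PBKDF2 work factor (assumed value)


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes,
               iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit encryption key from a password plus an optional keyfile.

    The password is stretched with PBKDF2-HMAC-SHA256 to slow down guessing,
    then the keyfile's SHA-256 digest is mixed in with HMAC so the result
    depends on both factors. This combination rule is an illustration for the
    thread, not the scheme any particular product uses.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    if keyfile is None:
        return stretched                       # password-only mode
    keyfile_digest = hashlib.sha256(keyfile).digest()
    return hmac.new(stretched, keyfile_digest, hashlib.sha256).digest()


def new_keyfile(size: int = 1024) -> bytes:
    """Generate a random keyfile. Back it up: a lost keyfile means lost data."""
    return os.urandom(size)


def single_factor_is_enough(password: str, keyfile: bytes, salt: bytes) -> bool:
    """Return True if either factor alone reproduces the two-factor key.

    A stolen keyfile without the password, or a keylogged password without
    the keyfile, should not yield the real key.
    """
    real = derive_key(password, keyfile, salt)
    keyfile_only = derive_key("", keyfile, salt)        # has the file, not the password
    password_only = derive_key(password, None, salt)    # keylogged the password only
    return (hmac.compare_digest(real, keyfile_only)
            or hmac.compare_digest(real, password_only))


def corrupted_keyfile_changes_key(password: str, keyfile: bytes, salt: bytes) -> bool:
    """Flip one bit of the keyfile and report whether the derived key changed.

    Any corruption of the keyfile gives a different key, so the encrypted
    data can no longer be opened with the damaged file.
    """
    damaged = bytearray(keyfile)
    damaged[0] ^= 0x01
    return not hmac.compare_digest(derive_key(password, keyfile, salt),
                                   derive_key(password, bytes(damaged), salt))


if __name__ == "__main__":
    key = derive_key(SAMPLE_PASSWORD, SAMPLE_KEYFILE, SAMPLE_SALT)
    print("two-factor key:", key.hex())
    print("single factor recovers key:",
          single_factor_is_enough(SAMPLE_PASSWORD, SAMPLE_KEYFILE, SAMPLE_SALT))
    print("1-bit keyfile corruption changes key:",
          corrupted_keyfile_changes_key(SAMPLE_PASSWORD, SAMPLE_KEYFILE, SAMPLE_SALT))
```

Run it as a script to see the three results. The HMAC mixing step is the design choice that turns "either/or" into "both/and": dropping either input changes the output, which is the property the posts above rely on.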
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hello, Devinco!


    Some banks and financial companies are using additional authentication which will not be affected by a computer. If the login requires security tokens + password, it effectively stops both keylogging and physical theft. It seems to be the ultimate solution to these sorts of problems. Unfortunately not every financial company does it. Some still rely on passwords only which is very unsafe.

    Yes, that is what I mean.

    Depending on the importance, but most of the time I would go for the third option - Use a keyfile and short password.


    [quote]Yes. Most keyloggers that I've heard of aren't behavior based looking for what files are being accessed at a given time. Of course, if the hacker is sitting there on the compromised computer watching what you are doing, they can see the keyfile too!
    Encryption (of files) won't protect you from hackers that compromised your computer, it protects from physical theft.
    Encryption may slow hackers from getting the data from your compromised computer. But if they are determined enough, they can keylog your password and get your keyfile as well.[/quote]

    Oh my bad.
    I wrongly thought it was EITHER password OR keyfile.
    I missed out the BOTH-AND option.

    Regarding TrueCrypt and AxCrypt, would they be able to encrypt or hide existing folders/files (eg My Documents)?
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    For Encrypting a whole folder worth of data, I would use TrueCrypt.

    AxCrypt excels at individual file encryption, but when you encrypt a whole folder, it individually encrypts each file. So your My Documents will still be there with all the filenames visible, but all the individual files will be encrypted and decrypted as you open each file.
    It works, but it is not as convenient as TrueCrypt when working with many files.

    With TrueCrypt, you will create an encrypted file container or partition.
    You decrypt this file container or partition by using a password, keyfile, or both.
    The decrypted (on the fly in memory) file container or partition is mounted as a new Drive Letter which operates as a normal drive.
    You can store My Documents within that drive.
    When you dismount the drive, the data in My Documents is not accessible until you mount it again.
    You will be able to see that My Documents points to a non-existent drive letter, but you won't be able to see the contents.

    It is not truly "hidden," but TrueCrypt also has options for hidden containers which is a container within a container.
    Encrypting hides the contents of data, it does not hide the fact that the data exists.
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    What if I would like to keep the directory of the folder the same?
    As far as I know, I need to move the contents of the folder to another location in order to encrypt it (TrueCrypt).
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Then use AxCrypt or your favorite encryption program.
    The My Documents folder will stay where it is on the same drive and only the contents are encrypted.

    Correct. You can move the entire My Documents folder into the mounted drive letter.
    You then point your start menu My Documents shortcut to the new drive letter location. If you want, you can set TrueCrypt to auto mount the drive on boot up. You then type in the passphrase / keyfile and My Documents are accessible in the mounted drive letter.
     
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Wouldn't it defeat the purpose of encryption?
    If you keep mounting the drive all the time, the contents are kept decrypted and can be easily stolen.
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    No, because the purpose of encrypting your files and folders is to protect from physical theft.
    Encrypting your files and folders does not protect your data from hackers.
    Once a keylogger is in place, the strongest encryption won't help you.
    Using a keyfile in addition to a password will help here.
    But if a trojan or rootkit is installed and the hacker is monitoring your activities, they can obtain the keyfile and access your data.

    If you use TrueCrypt or AxCrypt, the files and folders are encrypted when you shut down (or dismount) so the data is safe from physical theft.
     