From: philo on
Bennett Haselton wrote:
> In Windows XP you can encrypt a file or folder just by right-clicking
> on it and selecting the Encryption attribute -- no extra password or
> decryption key required -- so I assume the encryption key is derived
> from your logon password somehow.
>
> However, doesn't that mean that if you choose to encrypt a file but
> your logon password is blank (and many people have set their password
> to blank just so they can boot up their computer without entering
> one), then by "encrypting" the file you haven't really encrypted it at
> all? (Well of course you haven't, since anyone could boot up the
> computer and be automatically signed in as you, and access the file
> without ever authenticating themselves.)
>
> I'm writing some articles about tips and tricks for Windows, and one
> of the things I'm saying is that I consider it a user interface bug
> that Windows lets you "encrypt" a file, without giving you a warning
> if your password is blank. I'm just wondering if there is some
> legitimate reason why Windows doesn't warn you about a blank password
> before encrypting, otherwise I would call it a bug.
>
> (I haven't tried under Vista or Windows 7; does anybody know if those
> operating systems warn you if you try to set a file's "encryption"
> attribute and your password is blank?)
>
> Bennett



Though having a log-in password is a reasonable security measure...
it hardly guarantees your data are safe.

To access your data one would simply have to boot up with a live Linux
CD and access to the entire drive would be available in only a matter of
seconds.

If your data are encrypted, then it's considerably safer...
as the encryption algorithm would have to be decrypted...
which is not so easy...and is certainly going to be very time consuming
From: philo on
Shenan Stanley wrote:
> Bennett Haselton wrote:
>> In Windows XP you can encrypt a file or folder just by right-clicking
>> on it and selecting the Encryption attribute -- no extra password or
>> decryption key required -- so I assume the encryption key is derived
>> from your logon password somehow.
>>
>> However, doesn't that mean that if you choose to encrypt a file but
>> your logon password is blank (and many people have set their password
>> to blank just so they can boot up their computer without entering
>> one), then by "encrypting" the file you haven't really encrypted it at
>> all? (Well of course you haven't, since anyone could boot up the
>> computer and be automatically signed in as you, and access the file
>> without ever authenticating themselves.)
>>
>> I'm writing some articles about tips and tricks for Windows, and one
>> of the things I'm saying is that I consider it a user interface bug
>> that Windows lets you "encrypt" a file, without giving you a warning
>> if your password is blank. I'm just wondering if there is some
>> legitimate reason why Windows doesn't warn you about a blank password
>> before encrypting, otherwise I would call it a bug.
>>
>> (I haven't tried under Vista or Windows 7; does anybody know if those
>> operating systems warn you if you try to set a file's "encryption"
>> attribute and your password is blank?)
>
> philo wrote:
>> Though having a log-in password is a reasonable security measure...
>> it hardly guarantees your data are safe.
>>
>> To access your data one would simply have to boot up with a live
>> Linux CD and access to the entire drive would be available in only
>> a matter of seconds.
>>
>> If your data are encrypted, then it's considerably safer...
>> as the encryption algorithm would have to be decrypted...
>> which is not so easy...and is certainly going to be very time
>> consuming
>
> Okay... But here's the point I got out of the post you are responding to.
>
> - Someone can have no password in Windows XP Professional for logging in.
> - That same person can encrypt a file/folder using EFS on the machine.
> - However - with no password, logging in as that person is trivial - a
> literal click of the mouse/pressing ENTER on the keyboard. And once logged
> in - the files they encrypted are automatically decrypted.
>
> In other words... There's no need to hack any passwords or reset them using
> any method. The password is empty; there is no password.
>
> So while the password may not provide any real protection where physical
> access is concerned - at least with the use of a password someone would have
> to change/hack it to get in (or take ownership of the files/folder or use an
> imaging application to make an accessible image of the disk, etc) - but the
> encrypted files would not be accessible in any timely/easy manner like they
> are if you have no password and I just click on your logon picture, logon as
> you and get to your files - encrypted or not - because I am you as far as
> the computer is concerned - same empty password as you always had. ;-)
>



Thanks for the info...

I guess I did not realize that XP's built-in encryption was so weak...

I think that for better security a 3rd party encryption tool would be better
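The warning Bennett asks for can be bolted on outside Windows. The script below is an added example written for this thread, not code from any of the posters or from Microsoft: it sets the same EFS attribute Explorer sets, but first refuses when the current account's logon password is blank, which is the case Shenan describes where the "encryption" protects nothing because anyone can log on as you and the files decrypt transparently. It also lists files that are already EFS-encrypted, which is useful after you discover the password was blank all along. The blank-password probe is an assumption worth stating: it calls the Win32 LogonUser function with an empty password and an interactive logon type, and treats either success or ERROR_ACCOUNT_RESTRICTION (the code LSA returns when the "Limit local account use of blank passwords to console logon only" policy blocks a blank-password logon) as "blank"; any other failure means a real password is set. Function names, the test path and the hypothetical secret.txt are my own.

```powershell
# Added example (not from the thread): EFS-encrypt a file only if the
# current account actually has a password, otherwise refuse loudly.
# Assumption: LogonUser("", LOGON32_LOGON_INTERACTIVE) either succeeds for a
# blank-password local account or fails with ERROR_ACCOUNT_RESTRICTION (1327).

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeLogon
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
                                        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Test-BlankPassword {
    # Returns $true when the account can be logged on with an empty password.
    param(
        [string]$User   = $env:USERNAME,
        [string]$Domain = $env:COMPUTERNAME   # local account; use the domain name for domain accounts
    )
    $LOGON32_LOGON_INTERACTIVE = 2
    $LOGON32_PROVIDER_DEFAULT  = 0
    $ERROR_ACCOUNT_RESTRICTION = 1327

    $token = [IntPtr]::Zero
    $ok  = [NativeLogon]::LogonUser($User, $Domain, '', $LOGON32_LOGON_INTERACTIVE,
                                    $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        [void][NativeLogon]::CloseHandle($token)
        return $true
    }
    # 1327 is what LSA returns for a blank-password account when the
    # "limit blank passwords to console logon only" policy blocks the attempt;
    # treat it as blank rather than silently passing. Anything else
    # (typically 1326, logon failure) means a real password is set.
    return ($err -eq $ERROR_ACCOUNT_RESTRICTION)
}

function Protect-FileWithEfs {
    # Equivalent of ticking "Encrypt contents to secure data" in Explorer,
    # guarded by the blank-password check the thread says Windows lacks.
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }

    if (Test-BlankPassword) {
        $who = "$env:COMPUTERNAME\$env:USERNAME"
        $msg = "Refusing to EFS-encrypt '$Path': the logon password for $who is blank, " +
               "so anyone at the console can log on as you and read it in clear."
        throw $msg
    }

    [System.IO.File]::Encrypt($Path)

    # Verify the attribute really took (it will not on a FAT volume or where EFS is disabled).
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
        throw "EFS attribute was not set on $Path (FAT volume, or EFS disabled?)"
    }
    Write-Output "EFS-encrypted: $Path"
}

function Get-EfsFiles {
    # Lists files already carrying the Encrypted attribute under a folder,
    # so they can be reviewed once a blank password has been discovered.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

# Usage (secret.txt is a hypothetical file):
#   Protect-FileWithEfs -Path "$env:USERPROFILE\Documents\secret.txt"
#   Get-EfsFiles | Select-Object FullName
```

Run it in an elevated or normal PowerShell session as the user who owns the files; the LogonUser probe needs no special privilege for an interactive logon of the caller's own account. Note that the check only addresses the blank-password case from this thread: a weak but non-blank password still lets an attacker with the disk reset or crack it, and the thread's live-CD point still applies to everything on the volume that is not EFS-encrypted.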