
BoxCryptor, TrueCrypt, LastPass … Oh My!


Transcript

Boxcryptor, TrueCrypt, LastPass … Oh, my!

Hey, everyone! Leo Notenboom here for askleo.com.

In the last couple of weeks, we’ve had pieces of news, and I’ve had at least one experience with each of those three pieces of software I just mentioned. TrueCrypt, we heard about its security flaw a couple of weeks ago. LastPass, we just heard a couple of days ago that they’ve been sold to LogMeIn, and then I ran into something that doesn’t portend well for the future of Boxcryptor Classic.

All three of these are software that I’ve recommended, so I wanted to quickly take a few minutes and talk about what the issue is with each of them; why you shouldn’t necessarily panic, of course, but then also what I’m looking into to move forward for each of them, in case we end up needing to make some changes.

TrueCrypt

So, TrueCrypt, you probably heard announced a couple of weeks ago that there had been found a security flaw in TrueCrypt itself. As I understand it, it may only apply to TrueCrypt used in a specific way, meaning whole disk encryption.

It is likely that it’s not a huge deal, but as I understand it, the way it works is that the security flaw in TrueCrypt would allow malware on your machine to gain elevated privileges; in other words, to become administrator on your machine, and once malware becomes administrator, it can do all sorts of nasty things.

So, naturally, I mean, the good news is that it requires the cooperation or the presence of malware to take advantage of or to exploit that vulnerability in TrueCrypt. The really good news, of course, is that the vulnerability has nothing to do with TrueCrypt’s encryption. TrueCrypt’s encryption remains solid. You don’t have to worry about your data being exposed somehow, unless of course you have malware on your machine. Then, with or without this particular vulnerability in TrueCrypt, you know, malware could be logging your keystrokes, could be reading your data, doing whatever.

But it has got us thinking a little bit, because as we know, about a year ago now, TrueCrypt was unceremoniously dropped by its developer with some very vague notes that had everybody kind of freaking out at the time. There was an actual security audit performed on TrueCrypt. It clearly focused more on TrueCrypt’s encryption than on its interaction with the system (which is where the vulnerability was found, so the encryption was fine), but the fact is some things slipped through.

Those kinds of vulnerabilities slipped through, and again, not to be too concerned about it; I mean, this is really complex software. That’s why we keep finding vulnerabilities all of the time, everywhere. The systems we have today are incredibly complex. All software has bugs; it really does.

So I’m not concerned that this means anything about the quality of TrueCrypt, and as we’ve said, it has nothing to do with the encryption of TrueCrypt, but without formal support for TrueCrypt (in other words, because TrueCrypt development has stopped, this bug isn’t going to get fixed), we need to start thinking about what the alternatives are.

Now, it has been a year since TrueCrypt support was dropped. In that time, I had an opportunity to notice who the “up and comers” were, who the suitable replacements for TrueCrypt are. The one that comes to mind, the one that seems to be relatively solid, is one called VeraCrypt.

I may refer to it as “Veera” Crypt because my first Corgi’s name was Vera, so it’s really hard for me not to say that, but VeraCrypt was developed from a snapshot of the TrueCrypt source code at the time TrueCrypt development stopped. It is TrueCrypt plus further development.

They have fixed this particular flaw, for example, and apparently a few other things as well. I’ve tried it; I’ve played with it. If you are familiar at all with TrueCrypt, then VeraCrypt will look really familiar, because it’s the same code; it is the same stuff; the dialogs look the same, and so forth.

The one thing where it kind of fell down for me is that they supposedly won’t be able to open up and manage existing TrueCrypt volumes. It didn’t work for me. My volumes may be too old. But in all honesty, that’s probably not the way I’d recommend you switch to it anyway if, indeed, you switch to it at all.

If you’re going to switch encryption technology, I strongly recommend that you build a new volume, or that you re-encrypt using VeraCrypt and then copy your data over onto a VeraCrypt volume or a VeraCrypt drive. So, VeraCrypt is out there. VeraCrypt is something that I’m looking at. I’ve been playing with it a little bit as a potential replacement for TrueCrypt, given that A) there have been vulnerabilities found, and we know that they’re not going to get fixed in TrueCrypt.

LastPass

So, what we’ve heard a couple of days ago now is that LastPass has been sold to LogMeIn. Now, I want to be really clear: That may be totally fine. There may never, ever be an issue with that sale.

However, I actually have a fairly bad taste in my mouth from LogMeIn, and the reason is that some years ago, I used to recommend a piece of software called Hamachi. Hamachi was a personal VPN. You could install it on half a dozen computers and they would all be on this little private network that could basically span the planet.

It was simple; it was cool; it just really worked, and I used it a lot. LogMeIn bought them, and you’ll notice that the product is actually fairly hidden these days. If I understand the offering correctly, what used to be Hamachi is now a couple of tiers. What used to be free, if you want that same functionality, you now have to pay a subscription for. It’s just that a lot of what they did with Hamachi is not what I wanted for myself and not what I wanted, well, for you, for the folks that I recommend software to.

So they kind of annoyed me with that, and to be clear, it’s absolutely their right; they purchased Hamachi, the guy who made Hamachi made some money off of it – more power to him. I’m glad he was able to profit from his work, but the fact is they turned it into something that is not something that I feel like I want to recommend anymore.

Naturally, I’m concerned about LastPass. LastPass is free. You get a ton of stuff with the free version. Even the Premium Version where you pay a buck a month or $12/yr, I mean that’s nothing for what you’re getting out of LastPass, and that’s one of the reasons that I’ve been recommending it and talking about it and using it myself for years now.

So, I’m concerned as you might expect. I mean there’s this experience where they’ve done something to some software that I really enjoyed, and I’m hoping that they don’t do the same. I’m not saying that they’re going to; I’m really not, and I wouldn’t expect them to say anything about that now, anyway. I don’t know what their plans are; I don’t know that they are ready to announce what their plans are.

They may have other reasons for wanting to purchase LastPass – that’s great. I hope that they support it the way it is for years into the future. But, because LastPass is such an important piece of technology, because it’s such an important part of what I recommend to people and because it’s such an important part of just how I run my day-to-day, I feel like I need to have an alternative prepared, and what I’ve been looking at is something called DashLane.

Now, I want to explain why DashLane. In fact, what that really means is I need to explain a little bit about why LastPass to begin with. LastPass uses something that they refer to or that others have referred to as “zero knowledge”. What that really means is that they never see your master password. They don’t get it; it never goes across the wire; it never goes on to their server.

What happens is all of the encryption and decryption happens on your device – your computer, your mobile device, whatever. So what that means is a couple of really cool things. One is, even if LastPass were hacked, and I don’t necessarily mean this stuff that happened a few months ago. Those weren’t real hacks; that was totally a non-issue, but let’s assume the worst, right? If all of the data at LastPass somehow got exposed, it’s all encrypted; it’s all encrypted really, really well, and your master password isn’t part of it.

If you’ve got a strong master password on your data, then even hacking the data is totally useless to people that get it. That’s what I like. That’s a security model I like. It also means that the folks at LastPass can’t access your data because they don’t have the master password. They don’t have the key to open the door that gets them in.

And speaking of doors, that also means that they can’t give the information to someone else who might ask it. If there’s a government agency that comes along or somebody else that threatens them or whatever, they literally don’t have the technology to provide anything other than the encrypted data. That’s awesome; that’s great security; that’s one of the reasons that I chose LastPass a while back.

DashLane, apparently, does the same thing. They use the same zero knowledge technique, where they never see your master password. One quick way to tell if that’s the situation (one side effect of them not having your master password) is that they can’t help you if you lose yours. If you lose your master password, your data is gone, that’s it. There’s no recovery.

It’s one of the reasons that I back up my LastPass database regularly, just in case something happens. And you should be doing that too, by the way.
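The “zero knowledge” model described above, as an added illustration written for this page (it is not code from Ask Leo!, LastPass, DashLane or Boxcryptor): the master password is stretched on the client, split into an encryption key, a MAC key and a separate login key, and the service ever stores only a salt, a hash of the login key and opaque ciphertext. The iteration count, the key labels and the HMAC-SHA256 stream cipher are assumptions chosen so the example runs on Python’s standard library alone; a real product would use a vetted AEAD such as AES-GCM in place of the toy cipher.

```python
# Added example (not code from Ask Leo!, LastPass, DashLane or Boxcryptor): a toy
# "zero knowledge" vault. Everything the service stores is a salt, a hash of a
# login key and opaque ciphertext; the master password and the encryption key
# exist only on the client. The HMAC-SHA256 stream cipher is a stand-in chosen so
# this runs on the standard library alone; a real product would use AES-GCM.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

KDF_ITERATIONS = 100_000  # assumption: illustrative PBKDF2 work factor
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password: str, salt: bytes) -> Dict[str, bytes]:
    """Client side only: stretch the master password, then split the result into
    an encryption key, a MAC key and a separate key used only to log in."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 32)
    return {label: hmac.new(root, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "auth")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode as a pseudo-random keystream (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_vault(blob: bytes, enc_key: bytes, mac_key: bytes) -> Optional[bytes]:
    """Returns None when the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class VaultServer:
    """The service. Note what it never receives: the master password, enc or mac keys."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, bytes]] = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        # Even the login key is stored hashed, so a database dump does not yield it.
        self.accounts[user] = {"salt": salt,
                               "verifier": hashlib.sha256(auth_key).digest(),
                               "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user]["salt"]

    def fetch(self, user: str, auth_key: bytes) -> Optional[bytes]:
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["verifier"], hashlib.sha256(auth_key).digest()):
            return None
        return acct["blob"]  # ciphertext only; the server cannot open it


def client_enroll(server: VaultServer, user: str, master_password: str, vault_text: str) -> None:
    salt = secrets.token_bytes(16)
    keys = derive_keys(master_password, salt)
    blob = encrypt_vault(vault_text.encode(), keys["enc"], keys["mac"])
    server.register(user, salt, keys["auth"], blob)


def client_open(server: VaultServer, user: str, master_password: str) -> Optional[str]:
    """Returns the vault contents, or None: a lost master password means no recovery."""
    keys = derive_keys(master_password, server.salt_for(user))
    blob = server.fetch(user, keys["auth"])
    if blob is None:
        return None
    plaintext = decrypt_vault(blob, keys["enc"], keys["mac"])
    return None if plaintext is None else plaintext.decode()


if __name__ == "__main__":
    srv = VaultServer()
    client_enroll(srv, "alice", "correct horse battery staple", "bank: hunter2")  # constructed sample
    print(client_open(srv, "alice", "correct horse battery staple"))  # bank: hunter2
    print(client_open(srv, "alice", "forgotten"))                     # None
```

The point to take from it is structural rather than a matter of policy: a dump of `VaultServer.accounts` contains nothing from which `enc` can be derived, so a breach, a subpoena or a support request all yield the same ciphertext, and the only recovery path for a forgotten master password is the backup the transcript recommends keeping.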

Because they’re using that same security model, that’s got me looking at DashLane as a potential, I’m not even going to say “alternative” to LastPass yet, but what I’m going to say is an additional recommendation or as an additional tool to use like LastPass. I’m still in evaluation mode; I’m still kind of looking at it, playing with it. I have it installed on my machines but right now, that’s kind of the direction I’m heading in.

Boxcryptor

So, I’ve been recommending Boxcryptor Classic for a long time. Boxcryptor Classic is a great way to keep files encrypted in Cloud storage at the file level, so you’re not uploading massive TrueCrypt databases; you’re uploading individual files; you’re transferring individually encrypted files. That’s what it was designed for; that’s what it does a really good job on.

It, too, supports this zero knowledge approach to your master password. If you lose your master password to your Boxcryptor collection, you’re done. All that data remains encrypted, and you can’t get it. The hackers can’t get it. The service providers can’t get it, and Boxcryptor can’t get it, because they don’t know your master password.

That’s security that I like.

Boxcryptor Classic is not going to support the next version of the Mac OS, El Capitan. I say that, but there will be a read-only version, so you’ll be able to read your Boxcryptor data, but you won’t be able to write your Boxcryptor data using Boxcryptor Classic on El Capitan.

That’s not a big issue for most people. I’m sure most of you aren’t yet running El Capitan. Most of you are running Windows; everything’s fine, but what it tells me is that the Boxcryptor folks are really not that interested in supporting the classic version of their product, the 1.0 version of their product. If there are problems, if there are compatibility issues in the future, clearly they’re going to say, “No, we’re not going to do it. You should be using our 2.0 product.”

Now, the reason that I haven’t immediately jumped on their 2.0 product is that it required a Boxcryptor account; you actually have to create yourself an account with Boxcryptor.

I inferred from that that it meant they also had your master password. Apparently, they do not. Boxcryptor 2.0 still uses this zero knowledge technology, or terminology, or concept to manage your data, so that, once again, your password never leaves your machine. Your master password to your Boxcryptor data, even in Boxcryptor 2.0, doesn’t leave your machine. If you lose it, they can’t recover your data, but it also means they can’t see your data; they can’t give your data to anybody. They just can’t. Their technology isn’t set up that way.

So, I’m looking into Boxcryptor 2.0. I’ve got that installed on a couple of my machines and am playing around with it, and I’m hopeful that it may be a reasonable alternative or a reasonable addition for those folks that are running into issues, maybe with El Capitan right now, or in the future, when there are support issues with Boxcryptor Classic.

The other change, I believe, is that it’s a little bit more expensive. You are paying a certain amount, I think per year, for the 2.0 product, as opposed to the classic product, for which there were different licenses, but for the most part, it all just worked.

That’s another difference that you may encounter with Boxcryptor 2.0, but nonetheless, that’s what I’m looking at when I’m looking at Boxcryptor. I did look for other alternatives that tried to do what Boxcryptor does, and on as many platforms as Boxcryptor does it. I’m not finding that many. I’m not finding any that really, really met the need.

So that’s where I’m at. I’m still looking at Boxcryptor 2.0 as an alternative or an addition to Boxcryptor Classic.

Bottom Line

So, bottom line on all of these is that you don’t need to panic. There’s no need for any panic here at all. Don’t make any rash judgments. Don’t make any rash switches. I’m not yet changing my recommendations.

I haven’t changed; the only thing I’ve done is put that one warning up on my TrueCrypt recommendation, just because there’s a vulnerability that’s not going to get fixed, but especially on the other two, these are things to be aware of. Now, when you hear about them, you’ll know, okay, it’s not yet that big a deal, and that there are some potentially viable alternatives out there that I’m still looking into.

So, with that in mind, I would love to hear from you if you’ve had experience with any of these tools that I’ve mentioned, be it VeraCrypt or Boxcryptor 2.0 or DashLane; let me know. I’d love to hear if there are holes in my thinking right now or if there are better alternatives. I’ve kind of sort of come up dry on all three fronts. These seem to be the ones, but like I said, you probably have a lot more time to play with a lot of this stuff than I do, so I’d love to hear if you’re already doing some of these things. Let me know how it’s turning out. Let me know what’s good, what’s bad, what concerns you about some of these tools, if in fact you’ve used them, if in fact you’ve heard good or bad stories about them.

So, as always, by now, you certainly know the drill. If you’re anywhere but on askleo.com here’s the URL to go visit this video on askleo.com. Leave your comments there. Let me know what you think about things. I hope you appreciate this little quick video. It turned out to be a little bit longer than I expected that I’m sort of shooting in here as an additional video this week. I figured it was a quicker way to get this information out to you in a way that would help as many of you as possible in the timeframe that we’re talking about here.

So, at any rate, I will see you again next week. Thanks again for watching. I hope this has been helpful. Take care, everyone.

58 comments on “BoxCryptor, TrueCrypt, LastPass … Oh My!”

  1. Hi Leo, thanks for addressing the LastPass issue. I frankly think that it’s going the way of a much higher priced product.
    I also have a DashLane account (not currently using – even though I paid for it). I tried it and it was just so much more invasive in everything I did online…kept having to address a box popup asking if I want to save this site or this info or whatever, and if the page displayed any kind of form, oh brother! Makes browsing the web a real annoyance!

    So, kind of in a quandary. I’ll wait and see what happens to LastPass, if anything. DashLane did not endear me to them and it really would not be my next choice.

  2. Great video, Leo, thanks for the heads-up. But, “I want to replace the frustration you feel with the amazement and wonder I feel every day.” Really? How smug and annoying is that? Everyone experiences frustration, it is just part of the human condition, and anyone who says they don’t is a liar. You’ve gotten along so far without trite and meaningless folk wisdom, please, please continue to do so.

    • I’m sorry that you seem to feel as bitter about things as you do. But the fact is I *do* see the world of technology as amazing and wonderful, and I truly do want more people to feel that same way. I’m not saying you (or I) should never feel frustrated, but I want to help move past it when you do.

  3. Hi Leo, I too think LastPass is going to go the way of a higher priced product. I don’t care for the LogMeIn company at all; I don’t trust them and never will. I get Norton free from Comcast, so I just switched all my LastPass stuff over to my Norton Identity Safe. I know, I know, Norton, but it was free and it works, and they say they don’t have your master password at all as well; they say if you lose it you’re out of luck, so I feel somewhat safe. I also very much appreciate your take on TrueCrypt as well, and will look at your other suggestion on this, as I’ve been looking for an alternative for a while. Thanks again for touching on all this; we all really appreciate it.

  4. I was a little surprised by Leo’s negative comments regarding LogMeIn and Hamachi. As an IT consultant I use LogMeIn to support my clients, and FWIW, so does Microsoft Office365 support. LogMeIn remote control used to be free and I was disappointed when I had to start paying for it, but it’s well worth the cost for what I do with it. Now the price does keep going up, but they’re adding useful features. Several of my clients also use Hamachi VPN with good results; some use the free version (up to 5 computers) and some paid (up to 32 computers for less than $30/year!) But I agree, wait and see after any acquisition. I hope they improve the product without raising the price too much. (That also applies to VMware and EMC being acquired by Dell, by the way.)

    • I’m inclined to agree: there’s really nothing wrong with LogMeIn products or LogMeIn as a company. That said, have you looked at TeamViewer as an alternative?

  5. I think it is at least worth mentioning that the statement “the data is totally useless to people that get it” is only true if the data can’t be decrypted.

    Those who use cloud storage should always be mindful of the trade-offs involved.

  6. Hi Leo, interesting analysis of above programs. I used Truecrypt and have now swung over to Veracrypt, which recognised my Truecrypt volume ok. I use Lastpass and like it very much. Have had no problems with it at all. I have just downloaded Dashlane, to try it, and ran into a problem immediately. It installed then I got a message that it has been blocked by group policy, and it will not run!! Don’t know what it’s doing but Lastpass installed with no problems for me. I’m going to uninstall Dashlane until I find out why I got the group policy message. I’m running Win 7 Ultimate 64 bit by the way.

    • Dave: have you, perchance, installed a tool called CryptoPrevent? This tool “artificially implants group policy objects into the registry in order to block certain executables in certain locations from running.” One of the blocked locations is the %appdata% folder which is used by numerous programs, including Dashlane. If this is what’s happened, the solution would be either to look at CryptoPrevent’s whitelisting options or remove the tool completely.

  7. Leo;
    I noticed that you are focused on security when discussing password managers. OK, that is their primary function.
    However, any password remembering software is useful for folks (like my 93-year-old mother-in-law) who have trouble remembering things. Security is not really an issue for her. She has nothing of import on her computer. Anyone who hacked in could only see some really cute cat videos. But, the passwords enable her to be online.
    -Steve

    • “Security is not really an issue for her. She has nothing of import on her computer.” – There’s no way I could agree with that. Security is an issue for ANYONE online. Most people think they have nothing important … until something happens, and they realize they were wrong. Even if there were nothing important, how would she feel if her accounts were hacked and someone began impersonating her to her contacts?

      It’s a sad reality, but everyone needs to take security seriously.

      • “There’s no way I could agree with that. Security is an issue for ANYONE online.” – I agree 100%. I’ve never encountered a computer – and I’ve worked with them for more years than you can shake a stick at – that didn’t contain personal/account information that could potentially be misused if someone were to gain access to it.

      • A recent comment from Edward Snowden applies, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

  8. It will be a real pity if LastPass gets ruined. I have the premium version and am happy to pay the $12 per annum. The service has always been helpful and prompt – even on the free version. I did look at DashLane when it first came out. But I could not see why I should pay $39 per annum for something that LastPass was charging only $12 for. Let’s hope that our fears are groundless. Leo, please keep an eye on things for us!

  9. Hi Leo,

    Thank you for your informative video, and as a TrueCrypt user, thank you for monitoring the alternatives on our behalf.

    Whatever system of encryption is used, it is only as secure as the password. For TrueCrypt I use a 64 character password generated by RoboForm, but again, RoboForm is only as strong as its Master Password. This has to be as strong as possible, but also memorable. The method I use is to create a sentence that only makes sense to me. It could be something like “My dog is a black Labrador! 2005”. This is easily remembered and the addition of a character and a meaningful date, together with the spaces, makes it virtually unbreakable by a brute force attack.

    Kind Regards,
    John Wafford

  10. KeePass. When I was first looking for a password manager, KeePass and LastPass were the two main ones that kept appearing over and over – I selected KeePass, and I love it! It is free, open-source and cross-platform (you need mono on Linux); you can install it if you choose, but I always use the portable version. I can’t imagine ever using anything else.

    • Yes, I also use KeePass but I do use the installed (not portable) version and I use KeePass2Android (Croco Apps). I’ve read (and attempted to understand) some very arcane and esoteric articles on its actual security. What appear to be differences of opinion have brought me to the conclusion that I’m good to go with it. I sync across Dropbox and no, Dropbox does not have any access to the master password or to the master file in an unencrypted state at any time. Still, I’d love to have Leo’s opinion of KeePass 2.30. Please?

  11. Following your comments I tried VeraCrypt, though keeping a TrueCrypt backup. It was remarkably similar to TrueCrypt. As in TrueCrypt, I set up a 1 GB container to hold my confidential files. The only difference I could see that seemed significant was that VeraCrypt took a lot longer to mount the container – up to a couple of minutes. This is an inconvenience rather than a major negative, but nevertheless TrueCrypt is slicker. Once the container was mounted there was no significant slowing in the use of the files (just like TrueCrypt).
    Anyone familiar with TrueCrypt could set up a VeraCrypt container without reading any instructions. So far the only disadvantage I have discovered is the speed of mounting. It is early days, but I shall keep my TrueCrypt programme for the time being, Leo having indicated that the so-called problem does not affect containers, which is all I use.

    • I used to, and in fact still have an article on it. Two concerns with it: 1) I don’t believe they use the “zero knowledge” approach – meaning that they may have your master password in a form that they could retrieve (I’d love to be wrong about this, but it’s a proprietary system and last I heard they hadn’t claimed one way or the other), and 2) they make it incredibly difficult to export your database. Other than that, it’s fine.

      • Actually, it looks like they do. I just looked at the FAQ page, and one of the questions is about losing the master password. The answer is that you can’t recover it. It looks like they have it set up “zero knowledge”, too.

        Yeah, it looks like it would be difficult to export and import other databases to RoboForm; however, I use it and love it.

        (For all students currently enrolled in college, you can sign up for RoboForm for free. You just need a school e-mail address, and you’ll have to provide it each year.)

      • I use RoboForm and I like it. I store my RoboForm data *locally* on my PC in a TrueCrypt volume.

        I would never use a PC at a hotel or the library or anywhere to access any of my important accounts (e.g. bank), so I do not need my passwords and security questions to be stored anywhere but here at home.

  12. +1 for Dashlane. I switched to it from LastPass ~2 years ago. It’s a nice well-designed app that does everything LastPass does but, IMO, is a little easier on the eye and slightly more user-friendly.

    I’m actually surprised that neither Microsoft nor Apple has come out with a solid, no-cost password manager yet. It could help lock people into their ecosystems. At the moment, I see absolutely no reason to consider a Windows Phone, but maybe that would change if it could automatically and seamlessly sync passwords with my desktop for free.

  13. Hey Leo, have you checked out Cloudfogger? It doesn’t support as many platforms and cloud services as Boxcryptor, but it has a fair enough showing. It too uses “Zero Knowledge”, with AES-encrypted RSA keys for de/encryption. I moved to Cloudfogger because I wasn’t happy with Boxcryptor’s platform and have been impressed. Just a thought.

    • I did look at it … they limit the number and types of services you can use. The version I tried was limited to exactly ONE cloud service – unless I signed up for an account, which raised the limit to 5, as I recall.

      Also, it seems to support only specific services – and of course not the one I want. With BoxCryptor you just point it at an arbitrary folder on your machine, regardless of what cloud service – indeed, if any – is managing it.

  14. Dashlane works well for me: thanks to Dashlane I have lots of different passwords with an easy way to find them, change them, and store any additional info I want about any website or subscription. I use it more as a database than a fill-in-the-blanks device, though it’s handy for that too. As for it being invasive, just don’t activate it; hit the X to make it lie down & be good. Even inactive, it’s TSR, so it does slow the old PC a bit, but I find it’s definitely worth the security & convenience. And in a crunch you can change all your [major] passwords at once.

  15. When talking about password managers, RoboForm is seldom mentioned. I have been using RoboForm for years and love it. Have you ever looked at RoboForm? If so, is there anything wrong with it that I am unaware of? If you haven’t looked at it, please consider doing so. I would value your opinion. TIA

    • I mentioned it in a previous comment. I used to recommend Roboform, and indeed if you search Ask Leo! you’ll find my article still doing so. It’s a fine product, but I switched to LastPass for two reasons: A) Roboform does not claim “zero knowledge”, and has not been audited, so my assumption is that they DO know your master password, and could gain access to your information if they needed/wanted to (would love to be wrong about that), and B) they make it nearly impossible to export your data in a usable format. I really dislike the attempted “lock-in”.

  16. Password Managers:
    Originally I was using a paid version of RoboForm from before I heard of LastPass (through Ask Leo!). On Leo’s recommendation I tried LastPass for evaluation – and continued using it (along with RoboForm). Then I heard about Dashlane a couple of years ago and decided to try that as well, and have continued using it also. So I have three password managers that I keep up to date.

    For logging in to websites I prefer Dashlane – not sure why, but it just seems to run more smoothly. Also, it uses an installed application, unlike LastPass which is managed through a browser. The reasons that I keep RoboForm also are: 1) I have already paid for it; and 2) it is the only one of the three that works with installed applications (like TrueCrypt), and not just with websites.

    VeraCrypt:
    I have been using TrueCrypt for about 4-5 years. I don’t have an encrypted disk, just a 10 GB container for personal files. As stated above, I use RoboForm to open up the container, saving me from having to remember a long and complex password and from having to key it in every day.

    When TrueCrypt development was stopped and VeraCrypt was announced as being a continuing development of a TrueCrypt fork, initially I installed it to evaluate. I found that using VeraCrypt I could still access and update my TrueCrypt container without change (provided that I opened VeraCrypt in “TrueCrypt Mode” – a checkbox on the login dialogue). As usual, RoboForm offered to save the login details (as it initially did with TrueCrypt), but when I attempted to save the VeraCrypt login to a RoboForm passcard, it immediately put my PC into a fatal tight loop. The only solution was to cut power to the PC and do a cold boot. This stopped me using VeraCrypt for some time.

    Then just recently, VeraCrypt was upgraded to a new version, so I tried again. And again the same death loop. Was it a problem with VeraCrypt (it works OK with TrueCrypt) or a RoboForm problem?

    I posted the problem to a VeraCrypt forum (no response). I then raised a support ticket with RoboForm and they replied that they could not reproduce the problem, but recommended turning off my antimalware (MSE) and also my nonstop backup (Acronis). I did both and this allowed me to create the RoboForm passcard successfully (no death loop). With MSE and Acronis both reinstated, I can now login with RoboForm passcards to both TrueCrypt and VeraCrypt. (Just mentioned this in case anyone else runs into the death loop problem – there is a solution.)

    Both TrueCrypt and VeraCrypt work equally well with my TrueCrypt container with no incompatibility. As I have now resolved the VeraCrypt login problem, I will probably start using VeraCrypt only in future. (Incidentally, RoboForm even remembers to set VeraCrypt to “TrueCrypt Mode” when I log in.)

    I have never used BoxCryptor, so I can’t comment there.

  17. Hi Leo. On the question of LastPass, I use RoboForm and have done since before I tried LastPass on your recommendation. Having done so, I still prefer RoboForm. It just integrates better into a browser in my opinion, and I found it easier to use. I use their professional version. However, I haven’t heard you mentioning RoboForm as an alternative to LastPass, although I am sure you know of it – any thoughts?

    • I’ve now mentioned it in two previous comments. 🙂 I used to recommend Roboform, and indeed if you search Ask Leo! you’ll find my article still doing so. It’s a fine product, but I switched to LastPass for two reasons: A) Roboform does not claim “zero knowledge”, and has not been audited, so my assumption is that they DO know your master password, and could gain access to your information if they needed/wanted to (would love to be wrong about that), and B) they make it nearly impossible to export your data in a usable format. I really dislike the attempted “lock-in”.

      • from the RoboForm website: ( http://www.roboform.com/password-manager ) near the bottom of the page

        How does RoboForm protect my master password?
        Your Master Password is the one password you’ll need to create and remember as it encrypts and secures all your RoboForm information.
        So how do we protect it? We never know it in the first place! Your Master Password is never stored on our servers and only you know it, so there is no way for it to be hacked or stolen by anyone else. Be sure that you don’t forget it!

        • That’s great news. I used RoboForm for years till I discovered LastPass, and I only switched because of the price. I have LastPass premium for $12 a year. If I do need to switch, RoboForm is a bit cleaner to use than LastPass and might be worth it in the future, especially if LastPass raises its prices.

  18. VeraCrypt: I have been using it for about a week. In addition to the long decrypt characteristic it has an option to select or detect the encryption (encryption detection). I haven’t timed the decryption using automatic detection or by selecting the type used upon container setup but I don’t notice a significant time difference. I don’t see a selection for saving this selection and I wonder if it is less secure if I selected the appropriate decryption method and saved it.

    I wonder what response or explanation VeraCrypt has for the longer decrypt time. I’m not saying it is a significant issue. Just curious.

    • https://veracrypt.codeplex.com/wikipage?title=FAQ

      What’s the difference between TrueCrypt and VeraCrypt?
      […]
      As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.
      This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data.
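To make the FAQ's numbers concrete, here is an added example (not VeraCrypt's or TrueCrypt's own code, and not part of this thread) that times PBKDF2-HMAC-SHA512 at the TrueCrypt container count (2000) and the VeraCrypt SHA-2 count (500000) quoted above, and turns the difference into a per-guess cost for an attacker. The hash, salt size and key length are assumptions for the demo, not the exact volume header format.

```python
import hashlib
import os
import time

# Iteration counts quoted from the VeraCrypt FAQ excerpt above.
TRUECRYPT_CONTAINER_ITERATIONS = 2000   # TrueCrypt, standard containers (at most)
VERACRYPT_SHA2_ITERATIONS = 500000      # VeraCrypt, SHA-2 family
SALT_LEN = 64                            # assumed salt size for this demo


def derive_header_key(password: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 as a stand-in for the volume header key derivation.

    Hash choice and key length are demo assumptions, not VeraCrypt's exact format.
    """
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=dklen)


def timed_derive(password: bytes, salt: bytes, iterations: int) -> tuple[bytes, float]:
    """Return the derived key and the wall-clock seconds the derivation took."""
    start = time.perf_counter()
    key = derive_header_key(password, salt, iterations)
    return key, time.perf_counter() - start


def attacker_work_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times more PBKDF2 work each password guess costs at the new count."""
    return new_iterations / old_iterations


def guesses_per_day(seconds_per_guess: float) -> float:
    """Single-threaded guess throughput at the measured per-guess cost."""
    return 86400 / seconds_per_guess


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)          # constructed for the demo; a real volume stores its own salt
    pw = b"correct horse battery staple"  # constructed sample password
    _, t_tc = timed_derive(pw, salt, TRUECRYPT_CONTAINER_ITERATIONS)
    _, t_vc = timed_derive(pw, salt, VERACRYPT_SHA2_ITERATIONS)
    factor = attacker_work_factor(TRUECRYPT_CONTAINER_ITERATIONS, VERACRYPT_SHA2_ITERATIONS)
    print(f"TrueCrypt-style ({TRUECRYPT_CONTAINER_ITERATIONS} iters): {t_tc * 1000:.1f} ms per guess")
    print(f"VeraCrypt-style ({VERACRYPT_SHA2_ITERATIONS} iters): {t_vc * 1000:.1f} ms per guess")
    print(f"Work factor: {factor:.0f}x; one core manages about "
          f"{guesses_per_day(t_vc):,.0f} guesses/day at the VeraCrypt count "
          f"versus {guesses_per_day(t_tc):,.0f} at the TrueCrypt count")
```

The one-time delay the FAQ mentions is the same cost the legitimate user pays once per mount, while an attacker pays it for every guess.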

  19. TrueCrypt/VeraCrypt/Bitlocker…I’ve come to question whether encryption is really the best option for most folks. Over the years, I’ve encountered numerous instances in which people have, for one reason or another, permanently lost access to their encrypted data and been left gnashing their teeth and wishing they’d never encrypted it to begin with. I’ve also encountered numerous instances in which (usually unencrypted) laptops have been lost or stolen, but not once was the data on those laptops used/misused. I assume this is because the type of person who snatches a laptop from a parked vehicle or coffee shop usually just wants to make a fast buck from the sale of the hardware and has no real interest in the data.

    Encryption programs can be both confusing and intimidating to some people: Lions and PIMs and AES, oh my! I suspect there are a considerable number of people for whom encryption would be a recipe for disaster – a category into which my in-laws certainly fall (“Hi Ray, I’ve forgotten my email password again. Yes, I know you’ve told me a hundred times before how to reset it, but I can’t remember what I need to do. Can you help me fix it? Oh, and my Facebook isn’t working either. Can you help me fix that too?”). I really don’t think encryption would be in their best interests.

    If you’re carrying around a laptop that contains trade secrets or other sensitive business information, then encryption is a must. But I don’t think it’s something that should be recommended to all and sundry, and I’m not even convinced that it’s really the best option for most home users: the risk of people permanently losing access to their encrypted data may well be greater than the risk of a third party gaining access to their unencrypted data.

    What’s your take, Leo?

  20. What would happen if LogMeIn decided at some point in the future to discontinue LastPass? Would the program continue to work, or would we be locked out of all our online accounts? I have dozens of online accounts and that scenario would be a disaster to me, since recovering all those accounts would take a very long time.

  21. Leo sez: “I’d love to hear if you’re already doing some of these things. Let me know how it’s turning out. Let me know what’s good, what’s bad, what concerns you about some of these tools….”

    Well, all right, since you asked….

    I recently learned of a significant design/security flaw in Boxcryptor Classic. When encrypting already-existing files, it DOES NOT securely delete the original unencrypted files. It will “delete” them, but not securely (i.e., by overwriting them with meaningless data). So if you use Boxcryptor to encrypt files that are already on your computer (as opposed to new ones that you’re creating within the Boxcryptor virtual drive), you must use another application (like Recuva, for example) to find and shred those “deleted” files.

    So you have to use a two-step process using a separate third-party application to properly and securely encrypt an already-existing file using Boxcryptor. That’s a shame, because from what I’ve read, it seems like a pretty good encryption application otherwise.

      • Yeah, that’s a simple solution… the only problem with using that tool is if you have a large hard drive with a lot of free space (as I do — currently 744 GB!), then it will take a long time to wipe all that free space. And in my case, the vast majority of that free space is “virgin” — never written to at all, ever. Seems like a waste of time and effort to overwrite hundreds of gigabytes of empty space that has never ever been written on. That’s why I mentioned Recuva, which can wipe just the deleted files that it finds and thereby save a lot of time (at least in my situation).

  22. Leo –

    Hi. Do you know if TrueCrypt is compatible with Windows 10? Since I see no glowing recommendation for its replacement or any new word on its continued development (VeraCrypt notwithstanding), compatibility with TrueCrypt will affect my decision as to how soon I move to Win 10. I use TrueCrypt to encrypt external hard drives and flash drives – not the PC hard drives.

    (I appreciate so much your 2011 article on how to use TrueCrypt. I’ve been a heavy user of it ever since.)

    Thanks…

  23. Could we access our Dashlane account in the same manner as LastPass [LP Free account especially]? Because I browsed about Dashlane, read their Web App Support page http://support.dashlane.com/hc/en-us/articles/202699231-What-is-the-Web-App-and-what-can-it-do- and from what I get there: opening the account via the Dashlane website just provides READ-ONLY MODE, hence we couldn’t store data/change the password etc. via their website like we can with LastPass (so I assume you could change your data etc. with the Dashlane installed program).

    Mostly I access/store data on LastPass via their website/online & I use free account. This LogMeIn-LastPass thing is ‘problem’ since there’s no better free service than LastPass, in my opinion.

  24. I have been using TrueCrypt for some years, and have absolutely no problems with it. There is the potential difficulty of DropBox having to update a large folder when I am done with changes, but I can live with it. The bottom line is that TrueCrypt is reliable.

    I tried AxCrypt on and off. Then recently I ended up encrypting a lot of folders that I did not want to encrypt, including the so-called “Desktop”. Trying to decrypt individual files and folders was just a useless exercise, most of which I had a hard time finding. I had to restore my system to what I saved (Macrium image) from two days before. At that point I gave up on AxCrypt.

    Following your recommendations I tried BoxCryptor. The basic principle is solid. I like the mode of usage. I tried hard to go with it. But there are problems. The basic exit method from the software is by “Exit” or “Sign out”. If using “Sign out”, I need an Internet connection to log in again, otherwise I have no access to my encrypted files. Our recent local storm knocked out my ISP. I had no access to the Internet for half a day. I also could not access my encrypted files until the ISP got things going again. On another computer I did use Exit rather than “Sign out”, so I was able to log in without Internet. But then I got some sass about the free version of BoxCryptor, which I was using to evaluate, supporting only two devices. Well, duh … I had only two devices, but when the Internet came back on, I could not log into my main computer because of this two-device restriction. I went to the website to log into my account, and deleted the other device, which left me with only one computer able to access the encrypted files. That is not good. When I travel, I want my laptop computer to access the same data.

    I found out that the login password to my account at their website must be the same as the login for my encrypted files. I don’t know how you feel about that, but it just seems wrong. The password to my personal files should be private, remain on my computer only, and should have nothing to do with my so-called account at the BoxCryptor website.

    The last straw in my travails was this afternoon when I tried to access my encrypted files. The BoxCryptor pop-up window that takes the ID and the password just would not accept what I typed in. I realize that some people do not keep careful records. I do. I had all that in LastPass. So, even copy and paste did not work. Fortunately I did not have any crucial data encrypted at this time, since I was still in the evaluation mode. However, as of now, I have given up on BoxCryptor.

    If anyone out there can tell me what I did wrong, or about my assumption being off, please let me know. As of now I am out of AxCrypt and BoxCryptor, but staying with the tried and TrueCrypt.

    • I know this is about 9 months late, but I would really appreciate Leo responding to the flaw that Imre mentioned with BoxCryptor. If BoxCryptor requires the web account password to be the password you use on the local device app, then the whole business of “zero knowledge” would be untrue and a serious security breach. If they require that password to access the online account that password can be used by BoxCryptor to access your data – and it can be hacked from their server. That’s not security, it’s worse: a false sense of one!

      I’m very curious about the “flaw” Imre seems to have found with AxCrypt because I have been using it (version 1.7.3156) some. While it will encrypt an entire folder of files at once, it doesn’t actually work at folder level (and won’t work at drive level at all). The function only serves for the convenience of not having to encrypt many files one at a time. You can decrypt the entire folder in one stroke also (again, not the folder, just the files inside). For that reason you would never want to do that with a cloud storage folder because upon decrypting that batch of files your cloud storage service such as Dropbox would immediately back up all the unencrypted files! So it’s not as simple and “easy” as BoxCryptor, but it DOES work on a “zero knowledge” basis. I can’t understand what Imre must have done to cause her problem. I know you can also rename files with AxCrypt (which was probably at the heart of her not being able to find them?) but I don’t understand why she found decrypting them “a useless exercise”. Since I’ve begun relying on it more, I would love to hear of potential flaws.

      Also, I use KeePass for password manager. It seems bulletproof. I store the database file on a cloud drive and have the app on Win 7 and an Android phone. It too is “zero knowledge”. There is no web account, no monthly fee. I did donate to the developer!
      Again, I would love for Leo to look at these apps and tell us what he sees.
      Thank you.

      • BoxCryptor: That’s not how passwords work. They don’t store your password to match it when you type your password in. They store a cryptographic hash of your password. What that means is that they can tell if you entered the correct password, but don’t store what that password is. Thus your master password cannot be hacked from their server.

        I don’t have anything to add on the AxCrypt – I’m not understanding exactly what happened.
