How Is it Possible to Change a Password Without Re-encrypting an Encrypted Disk?

How is it possible that you can change your Windows password without re-encrypting a hard disk that was encrypted using that password?

I’ll assume you mean BitLocker whole-disk encryption, but the concept applies to many different encryption tools. You can often change the password (or passphrase) without needing to re-encrypt whatever it is you’ve encrypted.

The secret is simply this: your password wasn’t used to encrypt the disk.

Something else was.


BoxCryptor: Secure Your Data in the Cloud

One of the hidden issues in online storage is privacy. Almost all online storage providers have the ability to examine your data or hand it over to law enforcement even if the provider has encrypted your data.

Hopefully, most of us will never have to deal with the law-enforcement scenario, but even the realization that a rogue employee at an online data storage provider could peek into what we keep online can cause concern. For some, it’s enough concern to avoid using cloud storage at all.

The solution is simple: encrypt the data yourself.

Unfortunately, implementing that “simple” solution isn’t always that simple or transparent, and can add a layer of complexity to online storage some find intimidating.

BoxCryptor is a nicely unobtrusive encryption solution that is free for personal use.


Cryptomator: Encryption for Your Cloud Storage

I regularly hear concerns about using cloud storage — the biggest being that online files are at higher risk of compromise should your account or the storage be hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.

Those are all valid concerns.

Cryptomator is a free encryption solution that addresses them.


How to Best Back Up Your Encrypted Data

I talk about encryption a lot. I talk about backing up even more.

Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.

Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.

Unfortunately, I’d wager that most people are backing up their encrypted data improperly. The result is that they’re not as protected by that backup as they might think they are.


How do I secure a hard drive before sending it in for repair?

How does one secure a hard drive while sending the computer to a repair facility? I have personal financial information on my hard drive. Will just a password provide sufficient protection while the computer is in the shop? After the fact, is there maybe a way to find out if someone has copied the files?

What you’ve presented is actually quite a dilemma.

To answer the second part first: no. There’s simply no way to determine if your files have been copied – at least not in any way that absolutely says they were copied with malicious intent.

The problem is, there’s really no fool-proof solution to your scenario. In fact, I’ve heard of companies occasionally electing not to repair a hard drive, because it meant that sensitive data might be visible to repair technicians.

Your options to secure a hard drive are limited, but if you can plan ahead, there’s a chance.


Why SSL?

Ask Leo! recently switched to being provided over a secure “https” connection, or SSL.

There’s an assortment of reasons I elected to do this, ranging from my own curiosity to making a statement.


What makes a site secure?

Once, I read that secure websites should begin with https. Well, yours just starts with http. I figure it’s safe but apparently missed the distinction between safe and unsafe computer addresses.

“Secure” has a very specific meaning when it comes to the internet. It’s about technology. And you are correct, askleo.com is not a secure website. It is, however, a safe website.

Let’s review what all that means.


If we login to a site securely will our other activities be secure?


Hi, Leo, when I logged on to eBay it’s using https. But when I then move off the sign-in page, it’s evidently no longer https; it’s plain old http. If we’re traveling and we use Wi-Fi, will our eBay activities be secure?

Your instincts are right. An http page does not provide a secured connection. This is a very important thing to realize about the difference between http and https. The fact that eBay uses https for the login means that yes, your login at least is protected. That means someone in an open Wi-Fi hotspot, or with some other kind of network access, can’t easily sniff the traffic and determine your eBay login credentials. That’s a good thing.

However, the fact that after you log in it switches back to http means that the rest of your activity is not protected by encryption.


Can Someone Install Something on My Computer When It’s Not Logged In?

Before I raise heck in the house, would you please answer a question? We have several computers in our home. Recently, I have seen “Spy PC 7.0 Quick Start Guide” in the home. I don’t mind if the owner of this booklet uses it on his/her machine, but not on anyone else. Can this be installed on other personal computers (which are usually password locked)?

The short answer is yes, absolutely. I think you’re right to be concerned.

I also think there’s an exceptionally important lesson here for everyone.


Are you ready for your computer to be stolen?

I often talk about computer failures of various sorts and what you should be prepared for: the crash that happens just before you save your document to disk, the failure that renders a disk completely unreadable and unrecoverable, or the computer that dies the true death taking all of your data with it.

You know the drill. Hopefully by now, you’re prepared for that.

But by being prepared for that, you’re actually only ready for one half of a somewhat-related disaster.

What happens when your computer … disappears?


What Information Does a Laptop Leak on a Wireless Network?


What identifying signatures are given off by my laptop when I’m connected to a wireless network? I’m sure that my WiFi card, hard drive, Windows ID, and other identifying information is broadcast, but what is it? Would I guess that a traffic sniffer would show the make and model of my computer? Or does it go deeper than that?

Actually, it doesn’t go that deep at all. In general, it’s not as much information as you list… as long as you’re doing things right.


How does website or VPN encryption work?


When I travel and use a site like Hotspot Shield or another service, how does my information get encrypted? Does the site send an encryption key that encrypts my data before it leaves my computer and then decrypts it with a key only it and my computer knows?

I have the same question regarding my “secure” online banking transaction when I’m at home on my secured wireless network. Does the bank send my computer a key to encrypt my data before it leaves my computer to go through my secured wireless LAN? I plan to travel overseas shortly and I’m very concerned about using my computer for sensitive transactions while overseas.

You’re mostly right, but you’re also overlooking an important step in that process. How do you exchange that encryption key securely before the encryption has been set up?

In other words, how do you send someone a password securely if the only thing that they would have to make it secure is knowing that password before they got it?

The problem is that you need to encrypt to exchange data securely, but you can’t encrypt until you’ve exchanged the encryption key. It’s a classic chicken and egg problem.

Let me explain what happens here at a very high level.


How Do I Password-protect a Flash Drive?

I want to put all of my websites and passwords in a text file and store them on a flash drive for safekeeping. How do I password protect it?

There are several different ways to do this.

You can purchase flash drives that have built-in password or PIN protection. They tend to be pricey, but they’re almost perfect for this kind of situation.

Frankly, I don’t recommend them. There are other solutions that are more flexible and less costly.


Just How Secure Is Email, Anyway?


My business requires the emailing of some sensitive information on a regular basis. I have spoken with my boss and co-workers about all of us using an encrypted email system, but no one seems to think there is a significant threat or danger out there to require these extra steps in security. Can you offer any data to help me convince them that this is a good idea?

Actually, I don’t have hard data to say one way or the other. The risk varies too much on too many factors to really present data that’ll apply in any specific situation.

But we can definitely look at some of the specific factors.


TrueCrypt – Free Open Source Industrial Strength Encryption

TrueCrypt comes up frequently in Ask Leo! answers. Many people are concerned about things like privacy, identity and data theft, particularly on computers or on portable devices where they might not always have total physical control of the media.

Someone might gain access to sensitive data stored on your computer.

Encrypting your data renders that access useless, even when your computer or your thumbdrive falls into the wrong hands.

And TrueCrypt makes it not only easy, but nearly un-crackable.

IMPORTANT: On September 30, 2015, it was reported that a serious security vulnerability had been discovered in TrueCrypt. Not a fault in its encryption, but rather a more traditional vulnerability that malicious software could use to gain administrative privileges on your Windows machine.

Since TrueCrypt development has halted and no fix is likely forthcoming, I can no longer recommend its use.

My tentative understanding is that VeraCrypt is a free, compatible, and supported alternative, based on a fork of the original TrueCrypt code. And yes, these most recent vulnerabilities are supposedly fixed therein.

IMPORTANT: On May 26th, 2014 TrueCrypt development was abruptly and somewhat mysteriously halted. While I still use and recommend TrueCrypt, please also read Is TrueCrypt Dead? for what happened, and any late-breaking updates.
