Encryption

EFS is part of NTFS. I believe XP Home supports NTFS and EFS. Don't know for sure as I only use Pro.

Perhaps, but it's extremely easy to set up an encrypted volume and keep your personal data there. It makes it much easier to keep your data secure in case your PC gets stolen (especially if it's a laptop) or if you need to bring your system in to a computer shop for servicing.

There's a difference between paranoia and good common sense. If you have data that you don't want other people to see, it makes sense to keep it encrypted, even if it's on a PC that you normally control.

I agree that 256-bit AES is overkill for somebody securing their Quicken data file. Some form of encryption, however, is a very good idea to minimize the chance that the data gets accessed by somebody you don't want to access it.

If you're using Quicken on a laptop, and the laptop gets stolen, it's trivial for somebody to open up your data file and know pretty much everything about your financial situation. If you keep your personal data on an encrypted drive (i.e. using TrueCrypt), it's basically impossible for anybody to access that data without your passphrase. Putting the data on an encrypted drive is easy to do, but massively increases the security of the data.

I agree. I wouldn't argue that military-grade security needs to be used. I would, however, argue that some form of encryption be used to protect the data. But if you're going to use encryption, why not use strong encryption? It's not any harder to do.

Bob

Yet another reason to not use XP Home!

Sure, if you wish simply use EFS.

Exactly, and that's why I specifically used the word paranoid.

I have the feeling of Deja Vu - do you?

Sure, if you wish to keep your data in such an insecure thing as a laptop then you should encrypt it. But why go out and get yte another application to maintain when EFS is already available to you (well XP Pro users I guess).

Because it is harder to do in some sense. Indeed any sort of encryption adds complexity. I used EFS for a while then something screwed up and I didn't have a valid copy of my keys. Result was I lost data. Nobody broke into my house nor my computer, etc. yet I incurred a penalty nonetheless.

Why bother using Firefox when Internet Explorer is available to you? Why bother using Word when you can use Wordpad for free with Windows?

The bundled apps that come with Windows aren't always the best tools for the job.

Besides the already mentioned fact that it only works with XP Pro, isn't NTFS encryption tied to one's login/password?

I don't think one can move the encrypted files to another system and decrypt them there under a different login. And if one is part of a domain and some domain admin resets one's password, one won't be able to decrypt the files anymore. With TrueCrypt (and others) there's a different password controlled by you, and files are portable.

Not necessarily bad to use NTFS encryption, just be aware of the above.

-- HASM

Yes I agree. But as I have been trying to point out to you, for this job, not much is required and the standard Windows tools are often more than enough. If you have military grade paranoia well then go for it dude!

Your best bet is to use a 3rd party encryption program for these 3 reasons:

EFS in Windows XP Pro is a per-file only DES and has been broken. Its well known in the encryption community and thus, how to decrypt it is too.

Quicken filenames, locations etc., are well known and thus, easily located [ thus copied] even by ActiveX scripts in websites or worse, trojans.

Intuit has a service to break your password for a fee. This suggests it either has a backdoor or the encryption is not very strong.

An example of a secure mode of installing files see Firefox or Mozilla directory structure and filenames.

Of the encryption programs the only one that has the best encryption is but ONE, Truecrypt. The reason is not only has the latest incarnation of nearly ALL academic ciphers none of which have yet been reported broken, it can be used in anyway the user desires [ so there is no 'model' for a hacker to latch on to to decipher a file and you can multiply wrap each file to your paranoia] and it leaves no 'footprint' for a file to be found as a truecrypt file [ the same way viruses are found with antiviral programs].

For example, you can install TC to use 3 ciphers in your laptop, but only one in your desktop, because the laptop is a less secure device.

"formerprof" wrote in news:M866g.17$ snipped-for-privacy@fe06.lga:

WARNING: If you forget your password, no one has yet been able to decipher it beyond a brute force attack, that is you use a weak password like a word a decryption program will try all combinations of words to break it.

Beware.

Joe John wrote in news:Xns97BC5587C9D7anakngputa@199.45.49.11:

Right. File this under "Be careful what you wish for."

See the post by HASM in this thread. The concerns with EFS aren't relating to its level of security - they relate to the fact that the encryption is tied to your Windows login. If your Windows user account gets hosed or you need to access the encrypted files from a different system, you're out of luck.

That's why you back up your keys. There is a way to recover from the situation that you speak of but yes you need to be careful and think ahead of time.

Any encryption scheme is crackable given enough resources. I've heard that if you lost your keys then you might as well kiss your data goodbye because decrypting it is very difficult. Hell even you seem to contradict yourself in your next post:

WARNING: If you forget your password, no one has yet been able to decipher it beyond a brute force attack, that is you use a weak password like a word a decryption program will try all combinations of words to break it.

Quicken files can be located in different places. For example, mine are not in the standard place. Still this provides little to no security.

The password associated with a Quicken database is a totally separate thing or issue WRT encrypting the files with something like EFS or this TrueCrypt thing.

What?!? It does no such thing! I wrote and posted a simple Perl script to not only find where Firefox or Mozilla store their directory structure (AKA profile) and grep through the address book extracting email addresses. Having a slt component of the path to the profile does nothing, one can easily traverse the users file system once they are code running on the users machine. It's the file system itself that tells you where things are and supplies any missing directory names. Trivial to do and not secure at all!

Right. Again, for most Quicken users this is nothing but overkill, an additional application to install and keep up to date and more complexity with little payback. It's sort of like installing 6 locks on your front door and then only like 3 of them...

Your statement is true, but not very useful. An encryption scheme that would take current high-end computers millions of years to crack is, for all intents and purposes, uncrackable in the forseeable future. There are encryption algorithms that have been shown to be insecure (an example is the old ZIP password protection), and can be cracked using a typical computer in a very short period of time. Something like AES isn't likely to be cracked by a typical computer (or even several thousand typical computers) in any reasonable timeframe, particularly if a strong passphrase is chosen.

Perhaps, but TrueCrypt is pretty darn easy to use, and generally isn't something that needs to be updated regularly. On my system, the only extra complexity is that I periodically need to enter my passphrase to access that data. The payback is that my data is totally secure, even if somebody steals my machine.

Further, the encryption schemes used in TC are designed to NOT be crackable, by any computer. That is the whole field of cryptography, finding an algorithm that resists such attacks. These folks dedicate their careers making and breaking, such algorithms. The over 8?? algorithms in TC have not yet been reported cracked. Even if one is, mixing them together reduces any possibility of deciphering _your_ combination.

Yes, totally secure by what exits in todays technology. Far better than what any 3rd party to date, Microsoft or Quicken provides by default. And, its free.