SAbboushi
asked on
How safe is XP Pro encryption?
I use XP Pro encryption. I understand that it is near impossible to crack the encryption (would take decades with today's supercomputers). Does anyone disagree and can provide credible links to support such a claim?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
M$ has also noted the "admin reset" for a non-domain pc can allow EFS data to be compromised:
http://www.microsoft.com/technet/archive/security/news/efs.mspx (still applies to XP/2003)
-rich
http://www.microsoft.com/technet/archive/security/news/efs.mspx (still applies to XP/2003)
-rich
Using NTLMv2 is the recommended setting. Also, using a PW that is 15 characters or more prevents the effectiveness of rainbow tables. Another thing you can incorporate into the PW to make it stronger is using one or more ALT characters (holding down ALT and typing in a three digit number in the num pad).
If your really worried about this data, you need to physically secure it also. That means preventing people from getting to the device that it is stored on.
Another thing you can use is PGP or GPG. GPG is the completely free version.
Here's info about it:
http://aplawrence.com/Basics/gpg.html
Here's the GPG site:
http://www.gnupg.org/(en)/index.html
If you want to have more fun with encryption, you can use some Stego. People can see encrypted files from a mile away. It's like having a big safe in your living room. They know you must have something of value in there. With stego, you can hide files within another file & use encryption. Now you've taken the safe and put it into the wall and hung a picture in front of it. People would really have to look for it. Just make sure the files that are masking your info fit your profile. They have to look like something you should have.
No matter how secure it is electronically, you still need to secure it physically.
If your really worried about this data, you need to physically secure it also. That means preventing people from getting to the device that it is stored on.
Another thing you can use is PGP or GPG. GPG is the completely free version.
Here's info about it:
http://aplawrence.com/Basics/gpg.html
Here's the GPG site:
http://www.gnupg.org/(en)/index.html
If you want to have more fun with encryption, you can use some Stego. People can see encrypted files from a mile away. It's like having a big safe in your living room. They know you must have something of value in there. With stego, you can hide files within another file & use encryption. Now you've taken the safe and put it into the wall and hung a picture in front of it. People would really have to look for it. Just make sure the files that are masking your info fit your profile. They have to look like something you should have.
No matter how secure it is electronically, you still need to secure it physically.
NTLMv2 doesn't help with physical access, the only hashs stored in the SAM is NTLM and LM. The author has turned off LM cacheing. Alt codes really do help keeping a pass from being bruteforced, but with physical access the hacker is going to reset the pass anyway and not have to try BF. There are also several compatibility issues with alt codes, you can't send them over HTTP, such as when using VNC via through a browser, or when trying to logon to Outlook/Excahgne OWA sites. Physically secureing the encryption key's is very effective. Keeping them on the PC is like sticking an extra house key under the door mat, it's there for anyone to retrieve. The encryption keys should be exported, backed up, and kept secure.
PGP/GPG are great, as are programs like TrueCrypt and Steganos Security Suite, the latter two are using stegnography to hide the data archives go give you the added benefit of plausible deniability.
To answer the authors question, EFS can be secure, but it takes more work than other products need right out of the box.
-rich
PGP/GPG are great, as are programs like TrueCrypt and Steganos Security Suite, the latter two are using stegnography to hide the data archives go give you the added benefit of plausible deniability.
To answer the authors question, EFS can be secure, but it takes more work than other products need right out of the box.
-rich
If you are looking to protect your data files in the event that the machine is stolen then check out http://www.dekart.com/ they provide a software package that creates a virtual disk drive encrypted using AES encryption that is independent of the OS. As a previous poster pointed out: XP encryption is worthless if the attacker has physical access to the machine. This software will protect the files.
TrueCrypt has similar features to the above. XP's offering can be secured, again it takes more effort than most other offerings.
-rich
-rich
ASKER
Hi guys - thanks for the posts. Sorry I disappeared for awhile - my dad died...
Richrumble and BooneSaysHi - I appreciate the recommendations for other solutions, but that is not what I was looking for.
Richrumble and BooneSaysHi - I appreciate the recommendations for other solutions, but that is not what I was looking for.
ASKER
HKEY_LOCAL_MACHINE\SYSTEM\
and
HKEY_LOCAL_MACHINE\SYSTEM\
Password is 10 characters upper/lower case & symbols