Flash drive password - security

[toast1]

What's the best way to put a password on a flash drive, USB memory?

I'm using Win10.

 

Used to use WinZip, but heard this is crackable.

Is there a safe security setup?
 

 

Thank you

 

[ctxa]

Everything is technically crackable. 

 

But in many cases, and I believe it is the case of WinZIP encryption... the only possible attack is a BruteForce attack. Which essentially means trying thousands and thousands of different combinations per second til you find the right password. 

 

As you may guess, if the password you used is '123' it may take 1-2 seconds to crack. However if the password is '2823AnBcE34%@' it may take years light for it to be cracked even with a huge amount of computational power! 

 

So your best protection, is to make a brute force attack impractical, how do you do that? With a strong password.

[KeeTua]

If you have Win10 Pro version you can use the built in BitLocker to encrypt the USB drive and it will require a password to access the drive. Or use something like TrueCrypt which is also very effective requiring a password to decrypt the files on the drive.

[fdsa]

Truecrypt is deprecated, use Veracrypt.

[toast1]

Thanks, I'll try Bitlocker, but could not find instructions on how to do this, confusing, can you tell me?

Thanks

 

[JackSinclair]

[KhunBENQ]

On 3/31/2021 at 12:14 PM, fdsa said:

Truecrypt is deprecated, use Veracrypt.

And that is the tool for serious protection.

Make the whole stick a Veracrypt volume.

16 to 20 character password and safe you are.

 

Be aware that at another computer Veracrypt needs to be installed to open the volume.

 

It might be overkill but that depends on type of data to be protected.

 

 

Edited April 5, 2021 by KhunBENQ

[toast1]

OK thanks

 

 

[JackSinclair]

Thought I'd bump this thread hope it's ok ?

Here's a wee update. Something new this month.    www.nordlocker.com 
    
I've been using NordLocker,  3 Gb storage comes free with NordVPN. However you have to pay for 500 Gb storage. 

It does not encrypt a hard drive or a USB drive,  but will encrypt folders on the drive of your choice. 
There is also free cloud storage options. 

I found it easy to use, as I was struggling setting up Veracrypt.

[cmarshall]

Better to store the password safely in the cloud with a password manager like 1password.com.

[fdsa]

38 minutes ago, cmarshall said:

in the cloud

 

how giving your passwords to another person could be considered "safely"? ????‍♂️

[johng]

On 3/31/2021 at 12:14 PM, fdsa said:

Truecrypt is deprecated, use Veracrypt.

 

Was it ever revealed why Truecrypt development stopped ?  rumours where that it had a back door that

"government agents" could use to easily unlock the encrypted data.

 

I would also be a bit suspicious of any "Windows" encryption.

 

maybe use Enigma ?  ????

 

 

[scammed]

i write it down on notepad in a usb when i create a password,

then i unplug the usb and only insert it temporarily

when i need the password, but normally i login with my phone nr

[pseudorabies]

Bitlocker was for me the main selling point for getting Win10-Pro.  I used to keep all of my passwords on a text doc on an encrypted drive (before that writing them down in a notebook) but eventually gave in and have started using 1Password.  I think overall it's more secure for a number of reasons and definitely easier and faster.  Keeping track of scores of passwords between myself and my wife had become a headache.  So far no regrets.

[fdsa]

55 minutes ago, johng said:

Was it ever revealed why Truecrypt development stopped ?  rumours where that it had a back door that

"government agents" could use to easily unlock the encrypted data.

I don't know anything about that.

Some unknown third party has audited the Truecrypt source code and found no backdoors: https://opencryptoaudit.org/

 

 

55 minutes ago, johng said:

I would also be a bit suspicious of any "Windows" encryption.

I would be very suspicious of anything related to cryptography or security without its source code available for the general public. So if you are really security-conscious then you shouldn't use Bitlocker or 1Password.

[johng]

1 hour ago, fdsa said:

Some unknown third party has audited the Truecrypt source code and found no backdoors:

 

Yes  but did find issues

https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf

 

During this engagement, the iSEC team identified eleven (11) issues in the assessed areas.

Most issues were of severity Medium four (4) found) or Low (four (4) found), with an additional

three (3) issues having severity Informational (pertaining to Defense in Depth).

 

Finally, iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.

The vulnerabilities described later in this document all appear to be unintetional, introduced as the result of bugs rather than malice

[cmarshall]

3 hours ago, fdsa said:

 

how giving your passwords to another person could be considered "safely"? ????‍♂️

 

Who said anything about "another person?" 

 

Storing your passwords in the 1password.com cloud is safe In the same way that depositing your money in a bank is safe, certainly safer than in the mattress which is what your homegrown method resembles.  What if you lose your device?  Do you back it up every time you update a password?  Where do you keep those backups that is both safe and accessible?  Would it be accessible if you lost your device while you were travelling? 

 

A well-implemented password manager, such as 1password.com, has implemented and tested solutions to all those problems plus others you haven't thought of yet.  Your passwords at 1password.com are stored as encrypted on your computer so neither the tech staff at 1password.com nor some hacker who manages to break into their servers can see your passwords.  Even if a keystroke grabber were to get installed on your pc that captured your 1password.com password, that hacker would still not be able to access your account because of another level of security that he would stop him.

 

And on and on.   Not worth re-inventing the wheel.  1password.com is a good product, but there are others as well, some of which have free versions.

[ukrules]

I use something produced by a company named 'Jetico'

 

They have both volume and container encryption software and I have them both on all my computers

[fdsa]

> What if you lose your device? 

I have backups

 

> Do you back it up every time you update a password? 

yes

 

> Where do you keep those backups that is both safe and accessible? 

on my web server

 

> Would it be accessible if you lost your device while you were travelling?

if I have internet access - yes, if not - will have to wait until I return home to retrieve passwords from another backup device.

 

????

[bendejo]

On 5/8/2021 at 12:28 AM, johng said:

 

Was it ever revealed why Truecrypt development stopped ?

 

There was a deluge of rumors when it happened but none of them made sense.  When the dust settled the only acceptable one (IMO) was that some guys working on it (via source-available) made that declaration, and they had no authority to do so.  Nonetheless, the damage was done and the project became Veracrypt, as someone mentioned above. 

I'm still not sure what this IDRIX (a private French company), the people behind VC, is about, so I'm still using TC 71a.

 

 

[toast1]

Would you recommend a common app like WinZip, that can be paid for, to password protect USB memory drives?

I could upgrade Windows to get Bitlocker, but would that mean I could only unlock this drive on a similar Win10-Pro PC?


Thank you

[KeeTua]

1 hour ago, toast1 said:

Would you recommend a common app like WinZip, that can be paid for, to password protect USB memory drives?

I could upgrade Windows to get Bitlocker, but would that mean I could only unlock this drive on a similar Win10-Pro PC?


Thank you

It’s not worth it to upgrade to Windows 10 Pro just for BitLocker unless you want to encrypt your computer hard drive too, not a bad idea especially for a laptop. Also you would be limited to which computers you could use to open the encrypted files, Pro or Enterprise.

 

I wouldn't pay for a program. I've used TrueCrypt which was pointed out earlier has been replaced by VeraCrypt but still a very similar program. I recommend the portable version. Depending on your level of computer skills there may be a bit of a learning curve.

 

https://www.veracrypt.fr/en/Downloads.html
Download:
"Portable version for Windows 8 and later: VeraCrypt Portable 1.24-Update7.exe (34.3 MB)"

 

Run the VeraCrypt Portable installer and install the files to a folder of your choice. Since its portable it doesn't actually install on your computer, the program will run out of the folder you install the files to.

 

You can trim those files further if you choose. There are only four files totaling around 15MB actually needed for the program to run out of a single folder. Give it a test, create a new folder and copy the following files to the new folder:

VeraCrypt.exe
VeraCrypt Format.exe
veracrypt.sys
veracrypt-x64.sys

 

Now that folder can be copied to your USB drive along with files you want encrypted and you will have the ability to encrypt/decrypt your files on that USB drive from virtually any Windows PC. Everything you need will be in that folder, it doesn't need to install or be copied to another PC it will run off the USB. You can also create encrypted containers with the program and store in the cloud for extra convenience.

 

There's also the 7-Zip free program but I've never used it for password protecting files.
How to Encrypt & Password Protect your Files with 7-Zip
https://7ziphelp.com/password-protect-on-7zip

Official site:
https://www.7-zip.org/

Edited May 12, 2021 by KeeTua

[ukrules]

I already told you what I use, it's not free but doesn't cost the earth either.

 

It's a very professional system and they've been around for more than 20 years, I first used them back in the late 90's.

 

Jetico : https://www.jetico.com/

[toast1]

Great info

 

I can upgrade to Win10 Pro for just $22, buying a license, and get free encryption, so I might do this as its so cheap.

There are some other advantages in Pro as well.

 

thanks

 

Edited May 12, 2021 by toast1