BitLocker™ Drive Encryption

This method is available only in Microsoft® Windows™ 7 Ultimate and Windows™ 8 Pro (and later) versions.

  1. If you’re on Windows 7, right-click ‘My Computer’ and select ‘Manage’. In the window that opens, select ‘Disk Management’. If you have Windows 8 or later, right-click the Windows logo on the desktop and select ‘Disk Management’.
  2. Select ‘Create VHD’ from the ‘Action’ menu.
  3. The ‘Create and Attach Virtual Hard Disk’ window opens. Give it any size you like (e.g. 10 GB), click Browse and save it as a file. Remember, if you select something big like 100 GB, the process takes a long time to complete and the file takes 100 GB from the drive where you save it.
  4. Click ‘OK’ and wait until the file is created.
  5. Now you’ll see a new virtual HDD. Select ‘Initialize Disk’ from its right-click menu. In the ‘Initialize Disk’ window, select MBR and click OK.
  6. Click on the ‘Unallocated Area’ and create ‘New Simple Volume’.
  7. The ‘New Simple Volume Wizard’ opens. Click Next and leave the default values. You can change the drive letter and put anything as the volume label.
  8. Click Finish! Now you have successfully created a virtual HDD.
  9. Open Explorer and go to ‘My Computer’ or ‘This PC’, depending on the operating system. Right-click the newly appeared (virtual) drive and select ‘Turn on BitLocker’. Note that you need administrative privileges to do that.
  10. The ‘BitLocker Drive Encryption’ wizard opens. Choose a password you like (see my advice on passwords below). Remember it! Click ‘Next’.
  11. Now it’s important to save your recovery key. If you forget your password, you can use this key to unlock your drive, so keep it in a safe place. (Your HDD is not a safe place! You’d better save it to your Microsoft account instead; however, make sure no one other than you has access to that account.) Then click ‘Next’ and finally ‘Start Encrypting’!
  12. Wait a while for the encryption process to complete.
  13. Almost there… Now go to ‘My Computer’ (or equivalent) and check it out. The icon indicates that the drive is ‘Unlocked’. You can start copying files now.
  14. When finished, right-click the icon and click ‘Eject’. Whoops! It’s gone. 😦
  15. To open the disk again, follow step 1 and click ‘Attach VHD’; you’ll be prompted for the password. On Windows 8 and later you can instead find the something.vhd file you created and just double-click it.

This method can be considered safe provided that you’ve set a good password and the recovery key is stored somewhere private.

How to choose a ‘good’ password?

There’s no exact definition of what a good password is, but there are several obvious facts that determine how good a password is.

  1. Mainly, it must be hard to guess (or crack).
  2. And also, it should be easy for you to remember.
  3. And optionally, it should be hard for others to remember/read it.

Let’s try to deal with those things so we can obtain a safe, easy-to-remember password.

Never, ever use details about you that are known to others as a password.

They’re easy for you to remember but also very easy for others to guess. Common examples include your name, birthday, NIC/SSN, mobile number, etc. When someone tries to get into your account, those are probably the first things he tries.

Don’t use any of the most popular passwords either; lists of the most popular passwords (late 2011) and of the worst passwords are published regularly.

The most unsafe password was ‘password’ (2011) and now (early 2014 list) it’s ‘123456’. People have a feeling that the password ‘password’ is a clever idea, but it is not. So don’t use them.

Don’t use any words!

Use no words. Words are vulnerable to the so-called dictionary attack: simply put, the intruder tries a list of words until he gets the correct one. Social networking sites offer more protection here, so they normally aren’t vulnerable to this attack. But why take a risk? Use words or phrases created by you, or try reversing (not recommended) or removing some letters. Intentional misspelling (‘munkeylend’ for ‘monkey land’) and combining words are fine. But please note that one can try all possible combinations of words by means of a brute-force attack (yup, it’s a kind of brute-force attack), which of course takes a great amount of time.

Try some symbols!

Use symbols and numbers too. Using uppercase letters is fine. In internet slang we sometimes use ‘4n’ instead of ‘phone’ and ‘gr8’ instead of ‘great’, and so on. Why not try it with passwords? The table below summarizes some of the symbols used instead of letters. So ‘donkeytail’ would become something like ‘D0nk3yta!L’. It’s safer, and easy to remember. And try leet. Update: leet alone might not be safe either, sometimes. I myself have successfully carried out an attack on leet passwords.

Letter   Substitute(s)
A, a     4, @
B        8
E        3
G, g     6, 9
I        ! (or 1)
L        1
O        0
S        5, $
T        7
Z        2

Spaces are great?

Separating words makes your password a passphrase: ‘donkeytail’ becomes ‘donkey tail’. You can misspell the space(s) too (‘don keytail’). Another trick is appending or prepending a space to the password: ‘donkeytail ’ or ‘ donkeytail’. Note the space. It’s misleading: even if someone who wants your password happens to see it in clear text, he’ll probably not notice the space.

Avoid long passwords!??

Longer passwords are hard to remember, or otherwise they’ll be insecure. Longer passwords also waste your time. Imagine you’re going to change the password for all of your accounts (using the same password for all accounts??? I’ll come to that point later in this article). It’ll take hours. (Wait, don’t shout!) And what if you mistyped one letter and aren’t certain which one? You’ll have to start typing over. Yes, you may type 134 words per minute, but what if the account or the website doesn’t support the length of your password? Sometimes the length of the password is limited (maybe 256 letters, maybe even 16). Just use a clever password instead of a long one. 10 to 16 characters would be fine. Longer isn’t always better.

Don’t use silly symbols…

Don’t use Alt + {numpad keys} or anything that results in box shapes, spades, hearts, emoticons, etc. They look safe in Windows (or whatever you are using now), but if you have to type the password from another platform (e.g. Android), boom! You won’t find the symbol. And most importantly, some account types don’t allow those ‘silly’ symbols. It’s better to avoid characters other than ASCII (Sinhala, Cyrillic, etc.), and best to avoid everything that isn’t available on a normal keyboard.

Don’t use patterns visible on keyboard.

Don’t use your physical keyboard layout to make up your password: Q to Z, hold Shift, X to T, release Shift, 1, 2, 3. Never do this. If you get some strange keyboard layout (you’re used to QWERTY and here’s a Dvorak), oops! You don’t remember what you had typed. And people looking over your shoulder will easily realize what you are typing.

Random password generation and password managers.

Random password generators simply generate forgettable strings like ‘as$6&Mf0t’. Password keepers save all of your passwords in a database and protect it with a master password, so you have to remember just one instead of a few hundred passwords. Random password generators and password keepers are available everywhere, free and paid, and most of them do what they should. But here’s my list: (Some of them are free but some are not unless you… never mind.)

They’re extremely safe. (Funny. But here’s a fair warning: some sites may use insecure methods to store your password, so no matter how secure your password is, it’s still vulnerable.) Some of them generate passwords when you sign up, then store them encrypted with a master password (or sometimes a physical key or a card), and whenever you log into the account they type it for you. Safe from brute-force attacks, dictionary attacks, keylogging, over-the-shoulder people, blah blah blah… But there are several problems with these tools. If you haven’t backed up your password database and your HDD is terribly ill, you won’t be able to access your accounts. And if you are going to access your account from a public computer or a mobile device, you may not have your password database with you. Some web-based solutions allow synchronization of your database, so you just have to log in to the password keeper’s website or use a plug-in. Some software has better solutions. Taking the database with you on a flash drive (or in a glass bottle) solves this. It isn’t that troublesome, unless you have short-term memory loss. Even so, mobile devices may not support pen drives (e.g. devices without OTG or USB host mode). And finally, if you’re not allowed to connect your pen drive, again, boom! You don’t have access to your account.

Don’t use same password for all of your accounts, but…

It could be a little unsafe to use the same password everywhere. But remember, a good piece of software or a good website doesn’t store your password in any way! (Yes!) But you can’t be sure that the website is good, can you? All that a website saves on its servers is a code derived from your password by means of a one-way function, which is simply a function that doesn’t have a proper inverse function. As an example, squaring a number (raising it to the power 2) is such a function: 2^2 and (-2)^2 both give 4, but if you see 4 somewhere, you can’t be certain which of 2 and -2 produced it. Hashing is a complex one-way function which exhibits something called the avalanche effect. It’s an interesting effect: you change a single letter in your password, but the resulting hash is completely different from the previous one! So the hash is irreversible. But remember, there are many types of attacks on hashing algorithms (e.g. collision attack: your original password was -2 but 2 is accepted as a correct password!) which possibly reverse the irreversible hash. Funny enough.

There are many types of hashes: SHA1, MD5, Whirlpool, Keccak, … A hash code is fairly fast to calculate. So if someone obtains the hash code of your password, he can possibly commence a brute-force attack (trying every combination of characters, from the beginning of the printable characters to the end) to find the matching password. A hash code alone is no longer used, because of the existence of rainbow tables (precomputed hash dictionaries), fast GPUs, etc. The common method used now is a KDF (key derivation function, e.g. PBKDF2). It involves a random number (the salt, produced by a cryptographically secure pseudo-random number generator) and about 10 000 (ten thousand) iterations of hashing (using a hash-based message authentication code). (Yeah, yeah, I know how to do it. I’ll tell you someday. Are you free next Sunday?)

This necessarily makes the password verification process much, much slower, so an intruder who tries a brute-force attack will have to wait about, say, the lifetime of the universe! So what’s the point? Use the same password but insert some characters based on the name of the app or the URL of the website. E.g. using ‘Mun k3yl3nd’ on Facebook as ‘Munc k3yFl3nd’ (www.facebook.com: from the top-level domain ‘.com’, the letter ‘c’ is inserted after the 3rd letter; from the name of the site, an uppercase ‘F’ is inserted at the position where the real space would be, i.e. between ‘monkey’ and ‘land’). You can use the length of the website name somewhere as a number too. Whoa. Another warning: the website name may change over time. ‘live.com’ is now ‘bing.com’ and a ‘Gmail’ account is now called just a ‘Google’ account. So be careful. 🙂
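The storage scheme described above, as an added example (not code from the original post): the ‘hash code alone’ approach beside a salted PBKDF2-HMAC record with the post’s 10 000 iterations, plus a check that shows the avalanche effect. The record format, function names and the sample password are my own.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # the iteration count the post quotes for PBKDF2


def fast_hash(password: str) -> str:
    """The 'hash code alone' scheme: one fast, unsalted SHA-256.
    Every site storing 'donkeytail' this way stores the same value, so a
    precomputed (rainbow) table or a GPU brute force breaks it once for all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = b"") -> str:
    """Store a password the way the post describes: a random salt from a
    CSPRNG plus 10 000 iterations of PBKDF2-HMAC-SHA256. Returns a text record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (format is mine)."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time, so the comparison itself leaks nothing."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown record scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count differing bits between two hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    # Constructed sample password, taken from the post's own examples.
    rec = make_record("donkeytail")
    print(rec)
    print("login ok:", verify("donkeytail", rec), "wrong:", verify("donkeytaiL", rec))
    # One changed letter flips roughly half of the 256 bits.
    print("avalanche bits:", bit_difference(fast_hash("donkeytail"), fast_hash("donkeytaiL")))
    # Same password, two users: the salt makes the stored records differ.
    print("records differ:", make_record("donkeytail") != make_record("donkeytail"))
```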

Examples help, always…

Assume you watched ‘Jurassic Park’ recently.

  1. ‘Jurassic park’: the idea.
  2. ‘Juras sick park’: modify it a bit into something else that makes sense.
  3. ‘Jur@$ 5!ck p4rK’: substitute some letters with symbols. The first ‘s’ becomes ‘$’, the second one becomes ‘5’. The first ‘a’ becomes ‘@’, the second ‘a’ becomes ‘4’. You’ll have to remember this, of course, but here I used the symbols that come first in the table. Use your own way of replacing letters.
  4. ‘Jur@$ 5!ck Fkp4rKc’: add a seed. What I call a seed is something (letters) which is completely independent of the password. Assume the password is for a Facebook account: the first letter ‘F’ and the last letter ‘k’ are prepended to the last word of the password, and the first letter of the TLD name ‘.com’, ‘c’, is appended.

Find your own way creating passwords. Good luck! 



Changing file extension (Windows)

Renaming


  1. Right-click the file and click ‘Rename’, or select the file and press [F2].
  2. Rename the file, changing the extension (and file name) as you want (e.g. file.dll). (If you can’t see the extension, uncheck ‘Hide extensions for known file types’ in ‘Folder and search options’.)
  3. The file is now unidentifiable.


Viewing

  1. Follow the same steps and rename the file back to its original name to view it.

This method is not secure.

Hiding a file with an MS-DOS batch file (Windows)

Hiding

Save the following MS-DOS batch code to a file named ‘Hide.bat’ in the same folder as the file. ‘file.ext’ is the file/folder you want to hide.

@echo off
attrib +h file.ext

Double-click the ‘Hide.bat’ batch file to hide the file.

Viewing

Save the following MS-DOS batch code to a file named ‘Show.bat’ in the same folder as the file. ‘file.ext’ is the file/folder which is hidden.

@echo off
attrib -h file.ext

Double-click the ‘Show.bat’ batch file to show the file.

This method is not secure: the files can also be viewed using method (1). Changing the code as follows:

@echo off
attrib +h +s file.ext

for ‘Hide.bat’ and

@echo off
attrib -h -s file.ext

for ‘Show.bat’ makes it a little more secure.

But the files are still viewable by also unchecking ‘Hide protected operating system files (Recommended)’.


Hiding a file with properties dialog box (Windows)

Hiding

  1. Open the folder containing the file/folder.
  2. Right-click the file and click ‘Properties’, or select the file and press [Alt] + [Enter].
  3. In the ‘General’ tab under ‘Attributes’, check ‘Hidden’.
  4. Press ‘OK’ to accept.
  5. The file is hidden now.


Viewing

  1. Open ‘Explorer’ and select ‘Folder and search options’ from the ‘Organize’ menu.
  2. In the ‘View’ tab check ‘Show hidden files, folders, and drives’.
  3. Click ‘OK’.
  4. File(s) with ‘Hidden’ attribute are visible now.
  5. Follow the same steps and select ‘Don’t show hidden files, folders, or drives’ to hide them again.


This method is insecure.