File/Folder Encryption


Capn Bloggs
12th Dec 2017, 21:58
I'm confused! I am currently using a program called Safehouse Explorer to secure some files. It apparently uses "Twofish 256-bit encryption", which makes it hard for someone to "decrypt". It works on the virtual drive principle: you start the program, put in a password and it opens the virtual drive so you can work on your files. When you've finished, you close the files and close the program and the "drive" morphs back to a .sdsk file.

My question is, if all I need is a password to get into the program and therefore the files, where does the encryption come into the equation? If I use a weak password, having that encryption will mean nothing. Conversely, if I use a really strong password, why the need for "encryption"?

Another program that has good reviews is Folder Lock, but it appears to use the same system. Great encryption but once again it relies on a password.

Any insight from the floor on the relationship between encryption and passwords would be appreciated.

Mac the Knife
13th Dec 2017, 20:54
Why not use Windows' own built-in encryption? SafeHouse looks whizzy on the Web page but unless you fork out $60 for the Pro version, you're getting a pretty crippled product. And SafeHouse isn't exactly well-known.

VeraCrypt - https://www.veracrypt.fr/en/Home.html - is a modern fork of TrueCrypt and since v1.19 is regarded as pretty secure (now at v1.21) and it's FREE!

Mac

:-|

[someone else will have to explain about hashing and salting - I'm going to bed]

MG23
15th Dec 2017, 17:56
> My question is, if all I need is a password to get into the program and therefore the files, where does the encryption come into the equation?

Typically, the encryption software picks a random key and uses that to encrypt the disk. Then it encrypts the key with the password and stores it in a file on the disk. So, to read the disk, you need the password to decrypt the key, which is then used to decrypt the disk.

Obviously, it doesn't matter if the software uses a random 256-bit encryption key to encrypt the disk if you then pick 'password' as your password.

> Conversely, if I use a really strong password, why the need for "encryption"?

If the disk isn't encrypted, anyone can boot the machine from a Linux DVD or USB stick and read what's on it, regardless of what Windows software you install to ask for a password first.
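The arrangement described in the post above (a random disk key, itself locked with the password) as an added example; it is not part of any post in this thread and is not SafeHouse's or VeraCrypt's code. To stay within the Python standard library it assumes PBKDF2 for password stretching and replaces the cipher that would normally wrap the key with an XOR against the PBKDF2 output plus an HMAC check; the function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor, chosen for this example only

def _derive(password: str, salt: bytes):
    """Stretch password + salt into a 32-byte wrapping pad and a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]

def _tag(mac_key: bytes, salt: bytes, wrapped: bytes) -> bytes:
    return hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()

def wrap_key(master_key: bytes, password: str) -> dict:
    """Build the small header stored beside the encrypted volume."""
    assert len(master_key) == 32
    salt = os.urandom(16)  # fresh salt: same password never gives the same header
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(mac_key, salt, wrapped)}

def unwrap_key(header: dict, password: str) -> Optional[bytes]:
    """Return the master key, or None if the password is wrong."""
    pad, mac_key = _derive(password, header["salt"])
    expected = _tag(mac_key, header["salt"], header["wrapped"])
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], pad))

def change_password(header: dict, old: str, new: str) -> dict:
    """Re-wrap the same master key; the bulk data is never re-encrypted."""
    master_key = unwrap_key(header, old)
    if master_key is None:
        raise ValueError("wrong password")
    return wrap_key(master_key, new)

if __name__ == "__main__":
    master_key = os.urandom(32)  # random 256-bit key that encrypts the volume
    header = wrap_key(master_key, "constructed example passphrase")
    print(unwrap_key(header, "constructed example passphrase") == master_key)
    print(unwrap_key(header, "password"))
    new_header = change_password(header, "constructed example passphrase", "another one")
    print(unwrap_key(new_header, "another one") == master_key)
```

The header is only as strong as the password behind it: the 256-bit master key never has to be guessed if the password that unwraps it can be.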

andytug
15th Dec 2017, 18:00
Basically the password is what enables access to what is encrypted, so if you use a weak password then you've really negated any strong encryption. Kind of like if you use a cheap lock on an expensive safe. Use a strong password and you have a good lock as well.

Capn Bloggs
15th Dec 2017, 20:08
Thanks all. Makes sense now.