Google can prevent you from accessing your own email if it thinks your email program is “less secure”

I have blogged before about email programs that can’t access your email and that try to insist that your password is wrong when you are quite sure that it isn’t. See “Oh dear – error“, for instance.

One of the situations that causes this completely misleading error message is if Google decides that you are using what it terms a “less secure” program to access your Gmail. It doesn’t say what your program is “less secure than” and it doesn’t tell you that this is why it won’t let you in. All it does is tell you that your password is incorrect.

Some circumstances that can definitely cause this are if you use:

  • The Mail program on an iPhone or iPad with an IOS version of earlier than 6
  • The Mail program on a Windows phone with a version earlier than 8.1
  • The Thunderbird or, believe it or not, Outlook email programs (including Outlook 2016 – the latest version)

Fig 1 - Accessing Google Account Info

Fig 1 – accessing “My Account” in Google

There is, however, a fairly simple way of rectifying the situation. Simple, that is, if you know how to navigate the seemingly Kafkaesque options in your Google account as accessed via a web browser.

So, until they mess around again with how your account information and options are presented, here are the steps you need to take to access your gmail by one of the aforementioned “less secure” methods:

  • Open a web browser
  • Log into your google account at
  • Click on the circle at top right and click on “My Account” (see Fig 1)
  • Click on “Sign-in & security” (see Fig 2)
  • Scroll down until you see the box that includes “Allow less secure apps”
  • Click the “switch” to the right-hand (“on”) position (see Fig 3)
  • Sign out of the account (if desired) by clicking on the circle at top right and then clicking on “sign out” (see Fig 1)

Fig 2 - Sign in and security

Fig 2 – Click here

You may think that this couldn’t possibly be the cause of an email access problem today (or tomorrow) as it worked perfectly well yesterday, so why shouldn’t it work today? Because Google are quite capable of moving the goalposts overnight and they are not going to tell you if they do that. You just have to find out for yourself.

In fact, exactly this same thing happened to a computer support client of mine about this time last year. One minute the email was arriving perfectly happily on her iPhone and the next it wasn’t. I should point out here that my own strong advice is to keep up to date with IOS versions. Apart from anything else, it can take a long time to update everything all at once and it’s far easier (and keeps your device safer) to keep it relatively up to date all the time.

Fig 3 - allow less secure apps

Fig 3 – click to the right of the round “knob” to “slide” the switch to the right (“on”) position. It’s no good trying to “drag” the knob to the right: it doesn’t work.

Anyway, in this specific instance the client chose to force Google to accept a connection to a “less secure app”, so we took that route and all was quickly resolved.

So, if your email program suddenly tells you that your password is wrong and it’s a Gmail account that’s involved, do remember to ask yourself whether Google may have moved the goalposts again when it comes to what it considers “less secure apps”.

Has your email address (and, possibly, password) been caught up in a data breach?

Hunched Hoodie

A ne’er-do-well

If, like me, you have never heard of the word “pwned”, then I am pleased to elucidate by quoting Wikipaedia’s definition:

Pwn is a leetspeak slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated (e.g., “You just got pwned!”).

Yes, I know, “leetspeak” isn’t a proper word either. If you care enough, you can check it here –

The important point, though, is that the website performs a valuable (free) service in telling you if your email address has been involved in a data breach. You can even ask them to send you a free email advising you if it should happen in the future.

What do we mean by “…involved in a data breach” and why is it serious?

Suppose some ne’er-do-well hacks into a website and manages to steal a list of usernames and passwords of people who have registered with that site. That is a data breach.

Now let’s suppose that the website suffers such a breach. You hear about it on the 6 o’clock news and you think to yourself “hmm, didn’t I register with them last year when I had a sudden outbreak of nasal hair?” You might be tempted to shrug it off, thinking “how bad could it possibly be?”

Well, if you are one of the countless people who have ever used the same email address (as a username) and the same password on several different websites, then it could be very serious indeed.


Would you want one single key to fit every lock you have?

Computer hackers do realise that there’s a huge number of people who only use one email address and that that email address is used as a username on countless websites. Moreover, they also know people re-use the same password. So, the danger doesn’t lie in them knowing that you bought the super, high-speed, high-power nasal trimmer. Rather, the danger lies in them trying that same combination of username and password on Amazon, LinkedIn, Facebook, Waitrose, Ocado…………

This is why you MUST NOT re-use passwords.

Have I Been Pwned?So, the website kindly lets you know whether any of the major data breaches in the past have exposed your email address and also lets you know – free – if you get caught up in any new data breaches. I strongly recommend that you take just a couple of minutes out of your life to visit the site, click on the “notify me” link at the top of the page, and risk being mildly irritated by having to prove that you are not a robot. After that, you can forget it. You just need to consider whether there’s any action you need to take if you get an email from them some time in the future telling you that somewhere you registered that email address has been hacked into.

Health Warning: I don’t think they claim to know about EVERY data breach. They are certainly not claiming that you’ve never been involved in a data breach if they don’t know about it. Nevertheless, it’s a simple, free way of improving your online security.

If you’re interested in seeing some of the biggest data breaches of the past, have a look at the bubble chart here.

Yes, this is me whingeing about error messages again

See, for instance, “Oh dear – error!“.

I’m not just letting off steam again for the sake of it. This is a situation that I’m sure other people come across and fail to solve (and I challenge you to find the solution among Apple help pages).

Apple ID - password wrongBack in the mists of time (about four years ago), a new computer support client contacted me with a typical list of problems. Included in the list was problems with her Apple ID(s). Specifically, she had two different Apple IDs and some apps had been bought with one ID and some with another. She couldn’t update apps bought or downloaded under the older ID. At that time, we didn’t manage to get to the bottom of her Apple ID problems (mired, as we were, in AOL problems as well).

Anyway, last week I was visiting her for some reasonably routine stuff and she wanted a bit of help setting up a brand new iPhone SE. Not realising I’d stepped into a man trap (“fools rush in..”), I got stuck in and – you guessed – the problem of multiple Apple IDs cropped up again. Now, my client is pretty compos mentis and she has a pretty good idea of the possible passwords that she might have assigned to these Apple IDs, so why on earth were we still having problems? Why were we being told that the password was incorrect?

Apple ID - password entryThis time, it occurred to me that the first thing to do in cases like this is to establish unequivocally what the password is for a given account. So, instead of vainly shouting at her brand new iPhone (albeit viscerally satisfying for me and entertaining for her), we went to a browser (on a proper computer) and tried to log into the Apple ID. We reported that we’d forgotten the password and she demonstrated her clear-headedness by knowing the answers to the security questions it asked. So we were able to re-set the password without drama. We then logged in and out of the account a couple of times so as to be entirely confident of the password.

Now, the Apple ID whose password we had just re-set and clarified belonged to the old account that she’d used yonks ago. The ID that she uses currently causes no problems and we’d restored the software from the previous phone, updated all the apps that go with that ID and everything was fine.

Apple ID - password wrongHere’s the crunch. The phone informed us that it could not update the apps acquired under the older Apple ID without us entering the password. No problem. We now knew for certain what that password is because we’d just re-set it and logged in and out a few times. So, we entered the password and – guess what – it told us that it was wrong. “BUT IT CAN’T BE WRONG, YOU STUPID PHONE”. I don’t have perfect recall of even getting up this morning, let alone what happened four years ago, but both the client and I remember that this scenario was what had us almost in tears the last time.

This time, however, I had a brief moment of clarity – we’re still signed in to the other Apple ID. So, I signed out of the other ID, into the correct one (whose password is most assuredly what we think it is) and, hey presto, the apps updated without problem.

The point of this blog is twofold:

  • Why – especially after all the years that iPhones and IOS have been around – are we STILL presented with a totally misleading error message when entering an Apple ID password? Surely it can’t be beyond the wit of the geniuses working for Apple to trap this error properly and come up with a decent message, such as “You are signed in with a different Apple ID. Sign out of that Apple ID first and then sign into this one”.
  • If, perchance, you yourself have used several different Apple IDS in the past, now you know how to keep all your apps updated without having a hissy-fit.

iPhone 5c - blueBy the by, do you happen to be in the market for an unused, unlocked, 32gb, blue, iPhone 5C? If so, the same client has one (no, it’s not either of the phones discussed above. This one is unused). Just let me know if you are and, preferably, an idea of what you’d like to pay for it, and I’ll pass the message on. It’s still got the original box and my client would despatch it by registered mail.

We all know that passwords are a nuisance – but necessary

Multi Factor Authentication - eyes and fingerprintsI’m not going to bang on again that you shouldn’t use the same password for more than one account. And we all know that recommended passwords are getting longer and more complicated. It seems to me that there’s a general “average” of what is currently considered to be a good (or, at least, reasonable) password:

  • At least eight characters long and possibly up to twenty
  • At least two of the following types of character should be included – upper case letters, lower case letters, numbers, special characters (eg $<*! etc.)
  • No word that is to be found in a dictionary should ever be used on its own as a password
  • Avoid easily-guessed proper nouns (ESPECIALLY your cat’s, children’s, partner’s names!)

But it doesn’t matter how long a password is, or how many billions of years it would take to crack it by brute force if the person trying to get into your account can read the password on the post-it note on your monitor!

So, a lot of websites and organisations (especially financial ones) are bringing in ever more complicated systems of security that require more than one factor to be correct. In these systems, knowing the password is not enough to gain access.

Multi-factor authentication requires the user to satisfy the system that they are genuine by providing at least two from the following three factors:

  • a knowledge factor – something the user knows
  • a possession factor – something the user has
  • an inherence factor – something the user is

Passwords are, of course, an example of the first criterion.

A debit/credit/bank card is an example of something that the user may have. So, getting cash from the hole in the wall entails multi-factor authentication in that you need to have your card (something you have) and you need to know your PIN (something you know – in effect, a password). This is probably the most prevalent form of multi-factor authentication.

Multi Factor Authentication - fingerprintsExamples of “something you are” include fingerprints (ie you are a person with that unique set of fingerprints) and other biometric measures such as retinal and iris scans. These return results unique to one individual, but there could be complications if you cut your finger off or someone pokes you in the eye with a sharp stick. Just in case you wonder whether someone could present a photograph of an eye for authentications purposes, it won’t work. The machine that “reads” the eye looks for the spontaneous contraction and dilation of the pupil that is present in all “real” eyes.

The theory, of course, is that requiring you to satisfy at least two factors is far more secure than asking you to satisfy just one. Far more secure, too, than just asking you to provide two different pieces of information (known as two-step authentication. It is not multi-factor authentication). Two-step authentication is as useful as a chocolate teapot if you write both pieces of information on the post-it note on your monitor.

Multi Factor Authentication - key fobs

Key fobs generate a unique code for that user at that moment. An example of “something you have”.

I don’t think that anyone is claiming that multi-factor authentication is any kind of panacea. There are still plenty of ways that it can be subverted. Stealing someone’s cash card and forcing them to give up their PIN using threats is just one way that two-factor authentication can be fooled by the person seeking access. So, I’m not about to tell you that you long, complicated, passwords are going to become a thing of the past any time soon.

If anything, life is set to become even more complicated as more and more situations will demand two – or even three – factor authentication.

By the way: I keep meaning to point out that my links to Wikipedia pages in these blogs are only meant for anyone with a faint interest in finding out a bit more about the subject. I really wouldn’t try to suggest that any blog with Wikipedia links has any claims to academic respectability!

I’m having serious doubts about whether it’s a good idea to keep a LinkedIn account

Linked-In LogoRegular readers will know that I’m no great fan of social networking sites. I think they are devious, manipulative, insecure, and can not be trusted with a tenth of the personal data that people entrust to them.

Nevertheless, for about five years I have had an account at LinkedIn. I thought that as long as I only give them the minimum amount of information (about my professional self) then it should be ok. To be honest, the real reason for joining was to increase my credibility as a self-employed person advertising via his website. If I have “x” number of connections on LinkedIn then at least “x” people are saying that they know I exist and that they are not ashamed to be associated with me (at least as far as LinkedIn is concerned).

But a number of things have started happening that I don’t like. These include;

LinkedIn - you may know

This person has suddenly appeared at the top of the list of “people you may know” in my LinkedIn account – just days after I started an email exchange with her.

People showing up on LinkedIn as being “people I may know” that LinkedIn could not possibly have deduced from my current connections. Indeed, LinkedIn don’t suggest they are first, second, or third degree “connections”. I have always scrupulously denied LinkedIn access to my contact lists. And yet, the only thing that a lot of these “people I may know” have in common is that they are, in fact, in my address book. If LinkedIn has obtained my contacts legally then I can only think that they must have bought another service – of which I am a member, and to which I have inadvertently revealed my address book. In any event, I don’t like it. Online services taking over other services and then pooling information about their users is one of the most insidious mis-uses of data online that I can think of.

More and more emails being received from people I don’t know, asking me to “connect with them” on LinkedIn. LinkedIn is not supposed to be like some stupid social networking sites where the aim is to get as many “followers” or “friends” as you can – irrespective of whether you actually know them. It’s supposed to be about business networking. There’s going to be no point in it at all if you can’t trust that the relationships are genuine.

There has been a lot of press about LinkedIn being hacked and about LinkedIn allegedly misusing information gleaned from users’ email accounts. If you suspect that people in your address book have been receiving invitations to join LinkedIn – apparently instigated by you – then do have a look at this link:

LinkedIn customers say Company hacked their email address books

And these pages don’t exactly inspire trust, either:

Your leaked LinkedIn password is now hanging in an art gallery
LinkedIn hack
LinkedIn passwords hacked

A Leaky BucketPerhaps It was one of these episodes that gave rise to a client phoning me last week with the news that her Gmail account had been hacked and her contacts were receiving some very strange email messages that were supposed to have come from her. She said that she had just been exploring LinkedIn (where she has an account) and that this hacking happened just afterwards. I realise that there is no proven connection with LinkedIn, but that doesn’t stop my uneasy feeling about them.

Luckily, the hackers used her Gmail account to send all these strange messages, but they didn’t change her password. The only reason I could think of for this was that they’d got access to so many accounts that they were content with a “one-time use” of her account. We were very, very, lucky. I have tried to recover Gmail accounts from Google before (see this blog on Gmail Passwords) and it can be very difficult. When trying to prove ownership of your hacked account, Google will ask some impossible questions – such as “on what date did you open the account”!

Anyway, in this instance we were able to access the account and change the Gmail password. I’d like to take this opportunity to remind you not to use the same password several times (or similar ones such as mydog1, mydog2, mydog99 etc), as any human being that has hacked one site containing your email address and a password may well try the same combination (or similar ones) on other sites – see this blog on re-using passwords.

Add all these things together and I’m now teetering on the edge of closing my LinkedIn account. Certainly, I changed my own LinkedIn password as soon as possible after the above incident. I would advise you to do the same.

Passwords (again), silly Twits, and more…

Test Your Passwords

Click here for (another) password tester. Yes, I know I’ve given a link to a site like this before. I don’t apologise because I’ve seen how much upset can be caused by a malicious person guessing a client’s password. See this blog on the subject of stolen Gmail passwords, for instance. Even if you don’t change any existing passwords, please use strong ones in the future. In the meantime, find out how good that one password (that you use for everything!) actually is – or not.

A Plug for Low Cost Names

The LCN (Low Cost Names) logoIf you find yourself wanting to register a web domain, then I definitely recommend doing it with LCN. I’ve been using them for years and never had a problem, but hadn’t realised before just how good an example they set in communication and online support. This week I needed to register a domain for some testing I was doing. I needed to speak with someone and was very pleased to find that they prominently publish their telephone number on their website. Not only that, it is a normal, non-premium, UK landline number. Even better, the normally-elusive technical support people were available from option number one on their automated telephone menu system. Then they told me how many were in the queue before me. Then, within a minute or so, they answered me with a knowledgeable, UK-based adviser. That’s the way to do it!

Who Said You Could Share My Data?

Twitter and Linked In Logos merged together

Is it just a coincidence how snugly the Twitter and Linked In logos merge together?

I was rather miffed last week to receive an email from Twitter suggesting people that I might like to “follow”. Apart from the fact that I’m perfectly capable of deciding for myself whether my life is so empty that I want to fill it by “following” anybody (it isn’t and I don’t), I was annoyed by the unsolicited intrusion into my inbox and by the fact that two out of the three suggestions were people who had figured in my Linked In connections (one of whom I had deleted). I hadn’t realised before that Twitter and Linked In were connected and I certainly hadn’t knowingly given them permission to share information with each other. When I looked at the privacy policy of Twitter I learned:

Links: Twitter may keep track of how you interact with links across our Services, including our email notifications, third-party services, and client applications, by redirecting clicks or through other means. We do this to help improve our Services……

Well, I for one do not consider sharing data this way and then sending me unsolicited emails to be “improving…. services”. Instead, it just reminds me of some of my worst nightmares of these large organisations sharing more and more data amongst themselves, and then coming to computer-generated conclusions about who I am and what I want.

And still on the subject of Twitter…

Screen grab from Don't Blame FacebookDid you see the Channel 4 programme last week called “Don’t Blame Facebook”? It told tales of how injudicious tweeting and posting on social network sites can cause unforeseen problems. It’s amazing just how shortsighted and, frankly, stupid people can be in giving away too much information on these sites. Nevertheless, even I had to feel sorry for the the couple who were refused entry into the USA and sent back home without having their holiday just because of the paranoia of the spooks who monitor everything that is shared on Twitter. Apparently, the male half of the couple had tweeted that he intended to “..destroy the US” while on holiday. He just meant he was going to have some fun, and maybe a drink or two. Nevertheless, they were stopped by the US border guards on their way in, spent a while in jail, and then returned to the UK.

At the time of writing, you can still watch the programme “Don’t Blame Facebook” by clicking here.

The biggest single preventable IT problem that my clients seem to encounter is lost, forgotten, or mis-remembered passwords

PadlockI know it wasn’t long ago – see this blog on passwords – that I recommended writing down all passwords – manually – in one place. OK, I can see the obvious flaw in this advice. However, the practical reality, in my experience as an IT Support Consultant, is that almost everyone needs some simple but rigid discipline to ensure that they can always find any of their passwords.

So why am I bringing it up yet again? Because some online organisations have started taking it upon themselves to force us to change our passwords before allowing us into our accounts. I think I’ve seen it with Apple in the last few weeks and I encountered it with the Dropbox website recently. With Dropbox you can simply re-use the same password (which defeats their aims of improving your security), but with Apple you can’t re-use one that’s been used in the last year.

This development adds a further layer to the complexity and frustration caused by online passwords. Being forced to change a password before you can carry on with what you were doing is just going to increase the likelihood that you will invent a variation of the existing password, fail to write it down, and then get locked out the next time you try to access that account.

Padlock with keyI’ve been trying to think of a way to make changing passwords easier – eg add 2 digits to the existing password that represent the month it was changed. The problem is, of course, that when you come to enter the password you won’t necessarily know when it was last changed so you won’t know what the current password is. It’s also true to say, of course, that any method that makes it easier for you to remember your own passwords makes it easier for someone else to crack them.

I don’t often see written advice on this subject. My guess is that anyone who is going to commit themselves in writing on the subject feels the need to be seen as “responsible” – hence all the common advice:

  • Passwords for all account should be unique.
  • Make passwords at least fifteen characters long.
  • Change them every month.
  • Never re-use them.
  • Always use a mixture of upper and lower case letters, figures, and special characters.

Hand holding keyThe only secure and comprehensive solution that I know of is to use password manager software. I’ve been using this approach myself for ten years or so. The reason I’ve not routinely passed it on to my clients is that its security depends on being absolutely certain that you have access to a working copy of the password program and backups of the data files. Frankly, a lot of people’s backup regimes are not rigorous enough for me to recommend that they put all their eggs in one basket by relying on a password manager.

However, this latest development (forcing password changes on us) has finally convinced me that it’s time to create a practical solution for my clients, consisting of recommended software, installation and training. The solution will need the following features:

  • Installation and training of a recommended password manager.
  • Installation and training in multi-level backup procedures to virtually eliminate the chances of losing the data file (data backups are always, ultimately, the user’s responsibility).
  • Ability to access the same password data whether you are currently using your Windows PC, IOS device (iPhone or iPad), Android device, or Mac.

I know the software to use as I’ve been using the specific software myself for at least six months and other software from the same company for at least five years. At this stage I’m not sure how long the installation and training of such a package will take, but I hope it can be done in a single session of, say, a couple of hours I’ll be aiming for simplicity and flexibility rather than sophistication. Please do let me know if you are interested.

Remembering usernames and passwords is a pain. It’s made much easier by using the same one for everything and never changing it.

Unfortunately, of course, what makes life easier for us also makes it easier for the hacker. If someone gets hold of one password then they can try it on any other of your accounts.

Yahoo is just the latest in a growing list of companies whose password databases have been hacked. Several other large online companies have also recently admitted that they think that huge chunks of their clients’ password information have fallen into the wrong hands. These companies include LinkedIn, eHarmony, and LastFM. If you receive an email from one of these organisations advising you to change your password then do so immediately. If you’ve used that same password on other sites then change all those passwords as well.

Bunch of Keys

Would you feel safe having only one key, that fitted every lock you own?

Yes, I know it’s a pain. It’s bad enough having to use all these IDs and passwords. It’s even worse that we have to try and make them unique and keep changing them. And now I’m suggesting that if LinkedIn (for instance) want you to change your password for that account then you should change the password for all the other accounts where you have used that same password? Yes, that is what I am suggesting.

“Fat chance”, I hear you say. You probably don’t even know which of your accounts use the same password and, anyway, you are ALWAYS going to have something better to do than organise your online passwords (re-arrange your sock drawer, for instance). Surely, no-one could have such a sad life that they’d even contemplate it?

an open Filofax

Write them all down in ONE place as soon as they are created or updated.

Well, if that’s your reaction, then I am prepared to risk sounding very condescending by suggesting you start a new habit now. Start writing down your IDs and passwords on real paper, with a real pen, and keep that information secure and in a place near your computer where you will always be able to find it.

Yes, I do know that that is a “security risk”. Anyone finding this master list will be able to get into everything. What’s the alternative? The proper alternative is to use a computerised, encrypted, password-protected, password manager. I use eWallet, and it works for me. However, if you use a program like this then you MUST take proper care in taking backups of the data and ensuring that you have a method of accessing the backup as well as the “live” file. If you are not completely sure that you have backups that will be accessible in all circumstances then you could get locked out of your own data. A manual record, on the other hand, is completely independent of all your computers and hand-held devices.

This advice comes as a result of many years of providing computer support to individual home users, professionals, and to small organisations. Over and over again I have been sitting with a client, trying to help them with a particular problem, and I have witnessed over and over again the frustration and the waste of time caused by not having a simple, foolproof, method of checking on what passwords were used in specific circumstances.

Filing Cabinet with Lock

What’s wrong with a good old lockable filing cabinet?

Writing everything down – as soon as the change happens – can save an enormous amount of time and frustration in the long run. If I still haven’t convinced you (or put you off reading the rest of this article), consider the situation where you’ve called me in to help you with something and we need a password or ID that you can’t find. In a lot of cases, of course, you simply contact the orgnisation in question and they quickly send you an email telling you how to change your password. If, however, we all spend 20 minutes trying to get into whatever it is that you want help with, then that is going to be £20 added to my invoice (at my current, very modest, rate of £60 per hour). In effect, you are being fined for not being able to find your password easily. And that is just what’s on my bill. What about all of your own wasted time and frustration?

I think we have to face the fact that we are going to have to live with multiple accounts, IDs (“usernames”) and their passwords for the foreseeable future. We might as well organise ourselves so that this is as painless as possible. To my mind, always being able to lay your hands on your password information is about as basic as it gets in aiming for that. And if that means getting a bit retro and digging out an old Filofax, then so be it.

End of harangue.

Combinatin lock superimposed on a laptopI have been asked several times recently, in relation to IT support, whether it is possible to password-protect sensitive data in Windows. Considering how long Windows has been around, you would think that by now there would be a simple way of protecting a file or a folder so that the contents can be neither listed nor opened without a specific password.

There isn’t.

This is one of those omissions that truly astonish me. Another such omission is that there’s nothing in Windows to allow you to synchronise the contents of two folders with anything resembling sophistication or control. That’s another matter, though. Let’s stick with passwords, for today.

So what can you do if you’ve got some files that you want to access regularly but don’t want others to see?

  • You can add a password at the bios level so that Windows won’t even load up without the correct password. This prevents anyone from starting your machine but the hard drive could be removed and connected as an external drive to a different machine. The files could then be accessed just as if they’d been stored on a flash drive. Also, a bios password does not protect you at all if the machine is already switched on and you leave it unattended. I use a bios password on my netbook computer so if I leave it on the tube one day at least no-one can just switch it on and get at everything on it without any effort.
  • You can add a user account in Windows with its own password. This is ok as long as you keep all the data you want to keep private in your “Documents” folder. If you are in a semi-public place (eg an office) you may also wish to activate a screensaver so that the password is required before resuming activity.
  • There are ways in Windows to allow or deny access to files, but these can be subverted by someone logging on as an administrator and the files are still visible even if the contents are inaccessible.
  • You can store your sensitive files on a USB flash drive and not on your hard drive. The flash drive itself is, of course, vulnerable to loss, theft etc.


TrueCrypt logoIf you really want to go industrial-strength in hiding certain content, then I recommend a program called TrueCrypt. With this, you create a special, password-protected, file of a chosen size (it can be huge). You put anything you want to keep private in this special file. This is achieved by “mounting” the file so that Windows sees the file as a new hard drive of the size you specified when creating the file. You can then access this “virtual drive” – and the sensitive files on it – in the normal way. When you want to hide the contents you just “dismount” the virtual drive. Prying eyes can only see that there’s a (possibly huge) file present but they can’t access it without knowing that it has to be “mounted” with the TrueCrypt program and without knowing the password you allocated to it. If you are really, really, paranoid you can even create a Truecrypt file within another one.

There are several benefits to the TrueCrypt approach:

  • No-one knows what’s in the file. They don’t know how many files are hidden, of what type or size, or the names of the files, or anything.
  • A casual snooper would not even know that they have found a file with hidden contents. All they see is a filename and you could give the file a completely meaningless name – such as “system execution derivatives” (??)
  • Even if the file is suspected to hide private data the snooper would then need to know (a) that TrueCrypt is the program needed to access it and (b) the password to mount the file.
  • You only need to remember one password (to mount the TrueCrypt volume) and not separate passwords for each file in it.
  • It’s free (but users are invited to donate).

There are some minor downsides:

  • It takes a few minutes of concentration and application of grey matter to get your head around how TrueCrypt works. After that, though, everything’s easy.
  • You can not back up the individual files that are inside the TrueCrypt volume without making those backups vulnerable to snoopers. Therefore, you have to back up the entire TrueCrypt volume. That’s no problem in itself (it’s just an ordinary file in this respect) but it’s a BIG file. If you’ve allocated, say, 2gb, as a TrueCrypt file then it’s going to need the time and space to back up a 2gb file even if you’ve only put a single 1mb file inside it. You can create your own compromise, of course, by creating two or more smaller TrueCrypt files.

I’ve been using TrueCrypt for a year or two now and I don’t recall ever having a single problem with it.

TrueCrypt is available for Windows and for Macs.

Remote Support may be suitable for this topic

© 2011-2019 David Leonard
Computer Support in London
Privacy Policy Suffusion theme by Sayontan Sinha