File Lockdown

Keep Your Private Information Private

First Published: PC Today
Date Published: November 2003
By Kevin Savetz
Your computer is almost certainly home to information that you would rather keep private. From business records to love letters, tax statements to, ahem, your first meager attempt at writing a novel, your PC probably has dozens of files that are no one's business but your own. But chances are you aren't the only person with access to that PC. If your roommate, family members, or co-workers use that computer, they also have access to your confidential files. And if someone steals or breaks into your computer, your financial data could fall into the hands of a complete stranger.

There are many options for keeping your data private, including encryption tools and software that hide entire folders from view. Encryption products encode files so that only someone with the password can read them.

Multiple Users & Accounts

Windows XP and Windows 2000 include the ability to create multiple accounts, with a password for each. When you enable this feature, the first thing you'll see when booting your PC is a login dialog box; before accessing Windows, the user needs to choose an account and type its password. But don't rely solely on Windows' account passwords to keep your data private. In a home or office environment, the password feature could keep casual snoops from looking at your files, but advanced users know how to easily bypass this feature.

To add a password to your account in WinXP, open the Control Panel and click User Accounts. Select the account you want to change and click Create A Password. Type and confirm your password and then press the Create Password button. If you wish, you can enter a password hint, as well. This is a clue that will appear whenever anyone presses the question mark button in the Windows login dialog box. If you use a hint, be sure it's vague enough so that it stumps anyone else who might be trying to access your data.

After adding a password, Windows will ask if you want to make your files and folders private. When there are multiple accounts on the computer, the privacy option will keep other accounts from being able to access your folders. But even though this will keep co-workers from opening your files (while logged into their own accounts), the privacy option doesn't encrypt your data.

Setting up multiple users is also possible in Windows 98 and Windows Me by double-clicking Users from the Control Panel, but the overall purpose is personalization, not security. This feature merely lets you keep your Start menu items, Desktop icons, My Documents folder, and files separate from those of other users. You can add a password to your account so Win98/Me asks for it at boot time, but this is another feature users can easily bypass. All a user has to do is click the Cancel button when the login dialog box displays to gain access to your files.

File Encryption In WinXP Pro & Win 2000

Alone, user accounts don't do much to protect your data, but coupled with file encryption, which is built into WinXP Pro and Win2000, your files have a higher level of protection.

If your PC's hard drive was formatted using NTFS (NT file system), you have access to encryption from within WinXP Pro and Win2000. Encryption isn't built into the older FAT (file allocation table) file system, but you can add it with third-party software. (For a few examples of this type of software, see "Third-Party Encryption Software," the next section in this article.)

To encrypt a file or folder in WinXP Pro and Win2000, right-click the item that you want to protect and choose Properties. Click the Advanced button, select the Encrypt Contents To Secure Data checkbox, and click OK. Windows will then encrypt that file or folder immediately. Windows Explorer displays encrypted files in green.

Then, when you access the file, Windows will automatically decrypt it; there's no need for passwords other than your Windows login password. The built-in encryption ties the file to that particular PC, so if someone copies the file to another machine, the file will be unreadable. However, someone else could read the encrypted file just by sitting down at your computer while it's logged in to your account.

Third-Party Encryption Software

Regardless of whether you use WinXP Pro, Win2000, or another OS (operating system), you can use third-party software to encrypt your files. For example, PGP ( is a popular and very secure encryption utility. You can use it to encrypt individual files, the contents of a folder, or even individual email messages. (In the case of email, the recipient also must use PGP or a compatible utility to decrypt them.) The program costs $50 for individual users (personal license). More advanced (and more expensive) versions of PGP are available for enterprise users. In addition, there is a free version, PGP Freeware (, available for non-business use. PGP Freeware can encrypt individual files and email messages, but it can't encrypt entire directories.

Another third-party choice for file encryption is Windows Privacy Tools (free; Like PGP, Windows Privacy Tools (also known as WinPT) will encrypt files and email messages.

Both programs utilize a type of cryptography in which every user has two keys, one public and one private. You encrypt a file or message with the intended recipient's public key, but the recipient can only decrypt that file using his private key. If it sounds complicated, well, it is a little complicated. PGP does a fairly good job of insulating you from the behind-the-scenes technology, whereas WinPT isn't as full-featured and polished so it doesn't quite provide users with the same ease of use. Even so, for users on a budget, WinPT gets the job done.

Unlike the built-in encryption of WinXP Pro and Win2000, PGP and WinPT are portable, meaning you'll be able to decrypt your files from a notebook computer, a Macintosh, or a PC running Linux-if you have the proper password(s), of course. In addition, both programs are very secure; as long as you pick a strong password(s), even an accomplished cracker (experienced computer user who uses his skills for malicious and/or illegal purposes) won't be able to decrypt your data. (For more information about choosing passwords, see the "How To Choose Effective Passwords" sidebar.)

AxCrypt (free; is another option for encrypting files. After you install the program, right-click any file and choose Encrypt. The program will ask you to supply a password, and it will then encrypt the file. When you double-click the file, you'll be asked for the password again. After you finish typing the correct password, the program will decrypt the file. You can decrypt your files on any other PC with AxCrypt installed; the program runs on Win95/98/Me/NT/2000/XP systems. Although it doesn't have features for encrypting entire directories or email messages, AxCrypt is much easier to use than PGP or WinPT. So, if you only need to keep a few files from prying eyes, AxCrypt is perfect for the job.

Folder Security Software

Another way to keep scalawags at bay is to use folder security software to hide or password-protect your sensitive documents. Folder Guard ( is one such tool; it can make folders and files invisible, lock them with a password, and make it impossible for other users to delete them. Folder Guard doesn't encrypt your files; instead, it protects them by hiding and locking them down. Setting up Folder Guard for the first time can be tricky, so be sure to read the manual. But once you set it up, it will keep your files protected from outsiders. (There is one limitation you should be aware of, however; see the "Prevent Boot Hijacking" sidebar for more details.)

The $39.95 Standard version works with Win95/98/Me/XP Home and delivers a strong level of protection for home users. The $69.95 Professional version adds advanced features and support for WinNT4/2000/XP Pro. Free trial versions also are available to download.

Lock Up Tight

Of the methods we discussed, it might be best to use a combination of them. For instance, create multiple Windows accounts to keep other users from accidentally opening your files and use encryption or folder security software just in case someone purposely tries to access your private data.

Still, software can't do it alone; you also have to take responsibility for your files. Read the manuals so you understand how your security software works. Remember to re-encrypt your sensitive files when you finish working in them and log out of your account before you walk away from your PC.

Your computer doesn't need to be as impenetrable as Fort Knox. It's much more convenient to just secure the few files and/or directories that contain your confidential information. That way, the babysitter will be able to use your computer for homework but won't be able to peruse your financial statements for extra credit.

Sidebar: Prevent Boot Hijacking

A problem with many file security tools, including Folder Guard ($39.95 Standard version, $69.95 Professional version; guard) and Windows' own password login method, is that they depend on booting from your hard drive to work. If a person is determined to read or steal your files, all he has to do is boot your PC to a floppy or optical drive because your OS (operating system) and its protective systems aren't in control at that point. The intruder then can browse your hard drive and view and delete files at will (although encrypted files will remain unreadable).

By editing the PC's BIOS (Basic Input/Output System) configuration, you can prevent it from booting from any drive other than the hard drive. Many systems are set up to check floppy or optical drives before booting from the hard drive.

To access the BIOS setup utility, press a designated key (often the DELETE, ESC, or F2 key) when your computer begins booting. (The information screen that appears when you first turn on your PC will indicate which key you should press to access the utility.) In a moment, you'll see the main menu of the BIOS setup utility display. Use the keyboard to navigate the various settings the utility includes.

The BIOS setup utility lets you change the order in which the PC looks for bootable devices. Locate the setting that controls the boot device priority. You can change your system's configuration so it only boots from the hard drive, thereby ignoring floppy disks and other removable media.

At this time, the intruder could simply change the BIOS settings back again to boot from a floppy, so use the BIOS setup utility's command to create a BIOS setup password; the intruder won't be able to change your BIOS settings without that password. You also may want to set up a second password: the user or system password. If set, someone will have to type this password before the PC will boot at all.

Please note that making these changes in the BIOS setup utility could cause you extra frustration later and become a major inconvenience if your PC crashes. If you need to use a startup disk or the installation CD-ROM to get your system up and running again, you'll have to run the BIOS setup utility, enter the password, and add the floppy and optical drives back to the boot process.

Unfortunately, BIOS passwords aren't a universal remedy. If the intruder can open your computer case and access the motherboard, he can reset the passwords or remove your hard drive and browse your files using another computer. Then again, if there are people out there who would go to such lengths to access your confidential information, we're sure you have other concerns you probably should focus on, as well.

Sidebar: How To Choose Effective Passwords

A password should be hard to guess, yet easy to remember. After all, your password is usually the only thing that stands between your private information and the prying eyes of nosy co-workers, curious children, crackers (experienced computer users who use their skills for malicious and/or illegal purposes), and the outside world at large. So be sure to create passwords that other people won't be able to guess.

An easy-to-guess password is a word that anyone who knows you (or anyone who can dig up information about you) might try. Your dog's name, your birthday, your street address, your favorite color . . . passwords such as these provide almost no protection against snooping.

In fact, your password shouldn't be any word that's in the dictionary or even a variant of a dictionary word. A serious cracker won't bother typing password guesses by hand, either. Depending on the system you're using, he might be able to use a program that automatically tries millions of password combinations. One common password method for Unix systems, for example, tries every word in the dictionary, then tries entering them backward, then tries using words with the vowels removed, then tries inputting words followed by a number, as well as dozens of other variations. Chances are good that this type of method would crack your simplistic password in no time.

An effective password includes a combination of lowercase and uppercase letters, along with numbers and punctuation. Web-based password generators, such as's Password Generator ( and Jupitermedia's Password Generator (, will create random-character passwords that are difficult to guess, but they're also difficult to remember. A pronounceable password generator, such as's Password Generator ( and Linuxbuilt's Password Generator ( will create passwords that are easier to remember because they resemble real words. For example, "par0buxa" and "atiorize" are a couple of the passwords we received.

Another good way to create hard-to-guess, hard-to-crack passwords is to base passwords on long phrases or song lyrics. For instance, the memorable phrase "drove the Chevy to the levy but the levy was dry" might become "dtC2tLbtLwd!," which uses uppercase and lowercase letters, as well as numbers and punctuation.

Reprinted with permission from PC Today magazine.

Articles by Kevin Savetz