10 Utilities to Secure Your Data

Very few people (certainly not the smart, savvy, people who read PCWorld articles) run their computers without up-to-date firewall and antivirus software. Most users know better than to click a message from "Bank of Amerika" that tells them "Your account is much suspect of risk, please input number for verify." Regardless, there's always a new security hole, exploit, or social-engineering trick that can catch even the intelligent and cautious in a moment of weakness. Another threat is the possibility that someone might gain physical access to your computer--whether it's a laptop thief, a sneaky coworker with dubious intent, or an aggressive lawyer for the RIAA. This feature discusses several ways to keep your digital valuables safe, even if someone is prowling around your house.

(For a convenient list of links to all of the programs described in this article, see our "10 Utilities to Secure Your Data" collection.)

Don't Give Crooks a Free Pass(word)

I wish to publicly confess a venial but pretty dumb sin: I often reuse usernames and passwords. All a malicious hacker has to do is get that combination from an insecure site--say, Gawker Media--and then brute-force it against other sites. (In my defense, my most important accounts--my e-mail, my banking, my Web administration--use unique names and passwords.)

In an era when you have to register a user ID and password to just to tell some random person on the Internet that they're wrong, it's virtually impossible to create passwords that meet the target of being "easy to remember, hard to guess."

Most modern Web browsers have a basic password-save feature, but looking outside the browser to specialized programs is usually a better bet. KeePass, a free and open-source program, offers a lot of tools and options for far more than just Web passwords. It has a nice system of categories (which you can extend with subcategories) for organizing passwords; it also supports third-party plug-ins and even scripts. Thanks to one free/donationware plug-in, Clockwork's Firefox to KeePass Converter, I was able to import all my stored Firefox passwords, which is crucial for getting me to actually use a program like this.

That brings me to Password Safe, another free and open-source tool. Password Safe has an import feature, but it requires that you use its XML or CSV formats, which are not the ones that the most popular password-export plug-ins for Firefox typically use. It claims to support KeePass exports, but I tried both the XML and CSV export formats from KeePass, and neither worked. Password Safe is also less feature-rich than KeePass, and since they're both free, it's hard to give the advantage to Password Safe at this point.

My favorite of the three password-management programs I tested, though, is Sticky Password, which is the only one that costs money (although it does have a 30-day free trial). It has the best browser-integration features, requiring no hoops to jump through and offering support for a wide range of common and obscure browsers. The downside of a commercial program is not just price (which is reasonable, but not cheap, at $30), but risk: Open-source programs have many eyes upon them, looking for exploits and verifying that no backdoors exist. A program in this niche is asking you to put an awful lot of valuable information in one place, and that's a high level of trust when someone is handing you a black box. That said, there's no reason to believe Sticky Password isn't secure and safe; it's up to you to decide what level of paranoia you feel comfortable with.

Password managers and the next category of tools, disk-encryption utilities, share a common strength and flaw: a single point of failure. A password manager has its own master password, of course--and if that becomes known, everything becomes known. Going by the premise that you need to remember only one such password, ever, you can--and should--make a very long and complicated "strong" master password. Don't put it on a sticky note on your monitor, either. If your system is not secured, however, any keylogger or other piece of malware can grab that master password, no matter how cunning it is. Although brute-force attacks are possible if your computer has been physically seized, you're much more likely to face attacks in the form of spyware or social engineering than a supercomputer churning out a million keys a second.

Encryption Reserves Data for Your Eyes Only

Disk-encryption software protects what's on your hard drive by turning it into a mass of unreadable gibberish, something even more difficult to read than the comments section on YouTube. You can use such a tool to encrypt an entire drive, or to create an encrypted file that the computer can then mount as a virtual drive. The encryption software sits between your applications and the encrypted disk, encrypting and decrypting on the fly; the applications are not aware that the information they're using is encrypted.

Usage tip: If a hacker--or, say, just a nosy coworker--acquires access to your computer when an encrypted volume is mounted and the person has the ability to see the volume as a drive, the snoop will be able to read or copy files from the volume just as they would from an unencrypted drive; they may not even know that the drive is encrypted. If the encrypted data is not mounted, however, it appears as an undifferentiated lump of random characters. The following two utilities, BestCrypt and TrueCrypt, both support options to dismount a drive automatically after a user-defined period of inactivity.

Jetico's BestCrypt ($60, free trial) is a commercial encryption package. In its basic form, it offers only container-based encryption; full-disk encryption costs more. BestCrypt contains tools to organize your containers into groups, so you might have many small containers with different passcodes, instead of one big container. TrueCrypt, a free and open-source (donationware) product, lacks such organizational features (though you can make as many volumes as you like), and has a more spartan interface; it gives you full-disk encryption, however, as well as features designed to keep data secure even if you're forced to provide a key. A detailed documentation file covers not just usage information but also explanations for what TrueCrypt does and how it works, letting users make informed decisions about settings and options.

Another free encryption tool, FreeOTFE (On The Fly Encryption), has several features designed to make it particularly useful for situations in which you can't install the software: a "portable mode," which requires administrator access but no installation, and a separate but compatible (can read the same encryption) program called FreeOTFE Explorer that needs no drivers at all. Speaking of drivers, FreeOTFE will work on 64-bit Vista and Windows 7 systems, but because its drivers are not signed and thus run afoul of Windows security, you must jump through quite a few hoops to get them to work, most of which require disabling driver-signature verification.

All of the disk-encryption programs mentioned above support the SISWG IEEE P1619 standard, which is currently considered to provide a balance between speed and resistance to attacks based on tweaking data. In addition, many companies consider compliance with an IEEE standard to be a "checkmark" item when evaluating software. Each of the utilities supports other encryption formats as well; it's best to study your options and understand the strengths and weaknesses of each format, depending on your needs. For most users the default choices will be fine.

Next page: Set your data to self-destruct

Set Your Data to Self-Destruct When You're Done With It

The final component of securing your data is making sure that any files you want dead are really most sincerely dead, and for this task you must turn to disk- and file-removal tools. Using the standard Windows Recycle Bin merely removes the visible reference to the file and marks the space as available; Windows does not truly delete any data until something overwrites that data, and may leave large chunks of recoverable data visible. Those leftover chunks allow undelete and file-recovery tools to work; the trade-off when you use strong file-removal tools is that you won't be able to restore accidentally zapped data easily, unless you've previously backed it up on another source.

"Secure" deletion is the subject of much discussion. A 1996 paper by Peter Gutmann of the University of Auckland produced a value of 35 passes, but these days that number is generally considered far too high due to increases in drive density. The "35 passes" number has become, in the words of the author of the original study, "a voodoo incantation"--but it's often a standard in many workplaces nonetheless. The programs discussed here all support a variety of data-erasure algorithms, including the 35-pass "Gutmann" standard.

The free and open-source File Shredder utility allows you to select files or folders to be deleted, or it can wipe free space with several different algorithms. Although I experienced no issues with it, development on it has ceased, which makes it a risky choice as file formats evolve; new disk formats, security changes, and file systems appear fairly regularly, so a lack of active support can mean security problems. Also free (but not open-source) is CCleaner, a suite of system-scrubbing utilities that sweeps up temp files, cookies, recently opened file lists, Registry clutter, and more. It offers the ability to scrub free space or to wipe complete volumes, as well as the freedom to choose specific files or folders (and specific file types, such as all *.xls files in a given folder) or to exclude specific files from general rules.

The SecureClean commercial package ($50, 15-day free trial) has a wide range of functions arranged around the task of scrubbing unwanted data, from deleted files to Explorer search terms. It produces detailed reports, turning up quite a number of tiny file fragments cluttering up space, some of which contain readable data. It also adds a right-click menu option to erase a file securely, always a nice touch. However, I encountered a fairly serious flaw: When the scanner reached a file with non-English characters in the name, it would simply hang. This problem can manifest in surprising ways; I discovered it because SecureClean balked at the foreign-language templates in a desktop publishing program I use. This is a known bug in SecureClean 4 running on Windows 7 64-bit machines, and the vendor plans to fix it in the upcoming version 5.

Finally, sometimes you just want everything gone, such as when you're recycling or donating an old system. CCleaner has a drive-wipe function, but you might also check out the descriptively named Darik's Boot and Nuke, aka DBAN. This is a straightforward program, as it comes as an ISO disc-image file. You burn the image, and then boot a computer with that disc; the utility then seeks out and destroys all data on the computer's hard drives.

My personal pick for a password tool is Sticky Password, but KeePass is a very close second and might jump ahead over time. TrueCrypt offers all the features I want in disk encryption, at the unbeatable price of "nothing." For secure erasure, I use a feature of Directory Opus (a Windows Explorer replacement) for actual file deletion, but CCleaner's long list of other functions makes it a keeper as well.