* Can you password protect FH7 projects?

GeneSniper
Superstar
Posts: 388
Joined: 06 Dec 2016 20:40
Family Historian: V7
Location: East Kilbride, Lanarkshire, UK

Can you password protect FH7 projects?

Post by GeneSniper »

I had a few emails from Microsoft about 'Unusual sign-in activity' over the last week or so (Ends up it was to do with my wife who was on holiday), but it got me thinking about my Family Trees. What if someone did get access to my PC, they would have access to my family tree which has quite a bit of personal information in it including birth & marriage certificates etc and the information on them. It then got me thinking about how could I protect this information? Is there a way to password protect projects and backups?

In this day and age when most things are done online, applying for most things just requires digital copies of proof of ID, not the physical hard copy. I realised that I keep all of this information in the Microsoft Personal Vault on OneDrive (so encrypted behind extra Password & 2 factor protection), only to realise that some of it is stored unencrypted and open to anyone with access to my laptop via my FH7 projects and backups. I am thinking of moving my projects into the Vault, but I am not sure if that will cause issues using FH.
William

* Illegitimi non carborundum *
tatewise
Megastar
Posts: 28594
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK

Re: Can you password protect FH7 projects?

Post by tatewise »

Personally, I would be far more concerned about other more sensitive details held on my PC than BMD Certificates, which are already in the public domain for anyone to retrieve from the GRO.

Various bio and 2-factor authentication methods can already protect PC access.

IMO: The Microsoft 'Unusual sign-in activity' is yet another useful warning about legitimate PC access but in an unusual location. It is very different from access protection.

Perhaps you need to experiment by copying the Family Historian Sample Project to the OneDrive Vault and see how it behaves. I suspect you may have to supply the Vault pass codes each time FH is opened.
I assume you have a OneDrive/MS 365 subscription otherwise OneDrive capacity is limited to 5GB and only 3 files are allowed in the Vault.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
NickWalker
Megastar
Posts: 2648
Joined: 02 Jan 2004 17:39
Family Historian: V7
Location: Lancashire, UK

Re: Can you password protect FH7 projects?

Post by NickWalker »

If your Microsoft account is protected by MFA (multi-factor authentication) and presumably your laptop requires a complex password, or biometrics or long not guessable PIN (6 or more digits) then it would be difficult for someone taking your laptop to access the data. As soon as you realise your laptop has been stolen, logging into your Microsoft account from another device (e.g. your phone), would allow you to change the password and force logout on all devices. Assuming BitLocker (disk encryption) is enabled on your laptop then removing the hard drive won't help the thief either. I would also add that a criminal is very unlikely to be interested in any data in the family tree on your computer. Assuming they can't easily access your credit card details, etc. on the laptop, they would almost certainly be looking to wipe and reformat the drive so it can be quickly sold on. If they do gain access they may also try to send 'phishing' emails (or social media messages) to your contacts to see if they can extract money from them by pretending to be you. But I don't think they will be looking at your family history.
Nick Walker
Ancestral Sources Developer

https://fhug.org.uk/kb/kb-article/ancestral-sources/
Mark1834
Megastar
Posts: 2564
Joined: 27 Oct 2017 19:33
Family Historian: V7
Location: South Cheshire, UK

Re: Can you password protect FH7 projects?

Post by Mark1834 »

Bear in mind how much personal data is already in the public domain - as well as the Civil Registration records, there are also wills (Probate Office), property ownership (Land Registry), full address and month of birth (Companies House for the relatively high proportion of older middle-income people who have some form of directorship - come to think of it, that’s probably this forum profile as well :))…

And that’s without what people publish voluntarily (family trees, LinkedIn and other social media profiles)…
Mark Draper
GeneSniper
Superstar
Posts: 388
Joined: 06 Dec 2016 20:40
Family Historian: V7
Location: East Kilbride, Lanarkshire, UK

Re: Can you password protect FH7 projects?

Post by GeneSniper »

And yet my old employers, old pension supplier (shouldn't have had my information anymore) had a cyber attack and lost less of my information than is held on my family tree. There have been five attempts to use that information to get loans and open accounts from various banks and mobile companies.

I take it from the answers that there is no way to password protect/encrypt a project or backup and my OneDrive Vault solution is probably the only solution.
William

* Illegitimi non carborundum *
NickWalker
Megastar
Posts: 2648
Joined: 02 Jan 2004 17:39
Family Historian: V7
Location: Lancashire, UK

Re: Can you password protect FH7 projects?

Post by NickWalker »

GeneSniper wrote: 02 Jun 2024 15:02
> And yet my old employers, old pension supplier (shouldn't have had my information anymore) had a cyber attack and lost less of my information than is held on my family tree. There have been five attempts to use that information to get loans and open accounts from various banks and mobile companies.
>
> I take it from the answers that there is no way to password protect/encrypt a project or backup and my OneDrive Vault solution is probably the only solution.

There is a big difference between a pension supplier, an organisation with a database of thousands of people of monetary value and an individual who had a computer with some family history data on it.

As I said in my answer, your data is already password protected and hopefully MFA protected and encrypted.
Nick Walker
Ancestral Sources Developer

https://fhug.org.uk/kb/kb-article/ancestral-sources/
tatewise
Megastar
Posts: 28594
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK

Re: Can you password protect FH7 projects?

Post by tatewise »

Correct, there is no mechanism in FH to encrypt Projects or their Backups.
There are free software packages that encrypt files, but since OneDrive Vault is already available why not use it?
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
GeneSniper
Superstar
Posts: 388
Joined: 06 Dec 2016 20:40
Family Historian: V7
Location: East Kilbride, Lanarkshire, UK

Re: Can you password protect FH7 projects?

Post by GeneSniper »

NickWalker wrote: 02 Jun 2024 17:09
> There is a big difference between a pension supplier, an organisation with a database of thousands of people of monetary value and an individual who had a computer with some family history data on it.
>
> As I said in my answer, your data is already password protected and hopefully MFA protected and encrypted.

You should check out your Recent Sign-In Activity on your Microsoft Account; it may shock some. As you said I am not a giant pension company with thousands of people on my PC but here is a screenshot of who is interested in getting in to have a look.
[Attachment: Screenshot 2024-06-03 160833.png]
I feel my data is quite secure with everything I do but another level of security on a database with personal information of many people on it is maybe not a bad thing.
William

* Illegitimi non carborundum *
GeneSniper
Superstar
Posts: 388
Joined: 06 Dec 2016 20:40
Family Historian: V7
Location: East Kilbride, Lanarkshire, UK

Re: Can you password protect FH7 projects?

Post by GeneSniper »

FYI

I spoke to someone I know who works for Microsoft and his advice that he would give to anyone is to set a new never used before alias on your email account and if it's Outlook.com then make it your Primary login address for your Microsoft Account and never use it for anything other than signing in to your Microsoft account. That way the email address is never in the wild through any means, unscrupulous vendor, cyber attack etc (unless of course it is MS who get hacked :shock:). That way no one is going to get your login email address and start probing lots of accounts.
William

* Illegitimi non carborundum *
Anthias
Newbie
Posts: 3
Joined: 17 May 2021 22:22
Family Historian: V7

Re: Can you password protect FH7 projects?

Post by Anthias »

That's also why I use throw-away email addresses rather than just one email for everything. I am using over 300 different email addresses and counting, just another level of security.

Also, I use a password manager so all of my passwords are usually 16 random characters and letters.
davidf
Megastar
Posts: 956
Joined: 17 Jan 2009 19:14
Family Historian: V6.2
Location: UK

Re: Can you password protect FH7 projects?

Post by davidf »

Anthias wrote: 03 Jun 2024 16:17
> ...
> Also, I use a password manager so all of my passwords are usually 16 random characters and letters.

If using a password manager, there is no harm in going for more than 16 characters, password cracking routines are getting faster and faster and with truly random characters you just cycle through all possibilities...

If I was writing such a routine, I would get it to
try all 8 character combinations
try all 12 character combinations
try all 16 character combinations
and so on for all the commonly recommended password lengths

A 43 character password might be more difficult (timewise) to crack and in terms of cracked passwords per second of machine time not very effective - when trying to crack 12 or 16 character passwords may give a greater yield?

David
David
Running FH 6.2.7. Under Wine on Linux (Ubuntu 22.04 LTS + LXDE 11)
NickWalker
Megastar
Posts: 2648
Joined: 02 Jan 2004 17:39
Family Historian: V7
Location: Lancashire, UK

Re: Can you password protect FH7 projects?

Post by NickWalker »

davidf wrote: 07 Jun 2024 12:44
> If using a password manager, there is no harm in going for more than 16 characters, password cracking routines are getting faster and faster and with truly random characters you just cycle through all possibilities...
>
> If I was writing such a routine, I would get it to
> try all 8 character combinations
> try all 12 character combinations
> try all 16 character combinations
> and so on for all the commonly recommended password lengths
>
> A 43 character password might be more difficult (timewise) to crack and in terms of cracked passwords per second of machine time not very effective - when trying to crack 12 or 16 character passwords may give a greater yield?
>
> David

But assuming the email account or MS/Apple/Google, etc. login is protected by MFA, trying passwords won't work unless you've authorised them with your MFA phone app (or with your physical key, etc.). And even if you did somehow get past the MFA, the account will lock out for a while after a number of failed login accounts. So a 16 character password with MFA should be very safe. There is far more danger in someone fooling you into entering your password into a fake website or tricking you into accepting an MFA request via phishing. It's generally the users who are the weakest link in the security chain.
Nick Walker
Ancestral Sources Developer

https://fhug.org.uk/kb/kb-article/ancestral-sources/
NickWalker
Megastar
Posts: 2648
Joined: 02 Jan 2004 17:39
Family Historian: V7
Location: Lancashire, UK

Re: Can you password protect FH7 projects?

Post by NickWalker »

And actually even if you just had a 16 character random password and there was no MFA or lockouts to stop you, then assuming the characters can be upper, lower, digits and other characters, with current computers it would take trillions of years to crack. The combinations are just too massive. If you just used capitals it might take just a few thousand years.
Nick Walker
Ancestral Sources Developer

https://fhug.org.uk/kb/kb-article/ancestral-sources/
GeneSniper
Superstar
Posts: 388
Joined: 06 Dec 2016 20:40
Family Historian: V7
Location: East Kilbride, Lanarkshire, UK

Re: Can you password protect FH7 projects?

Post by GeneSniper »

NickWalker wrote: 07 Jun 2024 16:52
> And actually even if you just had a 16 character random password and there was no MFA or lockouts to stop you, then assuming the characters can be upper, lower, digits and other characters, with current computers it would take trillions of years to crack. The combinations are just too massive. If you just used capitals it might take just a few thousand years.

It only takes thousands or trillions of years if it is the last guess, they could always hit the jackpot first guess. I always laugh when these figures get bandied about, remember it's a 1:45,000,000 chance of winning the Lotto, but someone eventually wins it and they only have one or two lines. So without MFA a 100 letter password is crackable with a lucky guess.

I started this topic thinking about my information on my laptop, but over the last few days I have also thought about transporting it (I do use an encrypted memory key, but others may not) and that is where a password protected tree would be most beneficial.
William

* Illegitimi non carborundum *
NickWalker
Megastar
Posts: 2648
Joined: 02 Jan 2004 17:39
Family Historian: V7
Location: Lancashire, UK

Re: Can you password protect FH7 projects?

Post by NickWalker »

GeneSniper wrote: 07 Jun 2024 19:54
> NickWalker wrote: 07 Jun 2024 16:52
> > And actually even if you just had a 16 character random password and there was no MFA or lockouts to stop you, then assuming the characters can be upper, lower, digits and other characters, with current computers it would take trillions of years to crack. The combinations are just too massive. If you just used capitals it might take just a few thousand years.
>
> It only takes thousands or trillions of years if it is the last guess, they could always hit the jackpot first guess. I always laugh when these figures get bandied about, remember it's a 1:45,000,000 chance of winning the Lotto, but someone eventually wins it and they only have one or two lines. So without MFA a 100 letter password is crackable with a lucky guess.

I'm sorry that's just not comparable. You are more likely to win the lottery jackpot for many weeks in a row than to guess a 100 letter password. It is so close to being impossible that it is not something you or anyone would ever need to worry about!

> I started this topic thinking about my information on my laptop, but over the last few days I have also thought about transporting it (I do use an encrypted memory key, but others may not) and that is where a password protected tree would be most beneficial.

How long would the password be that you would be using to protect the file? What if someone guesses it on the first try?
Nick Walker
Ancestral Sources Developer

https://fhug.org.uk/kb/kb-article/ancestral-sources/
Mark1834
Megastar
Posts: 2564
Joined: 27 Oct 2017 19:33
Family Historian: V7
Location: South Cheshire, UK

Re: Can you password protect FH7 projects?

Post by Mark1834 »

It's easy for people with (presumably) no training in mathematics or statistics to bandy around these large numbers without any real understanding of their magnitude, but to put it into context, even a 12 character random password based on 50 different characters (numbers, letters, punctuation) has more possible combinations than there have been seconds since the creation of the universe.

I don't worry about genuine random passwords being guessed. As Nick rightly emphasises, I do guard against the much more significant risks - me, sites that have my password being hacked, my phone SIM being cloned (which can nullify TFA), etc, etc....
Mark Draper
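
Added example, not part of any post in this thread: the figures exchanged above (12 characters from 50 symbols, 16 random characters, capitals only, a 100 letter password, the 1:45,000,000 Lotto odds, three tries at a 4 digit PIN) worked through in code. The guessing rate of 10^12 per second, the 94-symbol printable alphabet and the 26-letter alphabet for the "100 letter" case are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_SECONDS = 13.8e9 * SECONDS_PER_YEAR  # roughly 13.8 billion years
LOTTO_ODDS = 45_000_000   # the 1:45,000,000 figure quoted in the thread
ASSUMED_RATE = 1e12       # assumption: offline guesses per second
PRINTABLE = 94            # assumption: upper, lower, digits and symbols


def keyspace(alphabet, length):
    """Exact number of equally likely passwords of this length."""
    return alphabet ** length


def entropy_bits(alphabet, length):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet)


def hit_probability(alphabet, length, guesses):
    """Chance that `guesses` distinct tries include a uniformly random password.
    Guessing order is irrelevant: every individual try succeeds with 1/N."""
    total = keyspace(alphabet, length)
    return min(guesses, total) / total


def years_to_exhaust(alphabet, length, rate=ASSUMED_RATE):
    """Worst case at `rate` guesses/second; the expected time is half of this."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_YEAR


def equivalent_lotto_wins(alphabet, length, odds=LOTTO_ODDS):
    """Consecutive jackpots (one line each) as unlikely as a correct first guess."""
    return entropy_bits(alphabet, length) / math.log2(odds)


if __name__ == "__main__":
    cases = [
        ("12 chars from 50 symbols", 50, 12),
        ("16 chars, printable set", PRINTABLE, 16),
        ("16 chars, capitals only", 26, 16),
        ("100 letters (26 assumed)", 26, 100),
    ]
    for label, a, n in cases:
        print(f"{label:26} {entropy_bits(a, n):6.1f} bits  "
              f"exhausted in {years_to_exhaust(a, n):.3g} years  "
              f"first guess ~ {equivalent_lotto_wins(a, n):.1f} jackpots in a row")
    print("12-of-50 keyspace / seconds since the Big Bang:",
          round(keyspace(50, 12) / UNIVERSE_AGE_SECONDS))
    print("4-digit PIN, 3 tries:", hit_probability(10, 4, 3))
```

Changing `ASSUMED_RATE` scales the exhaustion times linearly; the hit probabilities and the lottery comparison do not depend on it.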
GeneSniper
Superstar
Posts: 388
Joined: 06 Dec 2016 20:40
Family Historian: V7
Location: East Kilbride, Lanarkshire, UK

Re: Can you password protect FH7 projects?

Post by GeneSniper »

Guys

I wasn't having a go at anyone's figures, I was just pointing out that you have to start somewhere when guessing and if that somewhere is your password then it's done in one guess. If every algorithm started at (a) then we would all start our passwords with a (z). I fully understand that if I was someone going to try and crack a password and thought about how many combinations there are, I'd just go out pinching iPhones from clots who leave them lying on tables or their back pockets :D. Even the thought of how many possible guesses you have got to make at a 4 digit pin on a bank card should be enough to put someone off, but the scrotes will still have their 3 guesses, just in case they hit the jackpot.

I really don't think someone would bother with my family tree if it was encrypted and had an 8 character password on a laptop with no password but I do think they would be interested in one with no password.
William

* Illegitimi non carborundum *
mjashby
Megastar
Posts: 727
Joined: 23 Oct 2004 10:45
Family Historian: V7
Location: Yorkshire

Re: Can you password protect FH7 projects?

Post by mjashby »

This subject seems to have exercised minds greatly, but I'm not sure I get it at all, especially as the specific merits (or otherwise) of passwords seem to me to be largely irrelevant.

If someone wants to encrypt any data then there is no shortage of options, many being 'free' to use and highly reliable if set up correctly; plus, of course, providing that the user data is stored in the locations recommended by software and operating system providers, all user data should already be protected by a "strong system password"; and/or possibly additional bio-metric data (fingerprint recognition, facial recognition, image recognition, other 2 X Factor Authentication etc., etc.). In contrast, backups saved to external media may often be completely open to scrutiny (unencrypted), even when the PC-based data is far more heavily protected by encryption. It's just my opinion, but specifically encrypting a family history database, without it being part of a much more comprehensive data protection 'system', would be a complete and frustrating waste of a user's time and effort.

What proportion of users would be likely to accept the experience of having to enter a specific decryption key every time they launch an application that is capable of viewing or editing a family history data file, or any of the media linked to that file, bearing in mind that Family Historian and many other family history applications do store their data in a human readable format and 'potentially sensitive' media may be viewed by a very wide range of applications?

Mervyn