43
10
In modern zip utilities like 7zip, you can specify a password when creating a .ZIP file. But, how secure is this? What encryption algorithm(s) are used to secure password-protected zip files?
39
7-zip uses AES-256 encryption for 7z/zip archives.
http://7-zip.org/7z.html says:
7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.
The help files of 7-zip say this about the security of a passworded 7z file:
5
Brute force attacks are a waste of time. I won't go into details why, I will instead direct you to Jeff Atwood's blog, he has an excellent post.
0
As secure as the length of the password:
From my personal experience trying to crack 7zip password-protected files by the combo of dictionary and brute-force attack, the way to go is:
(idiot123) 10^3*200k
(Boston777) 10^3*200k
If above didn't fly you have less than 1 in 10 to crack with following (using cRARk).
All numbers (0-9) 9 digits long (10^9) - will take about a day, will unlock all pins (4-5 digits) and all dates (20191111, 10102019)
Latin lower and digits (a-z0-9) 6 symbols (25^6) will take about 2 days, have cracked some this way (asdfaf)
Latin lower and upper and digits and . and - (a-zA-Z0-9.-) 5 symbols (60^5) will take another day, have scored some (A.1983)
After this point, it's a longshot (Nowadays I stop here)
After this point just give up, lol
7 Brute force attacks aren't always a waste of time, most users don't put an awful lot of thought into passwords, and a dictionary attack against the password they use can be a very effective way to decrypt a file. A brute force attack is only a waste of time (at present it becomes easier by the year) against a secure key. – Mike1980 – 2010-04-10T17:21:41.687
5 A brute force attack is a waste of time. Dictionary attacks are not brute force, and are a LOT faster than trying every possible combination of a set of characters up to a specific length. – Mircea Chirea – 2010-04-10T21:10:34.853
+1 For posting a link to a blog with a link to a blog that discusses an email that pertains to the original question. – Oorang – 2010-07-25T00:36:58.067
@Oorang, I did that on purpose :P – Mircea Chirea – 2010-07-26T07:26:56.420
@iconiK, And it was awesome. – Oorang – 2010-07-26T16:24:19.507
Jeff Atwood is a smart guy, but his article was written in 2006, and he didn't quite have a grasp of the fundamentals like we do now with dictionary attacks, password frequency, rainbow tables, etc. – zylstra – 2018-02-02T20:05:56.117
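The iterated SHA-256 key derivation described in the 7-zip.org quote above, as an added example that is not part of the original answers or 7-Zip's own code. The round layout (salt, UTF-16LE password, 64-bit counter), the 2**19 round count and all function names are assumptions modelled on the 7z format, and the password policies are constructed samples.

```python
import hashlib
import struct
import time

def derive_key(password: str, salt: bytes = b"", cycles_power: int = 19) -> bytes:
    """Iterated SHA-256 stretch: one running hash fed 2**cycles_power rounds
    of salt || UTF-16LE password || 64-bit little-endian round counter."""
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + struct.pack("<Q", counter))
    return h.digest()  # 32 bytes, used as the AES-256 key

def exhaust_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly `length` symbols."""
    return alphabet ** length / guesses_per_second

def measure_rate(cycles_power: int = 19) -> float:
    """Key derivations per second on this machine (single thread, pure Python)."""
    start = time.perf_counter()
    derive_key("constructed-sample", b"", cycles_power)
    return 1.0 / (time.perf_counter() - start)

if __name__ == "__main__":
    rate = measure_rate()
    print(f"{rate:.1f} key derivations/s at 2**19 rounds")
    # Constructed password policies: (label, alphabet size, length)
    for label, alphabet, length in [("9 digits", 10, 9),
                                    ("8 lower+digits", 36, 8),
                                    ("12 mixed+digits", 62, 12)]:
        days = exhaust_seconds(alphabet, length, rate) / 86400
        print(f"{label:16} {alphabet ** length:.2e} candidates, {days:.2e} days")
```

The measured rate is for unoptimized Python, and optimized native or GPU implementations are far faster, so read the output as a relative comparison between password policies rather than as an absolute protection time.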