Is it safe to store my passwords in an encrypted .7z/.zip by 7-zip?

11

4

Here is what I do:

Type in all kinds of passwords in an Excel file (.xlsx)

Zip it with a password using 7-zip

  • AES 256

  • length > 8

  • combination of A-Z a-z 0-9 symbols

  • different from any other password

Upload it to Dropbox or so.

Is it safe enough, as I do not want to install any additional software specifically for storing passwords? (I mean, if I insist on no additional software, are there any safer ways?)

To be a little bit more specific:

Scenario 1:

Basically I guess no one will be interested in my passwords. Is it safe enough to prevent some casual attacks (for fun maybe) by hackers?

Scenario 2:

If the government is interested in me, and my computer may be taken, is it safe?


SUMMARY

The guy asking this question is paranoid and quite lazy (to install additional software).

AES-256 (the encryption method used by 7-zip) is nice enough to prevent any casual attempts, according to Biglig, Randolf Richardson and MaQleod.

KeePass is recommended by pepoluan in case I am not that lazy. An extended list for password management can be found in a related question on this site: How do you keep track of all your passwords?, in which KeePass is the top voted.

TrueCrypt is recommended for encryption by Darokthar.

For scenario 2 (the government thing), Rubber-hose cryptanalysis should not be underestimated (contributed by grawity).

The question is still open to better answers. No extra password-/encryption-specific software.

user69835

Posted 2011-03-07T06:52:07.917

Reputation:

2

What are your attack scenarios, i.e. what do you want to protect against? Computer-illiterate siblings or foreign (or your own) governments? – Daniel Beck – 2011-03-07T07:05:01.100

@Daniel Beck I don't know. You can consider me as paranoid. I just want to feel safe generally. – None – 2011-03-07T07:58:29.037

1

In case of scenario 2, never underestimate the effectiveness of rubber-hose cryptanalysis.

– user1686 – 2011-03-07T10:45:43.180

Answers

4

I'd personally use KeePass.

Not only does KeePass have a portable version (that you can run straight off of a UFD), it's a full-featured password database, with an 'auto-type' feature so no one needs to see what your password is.

pepoluan

Posted 2011-03-07T06:52:07.917

Reputation: 962

I know KeePass, which is mentioned in another question in this site. I just wonder if I insist no additional software.... – None – 2011-03-07T09:45:10.933

1

Hmmm... no additional software, eh? Well, when you un-encrypt your password file, you will probably use Notepad to see its content; someone can peek over your shoulder. Then you'd do a copy-paste; some spyware/keylogger might be watching the clipboard. KeePass keeps your password hidden, plus it can bypass Ctrl-V loggers: http://keepass.info/help/v2/autotype_obfuscation.html

– pepoluan – 2011-03-08T10:36:44.400

6

7-zip uses AES-256, which is rated acceptable for TOP SECRET documents by the NSA.

Assuming you use a strong pass-phrase that should be more than enough to persuade the attacker not to bother with trying to crack the file, but to move on immediately to beating it out of you with a wrench.

Biglig

Posted 2011-03-07T06:52:07.917

Reputation: 339

3

Ha ha! That comment about the wrench is hilarious. If this happens, I strongly recommend refraining from saying something like "Oh, hello Mr. Fix It!" – Randolf Richardson – 2011-03-07T11:44:13.720

1

7zip's AES is plenty for scenario one. – Biglig – 2011-03-15T16:08:49.423

Scenario 2, encryption strength is not the problem. Depends where you are, but in my jurisdiction the cops can put me in jail if I do not tell them my password. I don't think you can make something proof against the government and stay lazy. – Biglig – 2011-03-15T16:14:37.407
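Biglig's answer and the question itself both turn on passphrase strength, and the two containers the question names (.7z and .zip) turn that passphrase into an AES key in quite different ways. The following is an added example, not code from this thread or from 7-Zip: it re-implements both key schedules as I understand them from the 7-Zip sources and the WinZip AES specification (the .7z schedule is one SHA-256 over salt, the password as UTF-16LE and an 8-byte counter, iterated 2^19 times; the .zip AES schedule is PBKDF2-HMAC-SHA1 with 1000 iterations) and shows how much work each adds to every guess of a password that meets the asker's policy. The 95-character alphabet and the 1e9 hashes-per-second figure are assumptions for the arithmetic, not measurements, and the function names are mine.

```python
import hashlib
import math

# Work factor per password guess imposed by each container's key derivation.
# Assumed here from the 7-Zip sources (NumCyclesPower 19 for .7z) and the
# WinZip AE-2 specification (1000 PBKDF2 iterations) for .zip-with-AES.
SEVENZIP_CYCLES_POWER = 19          # .7z: SHA-256 iterated 2**19 times
ZIP_AES_PBKDF2_ITERATIONS = 1000    # .zip (WinZip AE): PBKDF2-HMAC-SHA1


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def sevenzip_derive_key(password: str, salt: bytes = b"",
                        cycles_power: int = SEVENZIP_CYCLES_POWER) -> bytes:
    """Re-implementation (assumed, not 7-Zip's code) of the .7z AES key
    schedule: a single SHA-256 fed (salt || password as UTF-16LE || 8-byte
    little-endian counter) 2**cycles_power times.  7-Zip writes an empty
    salt by default, so the password alone determines the key."""
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + counter.to_bytes(8, "little"))
    return h.digest()


def zip_aes_key_material(password: str, salt: bytes, key_bytes: int = 32):
    """WinZip AES key schedule used by the .zip container (assumed):
    PBKDF2-HMAC-SHA1, 1000 iterations, giving the AES key, the HMAC key
    and a 2-byte password verifier."""
    km = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             ZIP_AES_PBKDF2_ITERATIONS, 2 * key_bytes + 2)
    return km[:key_bytes], km[key_bytes:2 * key_bytes], km[2 * key_bytes:]


def effective_bits(entropy_bits: float, prf_calls_per_guess: int) -> float:
    """Password entropy plus the extra work the KDF imposes per guess,
    expressed in bits relative to a single hash call."""
    return entropy_bits + math.log2(prf_calls_per_guess)


def years_to_exhaust(bits: float, hash_calls_per_second: float) -> float:
    """Wall-clock years needed to try every password of a given strength
    at a given hashing rate."""
    return 2 ** bits / hash_calls_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The asker's policy: more than 8 characters over A-Z, a-z, 0-9 and
    # symbols.  95 printable ASCII characters and 9-character length assumed.
    pw_bits = password_entropy_bits(9, 95)
    print(f"password policy: {pw_bits:.1f} bits")
    for label, calls in ((".7z", 1 << SEVENZIP_CYCLES_POWER),
                         (".zip AES", ZIP_AES_PBKDF2_ITERATIONS)):
        eff = effective_bits(pw_bits, calls)
        print(f"{label:9s} {eff:5.1f} effective bits, "
              f"{years_to_exhaust(eff, 1e9):.1e} years at 1e9 hashes/s")
    # Both schedules are deterministic for a given password and salt.
    print(sevenzip_derive_key("correct horse").hex())
    print(zip_aes_key_material("correct horse", bytes(16))[2].hex())
```

The practical reading: the .7z container makes each guess cost about 2^19 hash calls where the .zip container's AES mode costs about 2^10, so the same passphrase is worth roughly nine more bits inside a .7z archive. Neither schedule substitutes for a long random passphrase, which is what the answers keep coming back to, and a KeePass-style database exists precisely so the passphrase is the only secret you have to remember.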

3

If AES-256 encryption is safe enough, then 7-Zip will do that. It also provides an additional option to encrypt the filenames. If you're encrypting your data, you should probably encrypt the filenames, too.

Randolf Richardson

Posted 2011-03-07T06:52:07.917

Reputation: 14 002

Actually, I just name the file as homework or so.... – None – 2011-03-07T09:43:56.957

@Nate Bross, or so. I am not that stupid.... – None – 2011-03-08T01:13:21.817
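Randolf Richardson's point about file names can be checked concretely. The .zip container keeps its central directory, including every entry's name, in the clear no matter which cipher protects the entry bodies; only the .7z format can encrypt the headers as well (7-Zip's -mhe=on switch). The following is an added example, not code from this thread, from 7-Zip or from Python's own test suite: it builds a one-entry password-protected .zip in memory and then lists it with the standard zipfile module without supplying the password. It uses the legacy PKWARE ZipCrypto stream cipher only because that is the one the standard library can read back without extra packages; that cipher is weak and is not 7-Zip's AES mode. The file name, sample content, password and timestamp are all constructed for the demonstration.

```python
import io
import os
import struct
import zipfile
import zlib


class ZipCrypto:
    """Legacy PKWARE 'traditional' stream cipher, written out here only to
    produce a readable archive with the standard library.  It is weak and
    is not what 7-Zip's AES option uses; the point is the container."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    @staticmethod
    def _crc32_step(crc: int, byte: int) -> int:
        # One-byte CRC-32 table step without the usual pre/post inversion,
        # which is the form the ZipCrypto key schedule uses.
        return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, byte: int) -> None:
        k = self.k
        k[0] = self._crc32_step(k[0], byte)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = self._crc32_step(k[2], k[1] >> 24)

    def _stream_byte(self) -> int:
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)
        return bytes(out)


def build_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Minimal single-entry .zip: stored (uncompressed) body, encrypted, with
    the file name in the clear in both local header and central directory."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte,
    # which readers use to reject a wrong password before touching the body.
    body = ZipCrypto(password).encrypt(
        os.urandom(11) + bytes([(crc >> 24) & 0xFF]) + plaintext)
    fname = name.encode("ascii")
    flags, method = 0x0001, 0           # bit 0 = encrypted; method 0 = stored
    dos_time, dos_date = 13956, 15975   # constructed: 2011-03-07 06:52:08
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(plaintext),
                        len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, dos_time, dos_date, crc, len(body),
                          len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def names_without_password(archive: bytes) -> list:
    """What anyone holding the file can read: the directory listing."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def read_with_password(archive: bytes, name: str, password: bytes) -> bytes:
    """Only the entry body needs the password (and a wrong one is rejected)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=password)


if __name__ == "__main__":
    # Constructed sample; the real content would be the .xlsx bytes.
    archive = build_encrypted_zip("passwords.xlsx", b"site,user,secret\n", b"hunter2")
    print(names_without_password(archive))   # ['passwords.xlsx'], no password needed
    print(read_with_password(archive, "passwords.xlsx", b"hunter2"))
```

So renaming the file to "homework" hides the purpose of the archive, but a .zip still announces what it contains; if the inner names matter, use the .7z container with header encryption on, or put the sheet inside a container format (TrueCrypt volume, KeePass database) whose on-disk structure says nothing at all.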

1

It depends on your .zip program whether the encryption is secure. I would suggest using Truecrypt instead. You could create an encrypted file and store your Excel file in it. For passwords I'd think it is better to have strong passwords and write them down than to use weak passwords. As long as your system is not compromised and you are using a strong password for your Truecrypt file it should be pretty safe. But I would save no online banking data in it.

If your system is compromised by a key logger it might even be better to use stored passwords than typing them in with the keyboard. But I would only use the Truecrypt file in the Dropbox for backup reasons. I don't know if Dropbox uses a secure connection; if they don't, the password and the file could be sniffed by an attacker, especially if you are using WiFi hotspots or a shared network.

Daniel Beck is right, too. You have to consider the attack scenario. If you are working for a company and have secret data it might not be a good solution, but for a normal user it is quite ok. You should change your passwords regularly though. Maybe every month or every two months. Just to be sure.

Darokthar

Posted 2011-03-07T06:52:07.917

Reputation: 1 361

I do not know about Truecrypt. 7-zip uses AES-256. To what extent is it weaker than Truecrypt? – None – 2011-03-07T09:42:47.517

Dropbox uses HTTPS for sync. – None – 2011-03-07T09:43:08.983

@Dante Jiang If Dropbox uses HTTPS this should be safe as long as both sides are not compromised (your box and the Dropbox server). Truecrypt is an encryption program. You could basically encrypt any file with it, by putting the file in a Truecrypt container. Afterwards you can mount the file like a device (it becomes LETTER: in Windows Explorer). Then you can open the encrypted files normally. With Truecrypt you can select which algorithm to use and you can put encrypted files in encrypted files. Furthermore you could use certificates as encryption passwords (if you are paranoid). – Darokthar – 2011-03-07T15:18:28.277

0

Safe-enough is relative, but generally speaking, it would not be considered secure at all and would not be advisable.

MaQleod

Posted 2011-03-07T06:52:07.917

Reputation: 12 560

2

AES 256 is good, it will prevent the average user from attempting anything. If the passphrase is strong enough then you shouldn't have to worry about even more advanced attacks. I just don't agree with storing passwords on a third party service, regardless of the encryption used. – MaQleod – 2011-03-07T09:48:14.440