How secure are password-protected zip files?
Solution 1
7-zip uses AES-256 encrpytion for 7z/zip archives.
http://7-zip.org/7z.html says:
7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.
The help files of 7-zip says this about the security of a passworded 7z file:
Solution 2
Brute force attacks are a waste of time. I won't go into details why, I will instead direct you to Jeff Atwood's blog, specifically Brute Force Key Attacks Are for Dummies.
Solution 3
As secure as the length of the password:
From my personal experience trying to crack 7zip, password protected files by the combo of dictionary and brute-force attack the way to go is:
- Dictionary attack 200k^1
1.1 dictionary attack with the first letter capitalized 200k^1
1a. Dictionary and brute-force 3 digits at the back (idiot123) 10^3*200k
1a.1 Dictionary with the first letter capitalized and brute-force 3 digits at the back (Boston777) 10^3*200k
Less than an hour.
If above didn't fly you have less than 1 in 10 to crack with following (using cRARk).
All numbers (0-9) 9 digits long (10^9) - will take about a day, will unlock all pins (
4-5digits) and all dates(20191111,10102019)Latin lower and digits (a-z0-9) 6 symbols (25^6) will take about 2 days, have cracked some this way (
asdfaf)Latin lower and upper and digits and . and - (a-zA-Z0-9.-) 5 symbols (60^5) will take another day, have scored some (
A.1983)
After this point, it's a longshot (Nowadays I stop here)
- Dictionary combo 2 words 200k^2
4.1 Dictionary combo with 2 words first letter cap 200k^2
4.2 Dictionary combo 2 words space in between 200k^2
4.3 Dictionary combo with 2 words first letter cap space in between 200k^2
another two to three days
After this point just give up, lol
Related videos on Youtube
02 : 37
10 : 15
04 : 31
06 : 11
02 : 54
Justin Ethier
Software Engineer living in the Baltimore area. Open Source Projects - A brand-new compiler that allows practical application development using R7RS Scheme. - A practical implementation of the Scheme programming language for the Haskell Platform. stack-watch - A unix command-line utility to automatically monitor Q&A activity on Stack Exchange. node-kdtree - A node.js add-on for performing efficient Nearest Neighbor searches using libkdtree. Minor contributions to many projects including jsgauge, jqGrid, Highcharts, Haskell SELinux bindings, chibi-scheme, jQuery UI Spinner, jClock, and the jQuery Validation Plugin. Featured solutions to Ruby Quiz Mexican Blanket Vehicle Counters If you develop a program for a long period of time by only adding features but never reorganizing it to reflect your understanding of those features, then eventually that program simply does not contain any understanding and all efforts to work on it take longer and longer. There is no right answer ... and always a better way. Show and discuss your code, without emotional attachment. You are not your code. Focused, hard work is the real key to success. Keep your eyes on the goal, and just keep taking the next step towards completing it. The game isn't really about big edges and firework displays; it's about subtle advantages and what happens in the long run. It is amazing what you can accomplish if you do not care who gets credit. Maybe the best programmers aren’t those who spectacularly solve crazy problems, but those who don’t create them, which is much more silent.
Updated on September 17, 2022Comments
-
Justin Ethier over 1 year
In modern zip utilities like 7zip, you can specify a password when creating a .ZIP file. But, how secure is this? What encryption algorithm(s) are used to secure password-protected zip files?
-
Mike1980 about 14 yearsBrute force attacks aren't always a waste of time, most users don't put an awful lot of thought into passwords, and a dictionary attack against the password they use can be a very effective way to decrypt a file. A brute force attack is only a waste of time (at present it becomes easier by the year) against a secure key.
-
Mircea Chirea about 14 yearsA brute force attack is a waste of time. Dictionary attacks are not brute force, and are a LOT faster than trying every possible combination of a set of characters up to a specific length.
-
Oorang almost 14 years+1 For posting a link to a blog with a link to a blog with that discusses an email that pertains to the original question.
-
Mircea Chirea almost 14 years@Oorang, I did that on purpose :P
-
Oorang almost 14 years@iconiK, And it was awesome.
-
zylstra about 6 yearsJeff Atwood is a smart guy, but his article was written in 2006, and he didn't quite have a grasp of the fundamentals like we do now with dictionary attacks, password frequency, rainbow tables, etc.
