53

In modern zip utilities like 7zip, you can specify a password when creating a .ZIP file. But, how secure is this? What encryption algorithm(s) are used to secure password-protected zip files?

Justin Ethier

3 Answers

44

7-zip uses AES-256 encryption for 7z/zip archives.

http://7-zip.org/7z.html says:

7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.

The help files of 7-zip say this about the security of a passworded 7z file:

7z

Gaff
Om Nom Nom
4

Brute force attacks are a waste of time. I won't go into details why, I will instead direct you to Jeff Atwood's blog, specifically Brute Force Key Attacks Are for Dummies.

U. Windl
Mircea Chirea
  • (8) Brute force attacks aren't always a waste of time, most users don't put an awful lot of thought into passwords, and a dictionary attack against the password they use can be a very effective way to decrypt a file. A brute force attack is only a waste of time (at present it becomes easier by the year) against a secure key. – Mike1980 Apr 10 '10 at 17:21
  • (6) A brute force attack is a waste of time. Dictionary attacks are not brute force, and are a LOT faster than trying every possible combination of a set of characters up to a specific length. – Mircea Chirea Apr 10 '10 at 21:10
  • +1 for posting a link to a blog with a link to a blog that discusses an email that pertains to the original question. – Oorang Jul 25 '10 at 00:36
  • @Oorang, I did that on purpose :P – Mircea Chirea Jul 26 '10 at 07:26
  • @iconiK, And it was awesome. – Oorang Jul 26 '10 at 16:24
  • Jeff Atwood is a smart guy, but his article was written in 2006, and he didn't quite have a grasp of the fundamentals like we do now with dictionary attacks, password frequency, rainbow tables, etc. – zylstra Feb 02 '18 at 20:05
  • the link seems to be broken now – DrBeco Jun 24 '23 at 03:38
  • Updated link: https://blog.codinghorror.com/brute-force-key-attacks-are-for-dummies/ – JYelton Jul 22 '23 at 21:22
3

As secure as the length of the password:

From my personal experience trying to crack 7zip password-protected files with a combination of dictionary and brute-force attacks, the way to go is:

  1. Dictionary attack 200k^1
    1.1 dictionary attack with the first letter capitalized 200k^1
    1a. Dictionary and brute-force 3 digits at the back (idiot123) 10^3*200k
    1a.1 Dictionary with the first letter capitalized and brute-force 3 digits at the back (Boston777) 10^3*200k
    Less than an hour.

If the above didn't fly, you have a less than 1 in 10 chance to crack it with the following (using cRARk).

  1. All numbers (0-9) 9 digits long (10^9) - will take about a day, will unlock all pins (4-5 digits) and all dates(20191111, 10102019)

  2. Latin lower and digits (a-z0-9) 6 symbols (25^6) will take about 2 days, have cracked some this way (asdfaf)

  3. Latin lower and upper and digits and . and - (a-zA-Z0-9.-) 5 symbols (60^5) will take another day, have scored some (A.1983)

After this point, it's a long shot (nowadays I stop here):

  4. Dictionary combo 2 words 200k^2
    4.1 Dictionary combo with 2 words first letter cap 200k^2
    4.2 Dictionary combo 2 words space in between 200k^2
    4.3 Dictionary combo with 2 words first letter cap space in between 200k^2
    another two to three days

After this point just give up, lol

Matas Vaitkevicius
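The two technical points on this page are the key derivation quoted in the top answer (AES-256 key from a SHA-256 based function with a large iteration count) and the candidate counts in the last answer. The Python below is an added example, written for this page and not 7-Zip's own source or cRARk's: `derive_key` is an iterated SHA-256 derivation in the style 7-Zip documents, and the byte layout it uses (password as UTF-16LE, empty salt, 8-byte little-endian round counter, 2^19 rounds) is my understanding of the 7z format and should be treated as an assumption rather than a verified port. The second half turns the last answer's search plan into worst-case exhaustion times at a measured single-core guess rate, so you can see how the iteration count, not the cipher, sets the cost per guess; it uses the true alphabet sizes (a-z0-9 is 36 symbols, a-zA-Z0-9.- is 64) where the answer rounds them. The password and the 200k-word dictionary size are constructed sample values.

```python
"""Iterated SHA-256 key derivation (7z style) and password-search cost estimates."""
import hashlib
import time


def derive_key(password: str, salt: bytes = b"", cycles_power: int = 19) -> bytes:
    """Derive a 32-byte AES-256 key from a text password.

    Modeled on the key setup 7-Zip documents for its AES-256 mode; the exact
    byte layout is an assumption: the password is UTF-16LE encoded and SHA-256
    absorbs salt || password || 8-byte little-endian counter once per round,
    for 2**cycles_power rounds (7z's default cycles_power is 19, i.e. 524288
    rounds). Only the final digest is the key, and the rounds are sequential,
    so every guess costs the attacker the whole chain.
    """
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + counter.to_bytes(8, "little"))
    return h.digest()


def work_factor(cycles_power: int) -> int:
    """SHA-256 absorptions an attacker pays per guess, relative to one plain hash."""
    return 1 << cycles_power


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a password of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return candidates / guesses_per_second


def measure_guess_rate(cycles_power: int = 19, trials: int = 3) -> float:
    """Guesses per second for this derivation on one CPU core.

    Constructed benchmark: a GPU rig is far faster in absolute terms, but the
    2**cycles_power multiplier from the derivation applies to it just the same.
    """
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess{i}", cycles_power=cycles_power)
    return trials / (time.perf_counter() - start)


# Candidate counts from the last answer's search plan, assuming a 200k-word
# dictionary (constructed figure) and the true alphabet sizes.
SEARCH_PLAN = {
    "dictionary word": 200_000,
    "word + 3 digits": 200_000 * keyspace(10, 3),
    "9 digits": keyspace(10, 9),
    "[a-z0-9] x 6 (36 symbols)": keyspace(36, 6),
    "[a-zA-Z0-9.-] x 5 (64 symbols)": keyspace(64, 5),
    "two dictionary words": 200_000 ** 2,
}


if __name__ == "__main__":
    key = derive_key("correct horse")  # constructed sample password
    print("AES-256 key:", key.hex())
    print("work factor per guess at 2^19 rounds:", work_factor(19))
    rate = measure_guess_rate()
    print(f"~{rate:.2f} guesses/s on one CPU core at 2^19 rounds")
    for name, n in SEARCH_PLAN.items():
        days = seconds_to_exhaust(n, rate) / 86400
        print(f"{name:<32} {n:>16,d} candidates  ~{days:,.1f} days worst case")
```

Run it as a script to get the table; the derivation takes on the order of a second per guess in pure Python at 2^19 rounds, which is the point: the same search that is trivial against a single unsalted hash is slowed by roughly half a million SHA-256 blocks per candidate, and the only lever the user controls is how many candidates the password sits behind.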