Strength of Zip archive password

dc2000 · 10 May 2013

I like making backups of my files on cloud services, for instance SkyDrive and Dropbox. (I have their apps running on my Windows 7 machine that sync two of my local folders.) But the question that I always had in mind is -- what about security of those services? It doesn't seem like either of them provide any encryption for its free accounts.

So what I came up with is a solution to use WinRAR to zip my files into a password protected Zip file before letting it to be uploaded to the cloud. For that I use a password, similar to something like this: "SomRaNdemWerdz23448"

So the question I have, how easy is to to break into a Zip archive created on a Windows 7 system that is protected with a decent-length password?

Golden · 10 May 2013

Encryption
.ZIP supports a simple password-based symmetric encryption system which is documented in the .ZIP specification, and known to be seriously flawed. In particular it is vulnerable to known-plaintext attacks which are in some cases made worse by poor implementations of random number generators.[26]
New features including new compression and encryption (e.g. AES) methods have been documented in the .ZIP File Format Specification since version 5.2. A WinZip-developed AES-based standard is used also by 7-Zip, XCeed, and DotNetZip, but some vendors use other formats.[27] PKWARE SecureZIP also supports RC2, RC4, DES, Triple DES encryption methods, Digital Certificate-based encryption and authentication (X.509), and archive header encryption.[28]
File name encryption is introduced in .ZIP File Format Specification 6.2, which encrypts metadata stored in Central Directory portion of an archive, but Local Header sections remain unencrypted. A compliant archiver can falsify the Local Header data when using Central Directory Encryption. As of Version 6.2 of the specification, the Compression Method and Compressed Size fields within Local Header are not yet masked.

Zip (file format) - Wikipedia, the free encyclopedia

Personally, I prefer 7ZIP and its .7z format, which uses 256 bit AES encryption.

7z - Wikipedia, the free encyclopedia

Britton30 · 10 May 2013

I once experimented with a "rar password cracker" on a Winrar file I made for the purpose. It wasn't a particularly strong password but the software said it would have taken over 2 years of searching to find it. I suspect that serious decrypters and hackers have much more sophisticated programs than a free one.

I also trust and use 7-Zip for anything sensitive in nature.

Alejandro85 · 11 May 2013

An alternative may be to use a serious, specialized encryption program to handle the security and keep WinRar/7Zip/whatever for compression only. What I would do is to pack the files with WinRar at highest compression, but unencrypted, then store the .rar file in a TrueCrypt container that provides strong security, and upload the container instead.

Anyway, if your data is so important and confidential, I would think twice before uploading anywhere. No matter how strong it is, encryption algorithms can ALWAYS be reversed, given the time and processing power, and by having your files in someone else machine you effectively lose control on who can get it. For really critical data, keep it with yourself, and backup only to devices and computers you can physically control. Encryption makes sneaking harder, but ultimately possible, so you're giving all the info away regardless.