How secure is Winzip's 256 bit encryption?

[Skoorb]

I lost a USB drive, I think. It had some stuff on there - nothing crazy - but, for instance, a file with some passwords to websites I visit (obviously nothing that's really all that important). I encrypted it with winzip's 256 bit encryption and a very nice password. Is this a true encryption technique that winzip uses - ie. it would require the typical brute force approach that other 256 would require, thus making it for all intents and purposes totally unbreachable?

http://eprint.iacr.org/2004/078.pdf This is an indepth discussion of Winzip's security. It covers some of the weak points, but my interpretation, after reading the first 1/3, is that somebody with my winzip file, though able to read the content's names (I knew that) will be unable to actually access what is within them.

[skullfullomagots]

I rememebered that I had forgotten the password for a personal rar-ed file and I tried to crack the passowrd which was 256 bit encrypted. Man, the cracker just denied to help me.

So, I think you dont have to worry unless someone knows you have your bankaccount code stored in there so it makes it worth the f/&%in' effort to crack the password.

[Skoorb]

It's got some pics of a family vacation, and otherwise everything on it was encrypted. They can read the file names - the "worst" being my passwords file and then my 2003 tax return, but even if somebody got them I wouldn't care that much, and if they can get around the 256 encryption, hell all the power to them

[pacmania_2001]

It'll keep most people out.

I wouldn't worry too much but if you do want to lower the chances I'd post a $20 buck reward for its return, thats of course, if you know the general area that it was lost.

[vitualis]

I think the stronger Winzip encryption is fine though it is not compatible with other "ZIP" capable programs.

The older/original ZIP encryption (i.e., universally compatible) is weak. You can download tools on the internet to crack it.

It is suspectable to brute force dictionary type attacks as well as a true cryptographic method as well.

Regards.

[AlinaVastag84]

There`s no way to extract Paswords from a winzip archive. The only way to find passwords is to use "brut force" of a good computer (test every number & letter in all possible combinations) with a program I used few years ago .The password configures the way WINZIP scrambles information in compressing method ,so, it`s no way you can find it hidden in the archive because it simply isn`t there. If the password is longer then 6 caracters you`ll have to wait maybe severall hours of computer work...if the password is longer then 9 caracters maybe days...

[Skoorb]

There`s no way to extract Paswords from a winzip archive. The only way to find passwords is to use "brut force" of a good computer (test every number & letter in all possible combinations) with a program I used few years ago .The password configures the way WINZIP scrambles information in compressing method ,so, it`s no way you can find it hidden in the archive because it simply isn`t there. If the password is longer then 6 caracters you`ll have to wait maybe severall hours of computer work...if the password is longer then 9 caracters maybe days...

Yeah, I heard that the old winzip "encryption" was not very good, and easy to break. As long as Winzip properly implemented its 256 bit encryption though it would not even be feasible for a super computer to break it any time soon. Hopefully it did

As an aside, what do others here use for this sort of thing? I just need to have files local to me and as secure as possible. I know XP has something built in, but that seems a bit of a hassle to use. I'd want something as easily accessible as possible, while still being for all intents and purposes unbreakable.

[redwudz]

I d/I'd a file that was encrypted. Just for the hell of it I tried a .rar decrypting program. It said 56hrs projected with brute force method. I ran it for three days. No luck. Depending on how many characters the password is and how convoluted., (combo of symbols, numbers, alphabet) and how fast your system is, really an enormous task.

If you have a file you don't want decrypted, go for a complex password. Numbers, symbols, alphabet. More is better. Just make sure you write the PS down, or nobody, including you, will crack it.

The average person that finds a hardware device with files on it will hopefully try to return it, or may try to open it once or twice. If that doesn't work they will either reformat it or throw it in the trash. If they don't know what's on it, they won't go to any effort.

There are plenty of security sites on the web. If you want to really find out about encryption and password security, check them out.

[vitualis]

Read what I read before.

If you try to crack the older Winzip encryption with "brute" force, you are well worth your while to try a dictionary attack first (i.e., rather than cycle through every single combination of characters, it tries a vast database of WORDS first).

Most people use a "word" for their password. If so, it will probably get broken in SECONDS.

If you use a LONG password with letters and numbers (i.e., something that can't be cracked using a dictionary search), it will take a relatively long time to crack on a PC.

As I also stated before though, the older Winzip encryption method was also subject to a different type of cryptographic attack (NOT brute force). Do a Google search on it -- there was a paper written on it and I was pretty sure that there was beta software released as well. You did need a "crib" though (i.e., some known ciphertext) for the attack to work. It is this second attack which makes the Winzip encryption system ultimately weak as it isn't dependent on your "key strength".

Regards.

[gll99]

It's got some pics of a family vacation, and otherwise everything on it was encrypted. They can read the file names - the "worst" being my passwords file and then my 2003 tax return, but even if somebody got them I wouldn't care that much, and if they can get around the 256 encryption, hell all the power to them

I used to zip my account information in a password protected zip and then rezipped this file using another complex password. It prevented anyone from seeing the individual file names. I don't keep any such info on my computer anymore so only my firewall is locked.
Storing a few dummy password protected zip files in the same directory with your valuable info will deter anyone from trying. If you put 9 more files then they have a one in ten chance of hitting the right file even if they managed to crack one.