Monday, 26 August 2019

security - Is zip's encryption really bad?


The standard advice for many years regarding compression and encryption has been that the encryption strength of zip is bad.


Is this really the case in this day and age?


I read this article about WinZip (it has had the same bad reputation). According to that article the problem is removed provided you follow a few rules when choosing your password.



  1. At least 12 characters in length

  2. Be random not contain any dictionary, common words or names

  3. At least one Upper Case Character

  4. Have at least one Lower Case Character

  5. Have at least one Numeric Character

  6. Have at least one Special Character e.g. $,£,*,%,&,!


This would result in roughly 475,920,314,814,253,000,000,000 possible combinations to brute force


Please provide recent (say past five years) links to back up your information.



Answer



The weakness of the old encryption was due to the weakness of the chosen encryption algorithm.


Nowadays one can use industry grade encryption via 'AES', which is used everywhere (and is under heavy attack but as it seems pretty hard to attack). As the site you cited stated: the weakest spot is in the passphrase and the rules you mentioned especially address that problem.


Theses rules do not apply to the passphrase for the old encryption, since that old encryption was very weak in itself, no matter if you choose a good password or not.


The statement of



the problem is removed provided you follow a few rules when choosing your password.



is not true, since the real solution to encrypt ZIP files securely is to choose a strong encryption algorithm AND a strong password. The strongest password is worth nothing if the encryption algorithm is weak.


Read also http://www.info-zip.org/FAQ.html#crypto and http://www.topbits.com/how-can-i-recover-a-zip-password.html


No comments:

Post a Comment

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...