Andy M (Croatia) asked:

7zip password

Hello,

how secure is 7zip password protection?

Thank you
noci:

Apparently for some versions not very impressive: https://www.quora.com/How-do-I-crack-a-7z-file-password
There are lots of "instant recover your password" tools floating around (for zip, rar, 7z etc.).

If you need serious encryption for any file, use aespipe ( http://loop-aes.sourceforge.net ).
The question is better considered as how secure you require your password to be.

For best security, you'll run zip or zstd or any other compressor, then encrypt your file with a tool like noci mentions or use openssl.

Using openssl (gold standard) provides pretty much uncrackable encryption.

If you must have 100% uncrackable encryption, then you'll use openssl to encrypt your files, then periodically rotate your passwords... meaning you decrypt + re-encrypt your file with a new password.

Normally password rotation is overkill.

To use openssl, you'll do something like this...

# encrypt ($algo is a cipher name such as aes-256-cbc; $file is the input file)
openssl "$algo" -in "$file" -out "$file.encrypted"

# decrypt
openssl "$algo" -d -in "$file.encrypted" -out "$file"

Where the $algo you select sets your encryption level.

If you have many large files, setting a harsh/high encryption level can produce a very long processing time.

This means you'll choose your $algo based on number of files, size of files, required encryption strength.

If you require automating this for many files, https://linuxconfig.org/using-openssl-to-encrypt-messages-and-files-on-linux provides good examples of how to pass very long passwords to openssl.

Big Note: Whether you input a password by hand or pass to openssl using STDIN, real security of your process relates to how you store your passwords.
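As an added example (not code from the thread), the openssl procedure above written out as shell functions: the passphrase is read from a file that only its owner can read rather than typed or placed on the command line, and the key is derived with PBKDF2 so that each password guess costs the attacker 200000 hash operations instead of one. It assumes OpenSSL 1.1.1 or newer (for -pbkdf2), a POSIX sh with mktemp, and constructed sample file names and contents.

```shell
#!/bin/sh
# Added example, not from the thread. Encrypts and decrypts a file with
# "openssl enc", the way the post above sketches, with two additions:
#   - the passphrase is read from a file created with mode 0600, instead of
#     being typed or passed on the command line (where ps would show it);
#   - -pbkdf2 -iter makes every password guess cost ITER hash operations.
# Assumes OpenSSL 1.1.1 or newer (for -pbkdf2) and a POSIX sh with mktemp.
# All file names and the sample plaintext below are constructed for the demo.

CIPHER="aes-256-cbc"   # the thread's "$algo"; AES-256, as 7-Zip also uses
ITER=200000            # PBKDF2 iteration count; raise it as hardware speeds up

# new_passfile PATH : write a fresh random 64-hex-char passphrase to PATH,
# created with mode 0600 so other local users cannot read it
new_passfile() {
    ( umask 077 && openssl rand -hex 32 > "$1" )
}

# encrypt_file IN OUT PASSFILE : IN -> OUT, passphrase taken from PASSFILE
encrypt_file() {
    openssl enc "-$CIPHER" -salt -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file IN OUT PASSFILE : the inverse; the same -pbkdf2/-iter values
# must be given, otherwise a different key is derived and decryption fails
decrypt_file() {
    openssl enc -d "-$CIPHER" -pbkdf2 -iter "$ITER" \
        -pass "file:$3" -in "$1" -out "$2"
}

# roundtrip_ok IN PASSFILE : exit status 0 iff encrypt then decrypt
# reproduces IN byte for byte (the check to run before deleting an original)
roundtrip_ok() {
    rt_tmp=$(mktemp -d) || return 1
    if encrypt_file "$1" "$rt_tmp/c" "$2" \
        && decrypt_file "$rt_tmp/c" "$rt_tmp/p" "$2" \
        && cmp -s "$1" "$rt_tmp/p"; then
        rt_rc=0
    else
        rt_rc=1
    fi
    rm -rf "$rt_tmp"
    return $rt_rc
}

# Demonstration on a constructed sample file
demo() {
    d=$(mktemp -d) || exit 1
    printf 'constructed sample: quarterly figures, not for the public\n' > "$d/report.txt"
    new_passfile "$d/report.pass"
    encrypt_file "$d/report.txt" "$d/report.txt.enc" "$d/report.pass"
    if roundtrip_ok "$d/report.txt" "$d/report.pass"; then
        echo "round trip OK; passphrase file mode: $(ls -l "$d/report.pass" | cut -c1-10)"
    else
        echo "round trip FAILED" >&2
    fi
    rm -rf "$d"
}
demo
```

Without -pbkdf2, openssl enc derives the key with a single hash pass over the passphrase, so the iteration count is what turns a fast offline guess into a slow one; the passphrase file itself is then the thing to protect, which is the "Big Note" above.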
SOLUTION (Kimputer): only available to Experts Exchange members.

ASKER CERTIFIED SOLUTION: only available to Experts Exchange members.
As mentioned above, the best password encryption scheme is no better than the password used. I looked at "instant crack" software last year and it's "instant" only if the password is contained in the cracking dictionary. If the password is not in the dictionary then the programs fall back to brute force and that takes a good long time.

If you're worried about this then encrypt twice, once in the compressor and once using a good commercial encryptor program, using long passwords that are randomly generated.
Andy M (asker):
7-Zip currently uses AES 256-bit encryption, the strongest version of AES, so the password length determines how secure it is. This password length applies to all encryption methods.

It seems secure

[attached image: Andy's password cracking timing tables]
Andy's tables are the worst-case guess timings possible. If the first attempt succeeds then it is less than 1 s.
Assume you need any of the 256 byte values to reach those times, not just letters & digits and a few from +-&*^%$...
7z is quite decent

Zip is easily crackable

Rar has used different algorithms. It used to be quite safe but I am unsure nowadays.

An alternative that has not been mentioned is PGP, which I believe to be quite safe.

But obviously, when it comes to symmetric encryption, whatever algo is used is only as safe as the password itself: if your password is sunshine, even military grade encryption will be brute forced in an instant.

Real military grade safety is usually achievable by transferring parts of the encrypted file over different vectors.

It is virtually impossible to decrypt or brute force a decent algorithm if you only have access to the even or odd bits.

I forgot to mention that 10 passwords per second as mentioned above is a joke. My laptop probably can do 10 thousand per second without any specific optimisation, not speaking of tweaked ARM chips, GPUs, a regular supercomputer, a botnet... Brute forcing IS an actual issue nowadays. Prefer passphrases over passwords with whatever useless complexity level.