Passworded rar-files, are they secure?

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    27

    Passworded rar-files, are they secure?

    Just curious if there are any easy ways around passworded rar files. Let's say I have a file with the password 'abc', that would probably be taken down pretty fast by any brute force cracker out there. But what if we have numbers and small-/upper-case letters, and a password which is 1024 characters long?

    Password length = 1024
    abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 = 62 chars
    1024^62 = 4,3511E+186 combinations

    Brute force isn't really a choice here, as it would take years and years. Should I consider this secure? 'Secure' as in secure enough for personal use, like sending an application or two to someone without really risking that someone else would get them.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi swoosh,

    Remember that there are three factors to encryption security:

    1. Password length
    2. Password complexity
    3. Strength of encryption algorithm

    Now, as far as I know the encryption algorithm for standard file compression software is not very strong.

    I have certainly seen a tool that will crack Zip files, and there may well be the same for Rar ones.

    I would feel happier using a strong encryption application THEN compressing it.

    Also remember that given time, nothing is secure.

    cheers

  3. #3
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Of course, if you put something like m@n!M10 it would be more difficult to brute force than standard dictionary words.... This is obvious.

    I think security is something of a relative issue, you never know, tomorrow might witness the birth of new and fast password crackers... So to say, I think if your password is long enough and has some multi cases like upper and lower plus some non-standard characters.. this would hang, if not stop, the process of cracking it.....


    That's all

    P.S.: I think zencoder has written a tutorial about Creating Safe Password, I could not find it here... Here is a link for this tutorial at his official website.. Have a look... a very nice tutorial

    http://www.zencoder.net/white-papers/

    Cheers
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  4. #4
    Swoosh -

    Elcomsoft (http://www.elcomsoft.com/arpr.html) has a tool for recovering lost RAR passwords. It supports a brute-force and a dictionary attack. Their product info says that RAR files are protected by 128 bit AES, so the only option is brute-force or dictionary. I know zip files were vulnerable to a known-plaintext attack, but I'm not sure if RARs are. But based on the information at Elcomsoft, a 1024 character password is good enough to protect a few .exe's

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    27
    Originally posted here by nihil
    Hi swoosh,

    Remember that there are three factors to encryption security:

    1. Password length
    2. Password complexity
    3. Strength of encryption algorithm

    Now, as far as I know the encryption algorithm for standard file compression software is not very strong.

    I have certainly seen a tool that will crack Zip files, and there may well be the same for Rar ones.

    I would feel happier using a strong encryption application THEN compressing it.

    Also remember that given time, nothing is secure.

    cheers
    Hi nihil. Neat post, I feel I got most of it covered with a pretty decent long random password, but I honestly haven't got a clue of how strong the encryption algorithm is. There are most definitely rar-crackers out there, but as said it takes ages to brute force something like that, at least when a dictionary is out of the question. If I was talking seriously important files I'd also say go for a specialized encryption app instead of using something like rar. But as it's just a few small applications which aren't really that important to anyone, I think something like rar is an easy and fair enough way to go. One rar-cracker gave me an idea of how long cracking it would take though. With a password with 100 chars/numbers it would take approx 115 years. Secure enough.

    The pass would look something like this (only 'slightly' longer):
    asd564AIHD4a189s4afTYASFDFsaf984ad4A98as4fADDA654dfOIH54564FAas46asf84gjf894jd46I54ytUGofhugFI489swt16g4sdj5OIDUs66d5d546g4fASF6hfr46sh


    Originally posted here by Black Cluster
    Of course, if you put something like m@n!M10 it would be more difficult to brute force than standard dictionary words.... This is obvious.

    I think security is something of a relative issue, you never know, tomorrow might witness the birth of new and fast password crackers... So to say, I think if your password is long enough and has some multi cases like upper and lower plus some non-standard characters.. this would hang, if not stop, the process of cracking it.....


    That's all

    P.S.: I think zencoder has written a tutorial about Creating Safe Password, I could not find it here... Here is a link for this tutorial at his official website.. Have a look... a very nice tutorial

    http://www.zencoder.net/white-papers/

    Cheers
    Thanks, nice tutorial.


    Originally posted here by wyred
    Swoosh -

    Elcomsoft (http://www.elcomsoft.com/arpr.html) has a tool for recovering lost RAR passwords. It supports a brute-force and a dictionary attack. Their product info says that RAR files are protected by 128 bit AES, so the only option is brute-force or dictionary. I know zip files were vulnerable to a known-plaintext attack, but I'm not sure if RARs are. But based on the information at Elcomsoft, a 1024 character password is good enough to protect a few .exe's
    Sounds fair enough. If what they say is correct then it should be out of the question to try to crack a file with such a long password.

    Alright, case closed. Thanks for the input

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Swoosh: "With a password with 100 chars/numbers it would take approx 115 years."
    Although it could take approx 115 years, that figure is most likely based on one machine, not a cluster working in harmony. So I wouldn't get too comfortable.
    Nihil: "... given time, nothing is secure."
    Swoosh, you're probably already thinking about it, however it hasn't been mentioned yet; in order to make it as discouraging as possible for the deviant that's trying to crack your passwords, regardless of the complexity of the password, change them frequently. Any progress they may have made is null and void at that point, he/she will have to start all over again. If the password is that hard to get around, where's he hiding the logs! That in itself may persuade them to look for an easier target.

    $.02

    cheers
    Connection refused, try again later.
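
An added example, not part of any post in this thread: it puts the two figures the thread discusses side by side, the entropy of a random password over the 62-character alphabet from post #1 and the 128-bit AES key size post #4 quotes from Elcomsoft, and shows how the worst-case search time scales with the number of machines, the point raised in post #6. The guess rate and cluster size are constructed assumptions, not benchmarks of any real tool.

```python
import math

AES_KEY_BITS = 128          # key size post #4 quotes from Elcomsoft's product info
ALPHABET = 62               # a-z, A-Z, 0-9, as counted in post #1
ASSUMED_RATE = 1_000_000    # guesses/second per machine: constructed figure, not a benchmark
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def effective_bits(length, alphabet=ALPHABET, key_bits=AES_KEY_BITS):
    """The cipher key can be searched instead of the password, so its size is a ceiling."""
    return min(password_bits(length, alphabet), key_bits)


def saturating_length(alphabet=ALPHABET, key_bits=AES_KEY_BITS):
    """Shortest random password whose entropy reaches the key size."""
    return math.ceil(key_bits / math.log2(alphabet))


def years_to_exhaust(length, alphabet=ALPHABET, rate=ASSUMED_RATE, machines=1):
    """Worst-case years to try every candidate; the work divides evenly across machines."""
    guesses = 2.0 ** effective_bits(length, alphabet)
    return guesses / (rate * machines) / SECONDS_PER_YEAR


def report(lengths=(3, 8, 12, 22, 100, 1024), cluster=10_000):
    """Rows of (length, password bits, effective bits, years on 1 machine, years on cluster)."""
    return [(n, round(password_bits(n), 1), round(effective_bits(n), 1),
             years_to_exhaust(n), years_to_exhaust(n, machines=cluster))
            for n in lengths]


if __name__ == "__main__":
    print(f"key size reached at {saturating_length()} random characters")
    print(f"{'len':>5} {'pw bits':>9} {'eff bits':>9} {'1 machine (yr)':>16} {'cluster (yr)':>14}")
    for n, pw, eff, one, many in report():
        print(f"{n:>5} {pw:>9} {eff:>9} {one:>16.3g} {many:>14.3g}")
```

Under these assumptions the 100- and 1024-character rows come out identical, because both are capped at the key size; only the rows below 22 characters depend on the password itself.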

  7. #7
    Junior Member
    Join Date
    Oct 2002
    Posts
    27
    Good one. This wouldn't do as any high-classified protection or anything, but for my use it's enough (by far). I don't feel I need to worry about someone giving this too much work, and if anyone does then it's really a waste of time. Guess curiosity can make a man do extreme things though. Heh.

    Thanks anyway, guess it's never too early to get that good password policy sitting tight.
