|
-
March 20th, 2005, 01:49 PM
#1
Junior Member
Passworded rar-files, are they secure?
Just curious if there are any easy ways around passworded rar files. Let's say I have a file with the password 'abc', that would probably be taken down pretty fast by any brute force cracker out there. But what if we have numbers and small-/upper-case letters, and a password which is 1024 characters long?
Password length = 1024
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 = 62 chars
1024^62 = 4,3511E+186 combinations
Brute force isn't really a choice here, as it would take years and years. Should I consider this secure? 'Secure' as in secure enough for personal use, like sending an application or two to someone without really risking that someone else would get them.
-
March 20th, 2005, 02:20 PM
#2
Hi swoosh,
Remember that there are three factors to encryption security:
1. Password length
2. Password complexity
3. Strength of encryption algorithm
Now, as far as I know the encryption algorithm for standard file compression software is not very strong.
I have certainly seen a tool that will crack Zip files, and there may well be the same for Rar ones.
I would feel happier using a strong encryption application THEN compressing it.
Also remember that given time, nothing is secure.
cheers
-
March 20th, 2005, 02:22 PM
#3
Of course, if you put something like m@n!M10 would be mroe difficult to brute forece than standard dictionary words.... This is obvious.
I think security is something a relative issue, you never know,, tomorrow might witness the born of new and fast password crackers... So to say, I think if your password is longe enought and has some multi cases like uper and lower pluse some non-standard characters.. this would hang, if not stop, the process of cracking it.....
That's all
S.P: I think zencoder have written a tutorial about Creating Safe Password, I could not find here... Here is a link for this tutorial at his official website.. Have a look... a very nice tutorial
http://www.zencoder.net/white-papers/
Cheers
\"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster
-
March 20th, 2005, 04:07 PM
#4
Member
Swoosh -
Elcomsoft(http://www.elcomsoft.com/arpr.html ) has a tool for recovering lost RAR passwords. It supports a brute-force and a dictionary attack. Their product info says that RAR files are protected by 128 bit AES, so the only option is brute-foce or dictionary. I know zip files were vulnerable to a known-plaintext attack, but I'm not sure if RAR's are  But based on the information at Elcomsoft, a 1024 character password is good enought to protect a few .exe's
-
March 20th, 2005, 04:37 PM
#5
Junior Member
Originally posted here by nihil
Hi swoosh,
Remember that there are three factors to encryption security:
1. Password length
2. Password complexity
3. Strength of encryption algorithm
Now, as far as I know the encryption algorithm for standard file compression software is not very strong.
I have certainly seen a tool that will crack Zip files, and there may well be the same for Rar ones.
I would feel happier using a strong encryption application THEN compressing it.
Also remember that given time, nothing is secure.
cheers
Hi nihil. Neat post, I feel I got most of it covered with a pretty decent long random password, but I honestly haven't got a clue of how strong the encryption algorithm is. There are most definitly rar-crackers out there, but as said it takes ages to brute force something like that, atleast when a dictionary is out of the question. If I was talking seriously important files I'd also say go for a specialized encryption app instead of using something like rar. But as it's just a few small applications which aren't really that important to anyone, I think something like rar is an easy and fair enough way to go. One rar-cracker gave me an idea of how long time cracking it would take though. With a password with 100 chars/numbers it would take approx 115 years. Secure enough 
The pass would look something like this (only 'slightly' longer):
asd564AIHD4a189s4afTYASFDFsaf984ad4A98as4fADDA654dfOIH54564FAas46asf84gjf894jd46I54ytUGofhugFI489swt16g4sdj5OIDUs66d5d546g4fASF6hfr46sh
Originally posted here by Black Cluster Of course, if you put something like m@n!M10 would be mroe difficult to brute forece than standard dictionary words.... This is obvious.
I think security is something a relative issue, you never know,, tomorrow might witness the born of new and fast password crackers... So to say, I think if your password is longe enought and has some multi cases like uper and lower pluse some non-standard characters.. this would hang, if not stop, the process of cracking it.....
That's all
S.P: I think zencoder have written a tutorial about Creating Safe Password, I could not find here... Here is a link for this tutorial at his official website.. Have a look... a very nice tutorial
http://www.zencoder.net/white-papers/
Cheers
Thanks, nice tutorial.
Originally posted here by wyred
Swoosh -
Elcomsoft( http://www.elcomsoft.com/arpr.html ) has a tool for recovering lost RAR passwords. It supports a brute-force and a dictionary attack. Their product info says that RAR files are protected by 128 bit AES, so the only option is brute-foce or dictionary. I know zip files were vulnerable to a known-plaintext attack, but I'm not sure if RAR's are But based on the information at Elcomsoft, a 1024 character password is good enought to protect a few .exe's
Sounds fair enough. If what they say is correct then it should be out of the question to try to crack a file with such a long password.
Alright, case closed. Thanks for the input
-
March 20th, 2005, 05:14 PM
#6
Swoosh: "With a password with 100 chars/numbers it would take approx 115 years."
Although it could take approx 115 years, that figure is most likely based on one machine not a cluster working in harmony. So I wouldn't get to comfortable.
Nihil: "... given time, nothing is secure."
Swoosh, you're probably already thinking about it however it hasn't been mentioned yet; in order to make it as discouraging as possible for the deviant that's trying to crack your passwords, regardless of the complexity of the passward, change them frequently. Any progress they may have made is null and void at that point, he/she will have to start all over again. If the password is that hard to get around, where's he hiding the logs! That in itself may persuade them to look for an easier target.
$.02
cheers
Connection refused, try again later.
-
March 24th, 2005, 04:38 PM
#7
Junior Member
Good one. This wouldn't do as any high-classified protection or anything, but for my use it's enough (by far). I don't feel I need to worry about someone giving this too much work, and if anyone do then it's really a waste of time. Guess curiousity can make a man do exterme things though. Heh.
Thanks anyway, guess it's never too early to get that good password policy sitting tight.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
