Password protection does not work

2012-07-29
2012-12-07
  • drDubbelklick
    2012-07-29

    If I right-click a folder and select 7-zip/Add to archive…, the main dialogue appears, allowing you to set a password with a choice of AES256 and some proprietary algorithm.

    The problem is that the password does not work!

    I can even use the Windows File Explorer to expand the archive without any warnings or error messages appearing.

     
  • Shell
    2012-07-29

    I tried to create a password-protected ZIP archive and it worked. Please tell me what you are doing and what options you are selecting, step by step. Also, please check whether Explorer expands the archive correctly - maybe it does not recognize the password protection and extracts garbage instead of files.

     
  • drDubbelklick
    2012-07-29

    I tested further on and found out that all individual files were encrypted by the password, but the entire directory structure, including the file names, is still visible from the Windows Explorer.
    I think that it is a security breach to be able to browse the archive to see the file names, even if individual files cannot be opened.
    WinZip, on the other hand, first prompts you for the password, then opens the archive, so that none of its contents is visible until you provide the correct password.
    I believe this to be a slight bug in 7-zip.
    I use 7-zip almost every day, and have found it to be the best compression utility, so otherwise I'm very satisfied with it.

     
  • Shell
    2012-07-29

    I think this is a flaw not in 7-Zip, but in the ZIP format itself. Try creating a password-protected archive in WinZIP and then open it with Explorer, 7-Zip, WinRAR or something else. Would the directory structure be visible in that case?

    By the way, when you create a 7z archive, a checkbox "Encrypt file names" appears under the password box. If it is not present for a ZIP archive, then it is probably impossible to protect file names in it.

     
  • drDubbelklick
    2012-07-29

    Unfortunately, I do not have WinZip to compare to, but I have received encrypted WinZip files before. Windows then said that the file was encrypted and prompted me for a password.
    Can we test this by having someone who has access to "the real WinZip" compress a random directory with files in it, set the encryption key to the digit one (1), and then send it to me at drdubbelklick ( a t ) gmail (d o t) com?

    Besides, encrypting the archive with the 7zip format demands the recipient to also have 7zip, which is not the case with ordinary zip files, which Windows handles natively.

     
  • Shell
    2012-07-29

    From WinZIP's help:

    Encryption applies only to the contents of files stored within a Zip file. Information about an encrypted file, such as its name, date, size, attributes, CRC, and compression ratio, is stored in unencrypted form in the Zip file's directory and can be viewed, without a password, by anyone who has access to the Zip file.

    I tried WinZIP 16.5 Pro, it really does not encrypt file names. So if you want to secure file names, I suggest you create an archive without encryption, and then encrypt this single archive into another archive (without compression now).
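
The limitation and the nesting workaround described in the post above, as an added Python example that is not part of the original thread: it hand-builds a ZIP with one entry encrypted under the legacy ZIP cipher (so that Python's `zipfile` can verify it) and lists what a reader sees without the password, first directly and then when the files are wrapped in an inner archive. The file name, content and password are constructed sample values.

```python
import io, os, struct, zipfile, zlib

def _crc(k, b):  # raw one-byte CRC-32 step (no pre/post inversion)
    return zlib.crc32(bytes([b]), k ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(data, password):
    """Legacy ZIP stream cipher; chosen only because zipfile can decrypt it."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(b):
        k[0] = _crc(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc(k[2], k[1] >> 24)
    for b in password:
        update(b)
    out = bytearray()
    for p in data:
        t = k[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name, content, password):
    """Hand-built ZIP with one stored entry whose data (only) is encrypted."""
    crc, fn = zlib.crc32(content), name.encode()
    # 12-byte encryption header; its last byte (CRC high byte) is the password check.
    body = zipcrypto_encrypt(os.urandom(11) + bytes([crc >> 24]) + content, password)
    # version, flags (bit 0 = encrypted), method 0, time, date, crc, sizes, name/extra len
    common = struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0x21, crc,
                         len(body), len(content), len(fn), 0)
    local = b"PK\x03\x04" + common + fn + body
    central = (b"PK\x01\x02" + struct.pack("<H", 20) + common
               + struct.pack("<HHHII", 0, 0, 0, 0, 0) + fn)  # name stored in clear
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def inspect_without_password(blob):
    """What any reader learns with no password: (name, size, encrypted flag)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 1)) for i in zf.infolist()]

# Constructed sample data (names, content and password are illustrative).
SECRET_NAME, CONTENT, PASSWORD = "project/payroll_macro.vb", b"sample source\n", b"1"
direct = build_encrypted_zip(SECRET_NAME, CONTENT, PASSWORD)
inner = io.BytesIO()
with zipfile.ZipFile(inner, "w") as zf:       # step 1: plain archive, no encryption
    zf.writestr(SECRET_NAME, CONTENT)
wrapped = build_encrypted_zip("inner.zip", inner.getvalue(), PASSWORD)  # step 2
print(inspect_without_password(direct))   # real file name is listed
print(inspect_without_password(wrapped))  # only "inner.zip" is listed
```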

     
  • drDubbelklick
    2012-07-29

    Thank you u_shell. That was a very good idea. I tried to send a software package to a colleague of mine, who is also a software developer, and the mail was rejected, since gmail inspects the archive, and files with a certain extension (vb in my case) are not allowed to be sent.
    I'll go for that idea,

    Thanks!

     
  • fernando
    2012-07-29

    Gmail will REJECT a ZIP archive stored within a ZIP archive
    Gmail will currently ACCEPT any 7-Zip archive.

     
  • drDubbelklick
    2012-07-29

    So, I have to rename the inner zip archive to something else, like donald_duck.txt?

     
  • drDubbelklick
    2012-07-29

    According to gmail,

    "ade", "adp", "bat", "chm", "cmd", "com", "cpl", "exe",
    "hta", "ins", "isp", "jse", "lib", "mde", "msc", "msp",
    "mst", "pif", "scr", "sct", "shb", "sys", "vb", "vbe",
    "vbs", "vxd", "wsc", "wsf", "wsh"

    Gmail won't accept these types of files even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz, .rar) format.

    In my case, it was an encrypted zip file inside a regular zip file, and according to the above information, the mail should not have bounced, which I just saw it did.

     
  • fernando
    2012-07-29

    Who knew an encrypted zip file is not considered of zip format?

    I suspect your developer partner is capable of dropping the 7za executable in PATH and performing
    7za x archive.7z -pPresharedPassword

     
  • drDubbelklick
    2012-07-29

    Yes, he is. I am thinking more of a general scenario, where the recipient is not as skilled with computers as he and I, and does not have 7-zip installed.

    I gave it another try, and renamed an unencrypted zip to donald_duck.txt and sent it to him 22:40 (GMT+1), and it has not bounced yet. My previous attempts bounced within minutes.

    Let's see how intelligent gmail really is about detecting what is really being attached…

     

  • Anonymous
    2012-10-19

    @drdubbleklick: You say you're investigating the scenario where the recipient does not have 7-zip installed. Are you able to create a password protected zip file using 7-zip which you can extract using the built-in Windows zip file support? I at least cannot get this to work - Windows won't extract the encrypted file(s) from the archive and won't prompt for the password either. I can only extract the file from the zip using 7-zip.

    Did you find a solution to this problem?