I'm reviewing an encrypted compression solution for the company I work at and would like somebody privy to the 7-Zip code to give their estimate of how long it would take to brute force a password-encrypted .7z archive.
From my own calculations (using a password cracker) a 1-12 char passworded .ZIP file can be brute forced in only 5-6 days on today's PCs. And if you use WinZip 8.0 or earlier (they fixed it in 8.1) your password can be cracked in under 7 minutes.
I'm challenging the authors, or anybody that understands the .7z code, to give us some estimates on .7z cracking.
I feel these are reasonable parameters:
1. We have a 4 GHz CPU (with hyperthreading and dual core), giving us almost 20% more power.
2. We are using a totally random password (no dictionary) composed of any US English keyboard characters.
3. The password is approx. 12 chars and our cracker needs to start at 5 chars and work its way up.
I would also like to know how many passwords per second we can compare; my AMD XP 1.7 GHz can compare almost 2 million .ZIP passwords per second. Obviously this depends on the algorithm, but remember this post is a request for estimates.
If anybody wants to contact me directly... towens01<AT>UnityHealth<DOT>org
.zip encryption in 7-Zip is not too secure.
.7z encryption in 7-Zip is secure (it uses AES-256 and SHA-256).
From the 7-Zip help about .7z encryption:
We will estimate the time of an exhaustive password search attack, when the password is a random sequence of lowercase Latin letters.
We suppose that one user can check 10 passwords per second and an organization (with a budget of about $1 billion) can check 10 billion passwords per second. We also suppose that every 2 years processor performance doubles, so each additional Latin letter in a long password adds about 9 years against an exhaustive key search attack.
So we have the following estimated times for the attack:
Password Length   Single User Attack   Organization Attack
       1               2 s                  1 s
       2               1 min                1 s
       3              30 min                1 s
       4              12 hours              1 s
       5              14 days               1 s
       6               1 year               1 s
       7              10 years              1 s
       8              19 years             20 s
       9              26 years              9 min
      10              37 years              4 hours
      11              46 years              4 days
      12              55 years              4 months
      13              64 years              4 years
      14              73 years             13 years
      15              82 years             22 years
      16              91 years             31 years
      17             100 years             40 years
Thanks for the info. I am aware that the .ZIP file format uses very weak password encryption; in fact I've just finished my testing results. These figures assume the newest/fastest Intel CPU (almost 4 GHz dual core with hyperthreading).
The time to crack a classic .ZIP file...
A. If you use a password found in a dictionary, even with numbers at the beginning and/or end:
Less than 24 hrs regardless of password length
B. If you just use numbers and only upper or only lower case:
2005 Summer
5 chars long: 2 secs
6 chars long: 2 mins
7 chars long: 1 hr
8 chars long: 1 day
9 chars long: 50 days
10 chars long: 6 yrs
C. If you use numbers, upper and lower case:
2005 Summer
5 chars long: 30 secs
6 chars long: 30 mins
7 chars long: 6 hrs
8 chars long: 3 yrs
9 chars long: 25 yrs
10 chars long: 1,350 yrs
D. If you use numbers, upper and lower case and a keyboard character (the symbols above the number keys and such):
2005 Summer
5 chars: 1 min
6 chars: 1 hour
7 chars: 3 days
8 chars: 1 yr
9 chars: 50 yrs
10 chars: 3,400 yrs
E. If you use numbers, lower & upper case, keyboard characters and insert ASCII codes by holding down ALT and typing in numbers:
2005 Summer
5 chars: 5 mins
6 chars: 17 hrs
7 chars: 35 days
8 chars: 10 yrs
9 chars: 1,000 yrs
10 chars: 100,000 yrs
By the way, those calculations for .7z passwords after 7 characters look funny, either those calculations are VERY incorrect or the encryption .7z is using has tons of duplicate hashes after the 7 char mark.
Obviously the longer the password, the dynamically longer it takes to crack it.
Can anybody comment on those bizarre figures for .7z?
The calculations for .7z passwords after 7 characters are linear because processor speed grows exponentially. It is assumed that every two years you can buy a computer that is two times faster than the computer you bought 2 years ago.
Here are some real-world numbers using Advanced Zip Password Recovery on my machine, an AMD 3000+. My machine can check 11,000,000 passwords per second.
Assuming the character set (a-z A-Z 0-9), which is 62 characters:
5 chars = 1.39 minutes
6 chars = 1.43 hours
7 chars = 3.71 days
8 chars = 229.73 days
9 chars = 39.02 years
10 chars = 2419.46 years
The math is as follows:
Total_passwords_to_check = characters_in_char_set ^ password_length
Time = Total_passwords_to_check / (passwords per second)
Char set (a-z A-Z 0-9) = 62 characters_in_char_set
password_length = 5
Total_passwords_to_check = 62 ^ 5 = 916,132,832
Time = 916,132,832 / (11,000,000 p/s) = 83.28 seconds
password_length = 6
Total_passwords_to_check = 62 ^ 6 = 56,800,235,584
Time = 56,800,235,584 / (11,000,000 p/s) = 5,163.66 seconds = 1.43 hours
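The two estimate models in this thread (the fixed-rate arithmetic of the post above, and the 7-Zip help's model in which the checking rate doubles every 2 years, which is why its table grows only linearly past 7 letters) as an added worked example; this is not code from the thread or from 7-Zip, and the rates and character sets are the ones the posts quote. The growing-rate formula integrates r0 * 2^(t/d) over time and solves for t; it reproduces the help table's shape (about 9.4 years per extra lowercase letter) rather than its exact rounded entries.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` chars drawn from a charset of `charset_size`."""
    return charset_size ** length


def keyspace_walking_up(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates tried by a cracker that walks every length from min_len to max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def fixed_rate_seconds(candidates: int, rate_per_second: float) -> float:
    """Worst-case search time when the checking rate never changes (the AZPR post's model)."""
    return candidates / rate_per_second


def growing_rate_years(candidates: int, rate_per_second: float, doubling_years: float = 2.0) -> float:
    """Worst-case search time in years when the rate doubles every `doubling_years`
    (the 7-Zip help's assumption).  Rate at year t is r0 * 2**(t/d), so by year t the
    attacker has checked r0 * d/ln2 * (2**(t/d) - 1) candidates; solve that for t."""
    r0 = rate_per_second * SECONDS_PER_YEAR  # candidates per year at t = 0
    return doubling_years * math.log2(1.0 + candidates * math.log(2) / (r0 * doubling_years))


def years_per_extra_char(charset_size: int, doubling_years: float = 2.0) -> float:
    """Asymptotic cost of one more character under the growing-rate model."""
    return doubling_years * math.log2(charset_size)


if __name__ == "__main__":
    # Constructed inputs: the AZPR post's 62-char set at 11 million checks per second.
    print(f"62^6 at 11M/s: {fixed_rate_seconds(keyspace(62, 6), 11_000_000) / 3600:.2f} hours")
    # The 7-Zip help's single-user (10/s) and organization (1e10/s) rates, lowercase letters only.
    for n in range(5, 18):
        single = growing_rate_years(keyspace(26, n), 10)
        org = growing_rate_years(keyspace(26, n), 1e10)
        print(f"{n:2d} letters: single user {single:6.1f} y   organization {org:8.4f} y")
    print(f"each extra lowercase letter adds ~{years_per_extra_char(26):.1f} years")
```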
"The calculations for .7z passwords after 7 characters are linear because processor speed grows exponentially. It is assumed that every two years you can buy a computer that is two times faster than the computer you bought 2 years ago."
Nice to know.
CPU speed DID GROW exponentially in the last 40 years.
But are you SURE that it will also do so in the next 40 years?
I'm not sure about 40 years, but in the next 10 years we will likely keep on seeing exponential growth in terms of performance per socket. If the algorithm is parallel you can enjoy the exponential growth. Just look at the Intel and AMD public roadmaps. I also have insider info that Intel has started design of an Itanium core that will be produced in 8, 16 and 32 cores per socket. I'm pretty sure we will see it within 10 years.
Where do I find a brute forcer for retrieving a 7z password? I have a password-protected 7z and forgot the password :(
As far as I know, no brute force tool has .7z support. Of course the fact that it doesn't will only encourage hackers to add support for it, especially as .7z support grows.
I just noticed at least one 3rd party app supports .7z now, ZipGenius. I wonder how long until a major app like WinZip adds support.
"and forgot the password :("
Is it poor?
Up to about 6 chars, all UPPER or all lower CaSe?
"I just noticed at least one 3rd party app supports .7z now, ZipGenius. I wonder how long until a major app like WinZip adds support."
Does winzip support rar?
Last I saw, WinZip supports neither RAR nor ACE.
I'm dead sold on 7-Zip because of its simplicity and its wide file support.