How many characters to make Winzip AES 256 unbreakable?

 
 
Zak
      05-13-2006
Winzip offers 256 bit AES. So do other apps.

If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
no specials then how many characters do I need to use to make AES 256
uncrackable by a brute force attack?

The info out there talks mainly of key length but I am not familiar with
this field and I can sense they are not talking about the length of the
password I am using.

There is a little bit here but it seems out of date:

<http://www.dekart.com/howto/howto_di...ecover_lost_pa
ssword/>

 
Richard Urban
      05-13-2006
Almost any encryption is breakable if you throw enough horse power at the
problem.

--
Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

"Zak" <(E-Mail Removed)> wrote in message
news:Xns97C2C5EBF7A9764A18E@127.0.0.1...
> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_di...ecover_lost_pa
> ssword/>
>



 
Imhotep
      05-13-2006
Zak wrote:

> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_di...ecover_lost_pa
> ssword/>


....nothing is unbreakable. The trick is to make it so difficult that it is not
worth the average hacker/cracker's time...

So, knowing that, the bigger (generally speaking) the password the better.
However, you also want to make it a non-dictionary word with a wide
variety of characters (alphanumeric, uppercase/lowercase, etc). The more
random looking the password the better...

-- Imhotep
 
Sebastian Gottschalk
      05-13-2006
Richard Urban wrote:
> Almost any encryption is breakable if you throw enough horse power at the
> problem.


MVP, hein? Where did you buy that title?
 
Steven L Umbach
      05-13-2006
AES encrypted files themselves are extremely secure if the decryption key is
not available, but in your case your password is the key. I am not sure
exactly how Winzip hashes the password, but take Windows XP as an example: you
need to use a complex password/pass phrase of at least 15 characters to
consider the password uncrackable by today's standards. Also keep in mind
that keyboard loggers are a risk in capturing your password that is a lot
easier than cracking a password. Keyboard loggers can be software or
hardware. --- Steve


"Zak" <(E-Mail Removed)> wrote in message
news:Xns97C2C5EBF7A9764A18E@127.0.0.1...
> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_di...ecover_lost_pa
> ssword/>
>



 
nemo_outis
      05-13-2006
Zak <(E-Mail Removed)> wrote in news:Xns97C2C5EBF7A9764A18E@127.0.0.1:

> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_di...ecover_lost_pa
> ssword/>
>


In general you want to make the password/passphrase as strong as the
underlying algorithm (256 bits in this case). With a character set of 62
characters (a-z upper & lower case plus 0-9) you want 62^n >= 2^256, where
n (an integer) is the number of random characters in the password.

A little math results in n = 43.

Regards,




 
Frazer Jolly Goodfellow
      05-14-2006
"nemo_outis" <(E-Mail Removed)> wrote in
news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:

> Zak <(E-Mail Removed)> wrote in
> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
>
>> Winzip offers 256 bit AES. So do other apps.
>>
>> If I use a password made up of ordinary characters (A-Z, a-z,
>> 0-9) with no specials then how many characters do I need to use
>> to make AES 256 uncrackable by a brute force attack?
>>
>> The info out there talks mainly of key length but I am not
>> familiar with this field and I can sense they are not talking
>> about the length of the password I am using.
>>
>> There is a little bit here but it seems out of date:
>>
>> <http://www.dekart.com/howto/howto_di.../howto_recover
>> _lost_pa ssword/>
>>

>
> In general you want to make the password/passphrase as strong as
> the underlying algorithm (256 bits in this case).


Please would you explain 'strong' in this context?


> With a
> character set of 62 characters (a-z upper & lower case plus 0-9)
> you want 62^n >= 2^256, where n (an integer) is the number of
> random characters in the password.


Why?


> A little math results in n = 43.


AIUI: given enough time a brute force attack will always succeed
eventually. What time frame is your estimation method based upon?

Other sources suggest very much lower numbers, including the OP
quoted source. Another example is
http://lastbit.com/rm_bruteforce.asp, which estimates that assuming
a brute force trial speed is 500,000 passwords per second, a random
9-character key of both lowercase and uppercase letters (i.e. 52
possibilities) would on average take 178 years to crack. Why is
there such a large discrepancy vs. your estimate?



 
Arthur T.
      05-14-2006
In Message-ID:<Xns97C2C5EBF7A9764A18E@127.0.0.1>,
Zak <(E-Mail Removed)> wrote:

>If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
>no specials then how many characters do I need to use to make AES 256
>uncrackable by a brute force attack?


Well, to make your password not the weak point, you need 43
totally random characters.

Here's how that's figured:

AES256 uses a 256-bit key. There are, therefore, 2**256 possible
keys.

26+26+10=62

62**43 is approximately 2**256

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a good MVS systems programmer position
 
nemo_outis
      05-14-2006
Frazer Jolly Goodfellow <(E-Mail Removed)> wrote in
news:Xns97C3A7C0B653frz@62.253.170.163:

> "nemo_outis" <(E-Mail Removed)> wrote in
> news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:
>
>> Zak <(E-Mail Removed)> wrote in
>> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
>>
>>> Winzip offers 256 bit AES. So do other apps.
>>>
>>> If I use a password made up of ordinary characters (A-Z, a-z,
>>> 0-9) with no specials then how many characters do I need to use
>>> to make AES 256 uncrackable by a brute force attack?
>>>
>>> The info out there talks mainly of key length but I am not
>>> familiar with this field and I can sense they are not talking
>>> about the length of the password I am using.
>>>
>>> There is a little bit here but it seems out of date:
>>>
>>> <http://www.dekart.com/howto/howto_di.../howto_recover
>>> _lost_pa ssword/>
>>>

>>
>> In general you want to make the password/passphrase as strong as
>> the underlying algorithm (256 bits in this case).

>
> Please would you explain 'strong' in this context?



Strong for a password means resistant to being found. If a password is
truly random there is no more efficient way to find it than brute force
(i.e., exhaustive search). While one could be unbelievably lucky and get
it on the first guess, in general (i.e., the expectational value) one
would need 2^255 guesses. There is NO possibility of doing that with any
computer that now exists or that will exist for the foreseeable future.

To illustrate, let's say, overly generously, that the fastest computer
today is capable of 1 petaflop (a quadrillion ops/second). Let's say it
could try one password guess per op. A trillion, trillion, trillion such
computers working for the 15 billion years the universe has been in
existence (since the big bang) would not have made a dent in the problem
(i.e., would only have looked at 1 one-billionth of 1 percent of the
possible passwords)! To me that seems strong enough!



>> With a
>> character set of 62 characters (a-z upper & lower case plus 0-9)
>> you want 62^n >= 2^256, where n (an integer) is the number of
>> random characters in the password.

>
> Why?



>> A little math results in n = 43.

>
> AIUI: given enough time a brute force attack will always succeed
> eventually. What time frame is your estimation method based upon?



No, brute force will NOT succeed! There isn't nearly enough time before
the heat death of the universe!

The fastest known computer would need a 100 billion, trillion, trillion,
trillion times the entire life of the universe!


> Other sources suggest very much lower numbers, including the OP
> quoted source. Another example is
> http://lastbit.com/rm_bruteforce.asp, which estimates that assuming
> a brute force trial speed is 500,000 passwords per second, a random
> 9-character key of both lowercase and uppercase letters (i.e. 52
> possibilities) would on average take 178 years to crack. Why is
> there such a large discrepancy vs. your estimate?



The explanation in two words, m'boy: Logarithms and exponents.
It's time you refreshed your memory regarding them.

A 43-character password (drawn from 52 possible characters) is NOT 5
times as hard to guess as a 9-character one. No, it is approximately ten
billion, trillion, trillion, trillion, trillion times as hard!

Regards,

 
nemo_outis
      05-14-2006
>
> To illustrate, let's say, overly generously, that the fastest computer
> today is capable of 1 petaflop (a quadrillion ops/second). Let's say
> it could try one password guess per op. A trillion, trillion, trillion
> such computers working for the 15 billion years the universe has been
> in existence (since the big bang) would not have made a dent in the
> problem (i.e., would only have looked at 1 one-billionth of 1 percent
> of the possible passwords)! To me that seems strong enough!


Whoops - make that 1 one-millionth of 1 percent. I should know better than
to trust my calculating after two glasses of Montrachet.

Regards,
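
The sizing argument made in the replies above (62^n >= 2^256, hence n = 43) and the brute-force time comparison, as an added example that is not part of any poster's message; it generalizes to any alphabet size, key size and guess rate. The function names are illustrative, and the attacker model in the demo reuses the thread's figures (10^15 guesses per second for 15 billion years).

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # the 62 characters from the thread
SECONDS_PER_YEAR = 365 * 24 * 3600

def min_length(alphabet_size, target):
    """Smallest n with alphabet_size**n >= target (exact integer arithmetic)."""
    n, space = 0, 1
    while space < target:
        space *= alphabet_size
        n += 1
    return n

def length_for_key(alphabet_size, key_bits=256):
    """Password length at which guessing passwords is no easier than guessing keys."""
    return min_length(alphabet_size, 2 ** key_bits)

def effective_bits(alphabet_size, length, key_bits=256):
    """Work factor in bits: the smaller of the password space and the key space."""
    return min(key_bits, length * math.log2(alphabet_size))

def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Years to try every password of exactly this length at a fixed guess rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR

def length_for_years(alphabet_size, guesses_per_second, years):
    """Shortest length whose full search takes at least `years` at that rate."""
    return min_length(alphabet_size, guesses_per_second * SECONDS_PER_YEAR * years)

def random_password(length, alphabet=ALNUM):
    """Uniformly random password from a CSPRNG; the estimates above assume this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("length matching a 256-bit key:", length_for_key(len(ALNUM)))
    for n in (9, 15, 22, 43):
        print(n, "chars ->", round(effective_bits(62, n), 1), "bits")
    # Figures from the thread: 10**15 guesses/s sustained for 15 billion years.
    print("length to outlast it:", length_for_years(62, 10**15, 15 * 10**9))
    print("sample:", random_password(length_for_key(62)))
```

These numbers hold only for characters chosen uniformly at random; a password a person made up has far less entropy per character than log2 of the alphabet size.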


 