Winzip offers 256 bit AES. So do other apps.

If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
no specials then how many characters do I need to use to make AES 256
uncrackable by a brute force attack?

The info out there talks mainly of key length but I am not familiar with
this field and I can sense they are not talking about the length of the
password I am using.

There is a little bit here but it seems out of date:

<http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>

Re: How many characters to make Winzip AES 256 unbreakable? by Richard

Richard
Sat May 13 13:50:55 CDT 2006

Almost any encryption is breakable if you throw enough horse power at the
problem.

--
Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

"Zak" <duff@nomail.invalid> wrote in message
news:Xns97C2C5EBF7A9764A18E@127.0.0.1...
> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>
>



Re: How many characters to make Winzip AES 256 unbreakable? by Imhotep

Imhotep
Sat May 13 15:11:25 CDT 2006

Zak wrote:

> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>

...nothing is unbreakable. The trick is to make it so difficult that it is not
worth the average hacker's/cracker's time...

So, knowing that, the bigger (generally speaking) the password the better.
However, you also want to make it a non-dictionary word with a wide
variety of characters (alphanumeric, uppercase/lowercase, etc). The more
random looking the password the better...

-- Imhotep

Re: How many characters to make Winzip AES 256 unbreakable? by Sebastian

Sebastian
Sat May 13 15:13:27 CDT 2006

Richard Urban wrote:
> Almost any encryption is breakable if you throw enough horse power at the
> problem.

MVP, hein? Where did you buy that title?

Re: How many characters to make Winzip AES 256 unbreakable? by Steven

Steven
Sat May 13 15:23:17 CDT 2006

AES encrypted files themselves are extremely secure if the decryption key is
not available, but in your case your password is the key. I am not sure
exactly how Winzip hashes the password, but taking Windows XP as an example, you
need to use a complex password/pass phrase of at least 15 characters to
consider the password uncrackable by today's standards. Also keep in mind
that keyboard loggers are a risk: capturing your password that way is a lot
easier than cracking a password. Keyboard loggers can be software or
hardware.

--- Steve


"Zak" <duff@nomail.invalid> wrote in message
news:Xns97C2C5EBF7A9764A18E@127.0.0.1...
> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>
>



Re: How many characters to make Winzip AES 256 unbreakable? by nemo_outis

nemo_outis
Sat May 13 17:23:18 CDT 2006

Zak <duff@nomail.invalid> wrote in news:Xns97C2C5EBF7A9764A18E@127.0.0.1:

> Winzip offers 256 bit AES. So do other apps.
>
> If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
> no specials then how many characters do I need to use to make AES 256
> uncrackable by a brute force attack?
>
> The info out there talks mainly of key length but I am not familiar with
> this field and I can sense they are not talking about the length of the
> password I am using.
>
> There is a little bit here but it seems out of date:
>
> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>
>

In general you want to make the password/passphrase as strong as the
underlying algorithm (256 bits in this case). With a character set of 62
characters (a-z upper & lower case plus 0-9) you want 62^n >= 2^256, where
n (an integer) is the number of random characters in the password.

A little math results in n = 43.

Regards,





Re: How many characters to make Winzip AES 256 unbreakable? by Frazer

Frazer
Sat May 13 19:02:47 CDT 2006

"nemo_outis" <abc@xyz.com> wrote in
news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:

> Zak <duff@nomail.invalid> wrote in
> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
>
>> Winzip offers 256 bit AES. So do other apps.
>>
>> If I use a password made up of ordinary characters (A-Z, a-z,
>> 0-9) with no specials then how many characters do I need to use
>> to make AES 256 uncrackable by a brute force attack?
>>
>> The info out there talks mainly of key length but I am not
>> familiar with this field and I can sense they are not talking
>> about the length of the password I am using.
>>
>> There is a little bit here but it seems out of date:
>>
>> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>
>>
>
> In general you want to make the password/passphrase as strong as
> the underlying algorithm (256 bits in this case).

Please would you explain 'strong' in this context?


> With a
> character set of 62 characters (a-z upper & lower case plus 0-9)
> you want 62^n >= 2^256, where n (an integer) is the number of
> random characters in the password.

Why?


> A little math results in n = 43.

AIUI: given enough time a brute force attack will always succeed
eventually. What time frame is your estimation method based upon?

Other sources suggest very much lower numbers, including the OP
quoted source. Another example is
http://lastbit.com/rm_bruteforce.asp, which estimates that assuming
a brute force trial speed is 500,000 passwords per second, a random
9-character key of both lowercase and uppercase letters (i.e. 52
possibilities) would on average take 178 years to crack. Why is
there such a large discrepancy vs. your estimate?




Re: How many characters to make Winzip AES 256 unbreakable? by nemo_outis

nemo_outis
Sat May 13 23:24:47 CDT 2006

Frazer Jolly Goodfellow <no-spam@hotmail.com> wrote in
news:Xns97C3A7C0B653frz@62.253.170.163:

> "nemo_outis" <abc@xyz.com> wrote in
> news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:
>
>> Zak <duff@nomail.invalid> wrote in
>> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
>>
>>> Winzip offers 256 bit AES. So do other apps.
>>>
>>> If I use a password made up of ordinary characters (A-Z, a-z,
>>> 0-9) with no specials then how many characters do I need to use
>>> to make AES 256 uncrackable by a brute force attack?
>>>
>>> The info out there talks mainly of key length but I am not
>>> familiar with this field and I can sense they are not talking
>>> about the length of the password I am using.
>>>
>>> There is a little bit here but it seems out of date:
>>>
>>> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>
>>>
>>
>> In general you want to make the password/passphrase as strong as
>> the underlying algorithm (256 bits in this case).
>
> Please would you explain 'strong' in this context?


Strong for a password means resistant to being found. If a password is
truly random there is no more efficient way to find it than brute force
(i.e., exhaustive search). While one could be unbelievably lucky and get
it on the first guess, in general (i.e., the expectational value) one
would need 2^255 guesses. There is NO possibility of doing that with any
computer that now exists or that will exist for the foreseeable future.

To illustrate, let's say, overly generously, that the fastest computer
today is capable of 1 petaflop (a quadrillion ops/second). Let's say it
could try one password guess per op. A trillion, trillion, trillion such
computers working for the 15 billion years the universe has been in
existence (since the big bang) would not have made a dent in the problem
(i.e., would only have looked at 1 one-billionth of 1 percent of the
possible passwords)! To me that seems strong enough!



>> With a
>> character set of 62 characters (a-z upper & lower case plus 0-9)
>> you want 62^n >= 2^256, where n (an integer) is the number of
>> random characters in the password.
>
> Why?


>> A little math results in n = 43.
>
> AIUI: given enough time a brute force attack will always succeed
> eventually. What time frame is your estimation method based upon?


No, brute force will NOT succeed! There isn't nearly enough time before
the heat death of the universe!

The fastest known computer would need a 100 billion, trillion, trillion,
trillion times the entire life of the universe!


> Other sources suggest very much lower numbers, including the OP
> quoted source. Another example is
> http://lastbit.com/rm_bruteforce.asp, which estimates that assuming
> a brute force trial speed is 500,000 passwords per second, a random
> 9-character key of both lowercase and uppercase letters (i.e. 52
> possibilities) would on average take 178 years to crack. Why is
> there such a large discrepancy vs. your estimate?


The explanation in two words, m'boy: Logarithms and exponents.
It's time you refreshed your memory regarding them.

A 43-character password (drawn from 52 possible characters) is NOT 5
times as hard to guess as a 9-character one. No, it is approximately ten
billion, trillion, trillion, trillion, trillion times as hard!

Regards,


Re: How many characters to make Winzip AES 256 unbreakable? by nemo_outis

nemo_outis
Sat May 13 23:48:51 CDT 2006

>
> To illustrate, let's say, overly generously, that the fastest computer
> today is capable of 1 petaflop (a quadrillion ops/second). Let's say
> it could try one password guess per op. A trillion, trillion, trillion
> such computers working for the 15 billion years the universe has been
> in existence (since the big bang) would not have made a dent in the
> problem (i.e., would only have looked at 1 one-billionth of 1 percent
> of the possible passwords)! To me that seems strong enough!

Whoops - make that 1 one-millionth of 1 percent. I should know better than
to trust my calculating after two glasses of Montrachet :-).

Regards,



Re: How many characters to make Winzip AES 256 unbreakable? by Frazer

Frazer
Sun May 14 08:56:18 CDT 2006

"nemo_outis" <abc@xyz.com> wrote in
news:Xns97C2E3FFB9A8Fabcxyzcom@204.153.244.170:

> Frazer Jolly Goodfellow <no-spam@hotmail.com> wrote in
> news:Xns97C3A7C0B653frz@62.253.170.163:
>
>> "nemo_outis" <abc@xyz.com> wrote in
>> news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:
>>
>>> Zak <duff@nomail.invalid> wrote in
>>> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
>>>
>>>> Winzip offers 256 bit AES. So do other apps.
>>>>
>>>> If I use a password made up of ordinary characters (A-Z, a-z,
>>>> 0-9) with no specials then how many characters do I need to
>>>> use to make AES 256 uncrackable by a brute force attack?
>>>>
>>>> The info out there talks mainly of key length but I am not
>>>> familiar with this field and I can sense they are not talking
>>>> about the length of the password I am using.
>>>>
>>>> There is a little bit here but it seems out of date:
>>>>
>>>> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/>
>>>>
>>>
>>> In general you want to make the password/passphrase as strong
>>> as the underlying algorithm (256 bits in this case).
>>
>> Please would you explain 'strong' in this context?
>
>
> Strong for a password means resistant to being found. If a
> password is truly random there is no more efficient way to find
> it than brute force (i.e., exhaustive search). While one could
> be unbelievably lucky and get it on the first guess, in general
> (i.e., the expectational value) one would need 2^255 guesses.
> There is NO possibility of doing that with any computer that now
> exists or that will exist for the foreseeable future.
>
> To illustrate, let's say, overly generously, that the fastest
> computer today is capable of 1 petaflop (a quadrillion
> ops/second). Let's say it could try one password guess per op.
> A trillion, trillion, trillion such computers working for the 15
> billion years the universe has been in existence (since the big
> bang) would not have made a dent in the problem (i.e., would
> only have looked at 1 one-billionth of 1 percent of the possible
> passwords)! To me that seems strong enough!
>

Slight overkill IMO.

>
>>> With a
>>> character set of 62 characters (a-z upper & lower case plus
>>> 0-9) you want 62^n >= 2^256, where n (an integer) is the
>>> number of random characters in the password.
>>
>> Why?
>
>>> A little math results in n = 43.
>>
>> AIUI: given enough time a brute force attack will always
>> succeed eventually. What time frame is your estimation method
>> based upon?
>
> No, brute force will NOT succeed! There isn't nearly enough time
> before the heat death of the universe!

I *did* qualify my point - "given enough time... ...eventually". I'm
impressed with your confidence in our knowledge of the lifetime of
the universe - but I bet you are wrong.

>
> The fastest known computer would need a 100 billion, trillion,
> trillion, trillion times the entire life of the universe!
>
>
>> Other sources suggest very much lower numbers, including the OP
>> quoted source. Another example is
>> http://lastbit.com/rm_bruteforce.asp, which estimates that
>> assuming a brute force trial speed is 500,000 passwords per
>> second, a random 9-character key of both lowercase and
>> uppercase letters (i.e. 52 possibilities) would on average take
>> 178 years to crack. Why is there such a large discrepancy vs.
>> your estimate?
>
>
> The explanation in two words, m'boy: Logarithms and exponents.
> It's time you refreshed your memory regarding them.

Patronising git.

> A 43-character password (drawn from 52 possible characters) is
> NOT 5 times as hard to guess as a 9-character one.

I did not say that it is - you misunderstood my point, see below.

> No, it is
> approximately ten billion, trillion, trillion, trillion,
> trillion times as hard!

...I'm well aware of that, also of overkill.

I was seeking information on what underlying assumptions you were
making, given you'd not mentioned *time* as a factor, and also
where you'd plucked 43 from. Other sources variously suggest that a
key length of 8-20 random characters [from 62 possibilities] is
sufficient for the key to be practically uncrackable for most
people's purposes - i.e. crack times of 10's of years with
practically available resources.



Re: How many characters to make Winzip AES 256 unbreakable? by nemo_outis

nemo_outis
Sun May 14 09:33:24 CDT 2006

Frazer Jolly Goodfellow <no-spam@hotmail.com> wrote in
news:Xns97C397E0D61C0frz@62.253.170.163:

>>> Please would you explain 'strong' in this context?
>>
>> Strong for a password means resistant to being found. If a
>> password is truly random there is no more efficient way to find
>> it than brute force (i.e., exhaustive search). While one could
>> be unbelievably lucky and get it on the first guess, in general
>> (i.e., the expectational value) one would need 2^255 guesses.
>> There is NO possibility of doing that with any computer that now
>> exists or that will exist for the foreseeable future.
>>
>> To illustrate, let's say, overly generously, that the fastest
>> computer today is capable of 1 petaflop (a quadrillion
>> ops/second). Let's say it could try one password guess per op.
>> A trillion, trillion, trillion such computers working for the 15
>> billion years the universe has been in existence (since the big
>> bang) would not have made a dent in the problem (i.e., would
>> only have looked at 1 one-billionth of 1 percent of the possible
>> passwords)! To me that seems strong enough!

> Slight overkill IMO.


Then WTF do you want a 256-bit algorithm like AES?
However, if you do choose such an algorithm you should choose an
equivalently hard password.


>> The explanation in two words, m'boy: Logarithms and exponents.
>> It's time you refreshed your memory regarding them.

> Patronising git.


Moronic git.


>> A 43-character password (drawn from 52 possible characters) is
>> NOT 5 times as hard to guess as a 9-character one.
> I did not say that it is - you misunderstood my point, see below.
>
>> No, it is
>> approximately ten billion, trillion, trillion, trillion,
>> trillion times as hard!

> ...I'm well aware of that, also of overkill.


No, you weren't well aware of it; otherwise you would never have asked
your moronic questions. And no one but a moron who completely
misunderstood the problem (i.e., you!) would have said (as you did!) that
brute force could crack such a password.


> I was seeking information on what underlying assumptions you were
> making, given you'd not mentioned *time* as a factor, and also
> where you'd plucked 43 from. Other sources variously suggest that a
> key length of 8-20 random characters [from 62 possibilities] is
> sufficient for the key to be practically uncrackable for most
> people's purposes - i.e. crack times of 10's of years with
> practically available resources.


Where I "plucked" 43 from? You moron, I laid out the calculation in
black and white. However, I clearly didn't make sufficient allowance
for your stupidity in not being able to perform simple math. Should I
pre-chew your food for you, too?

So, once again: despite whatever you may have read, the best plan is to
make sure that the password is not weaker than the algorithm.

Regards,


Re: How many characters to make Winzip AES 256 unbreakable? by Sebastian

Sebastian
Sun May 14 09:43:02 CDT 2006

nemo_outis wrote:

> Then WTF do you want a 256-bit algorithm like AES?

- reserves against future attacks
- security against quantum computational attacks

> However, if you do choose such an algorithm you should choose an
> equivalently hard password.

Better: passphrase!

BTW, key strengthening exists and it's stupid that WinZip does not make
use of it. But their implementation is b0rken anyway.

> So, once again: despite whatever you may have read, the best plan is to
> make sure that the password is not weaker than the algorithm.

Only if your goal is to not let the passphrase be the weakest link. A
noble, but uncommon and impractical goal.

Re: How many characters to make Winzip AES 256 unbreakable? by nemo_outis

nemo_outis
Sun May 14 10:11:36 CDT 2006

Sebastian Gottschalk <seppi@seppig.de> wrote in news:4cou00F16qrdoU1
@news.dfncis.de:

> nemo_outis wrote:
>
>> Then WTF do you want a 256-bit algorithm like AES?
>
> - reserves against future attacks
> - security against quantum computational attacks


The first point was discussed here recently (including input from me).
As for the second point: if quantum computing is feasible AES256 will
likely be insufficient for long-term use. To a first approximation
quantum computing will halve the "effective" length of symmetric
algorithms like AES (i.e. square-root time) with AES256 effectively
reduced to AES128 in strength. (Quantum computing will be more ominous
for asymmetric ciphers, breaking (some of) them nearly instantaneously.)


>> However, if you do choose such an algorithm you should choose an
>> equivalently hard password.
>
> Better: passphrase!


The question was posed and the answer (and supporting math) was presented
in terms of strings of random characters: passwords.

However, I do agree that passphrases are preferable where human memory
comes into play. Constructing them raises other issues, issues which I
have discussed here before but not recently.


> BTW, key strengthening exists and it's stupid that WinZip does not make
> use of it. But their implementation is b0rken anyway.
>
>> So, once again: despite whatever you may have read, the best plan is to
>> make sure that the password is not weaker than the algorithm.

> Only if your goal is to not let the passphrase be the weakest link. A
> noble, but uncommon and impractical goal.


It seems more than a little imprudent to gratuitously weaken one's
security by picking a password weaker than the underlying algorithm,
especially if the reason is nothing more than illusory convenience.
(Memorizing, say, a 30-character random string seems to me every bit as
impractical and no more convenient for most humans as memorizing a 43-
character one.)

It does not require great nobility and it is entirely practical to
support passwords/passphrases with strength at least equivalent to the
underlying algorithm. Many current encryption packages provide exactly
this feature, and do so in large part for the reasons I have described.

Regards,

Re: How many characters to make Winzip AES 256 unbreakable? by Sebastian

Sebastian
Sun May 14 10:28:15 CDT 2006

nemo_outis wrote:

> The question was posed and the answer (and supporting math) was presented
> in terms of strings of random characters: passwords.

Or you could simply use the key and express it with printable characters...

> It seems more than a little imprudent to gratuitously weaken one's
> security by picking a password weaker than the underlying algorithm,
> especially if the reason is nothing more than illusory convenience.

'weaken' is probably the wrong term, 'not achieving' proposes the
problem much better. The security is always min(user,system), so the
weakest one will always weaken the stronger one. You cannot simply tell
that the system is already given and the user has to adapt to it, but
the user is given as well.

Re: How many characters to make Winzip AES 256 unbreakable? by Aaron

Aaron
Sun May 14 15:17:31 CDT 2006

> To illustrate, let's say, overly generously, that the fastest computer
> today is capable of 1 petaflop (a quadrillion ops/second). Let's say it
> could try one password guess per op. A trillion, trillion, trillion such
> computers working for the 15 billion years the universe has been in
> existence (since the big bang) would not have made a dent in the problem
> (i.e., would only have looked at 1 one-billionth of 1 percent of the
> possible passwords)! To me that seems strong enough!
>
> With a character set of 62 characters (a-z upper & lower case plus 0-9)
> you want 62^n >= 2^256, where n (an integer) is the number of
> random characters in the password.

Using your numbers, 62 characters, 10^15 guesses per second "brute
force", and no timeouts for incorrect guesses. Adjust times by dividing
by the number of such computers guessing.

For one PetaFlop computer:

8 or less characters takes less than 1 second
9 characters takes 13.5 seconds
10 characters takes ~14 minutes
11; ~14.5 hours
12; ~3.7 days
13; ~6.4 years
14; 393 years
15; 24,365 years
16; 1,510,647 years
17; 93,660,129 years
18; 5.807E+9 years
Note: per wikipedia, age of Earth = 4.55E+9 years,
age of the universe is ~13.7E+9 years.
19; 3.600E+11 years
20; 2.232E+13 years
.
.
.
43; 3.747E+54 years (a trillion, trillion,trillion would
need 3.747E+18 years)

Statistically, in multiple attempts, it would be expected that the runs
would average 1/2 of a full run as given above (sometimes it would be
quick, sometimes loooong, and distributed as randomly as the randomness
of the password).

The key point being that each additional character means a brute force
attack requires 62 times longer than the previous. Key loggers and such
eliminate the guessing, obviously.

BTW, I like your 'put it in a secure envelope' method.

--
I'm glad my Mom named me Aaron,
That's what everybody calls me.
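
The arithmetic behind nemo_outis's 62^n >= 2^256 figure and Aaron's table above, as an added example (not code from any poster in this thread). It assumes uniformly random passwords, one guess per operation at the thread's 10^15 guesses per second, and a 365.25-day year; all function names are made up for this illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400  # assumption: Julian year


def min_length(charset_size: int, key_bits: int) -> int:
    """Smallest n with charset_size**n >= 2**key_bits.

    Exact integer arithmetic, so there is no float rounding near the boundary
    (256 / log2(62) is 42.995, very close to an integer).
    """
    target, space, n = 1 << key_bits, 1, 0
    while space < target:
        space *= charset_size
        n += 1
    return n


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def effective_bits(charset_size: int, length: int, key_bits: int) -> float:
    """Attack cost is capped by the weaker of password and cipher key,
    the min(user, system) point made earlier in the thread."""
    return min(entropy_bits(charset_size, length), float(key_bits))


def sweep_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of exactly `length` characters.

    The expected time to hit one random password is half of this.
    """
    return charset_size ** length / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.4g} {unit}"
    return f"{seconds:.4g} seconds"


def sweep_table(charset_size, lengths, guesses_per_second):
    """Rows of (length, entropy bits, full sweep, expected time)."""
    rows = []
    for n in lengths:
        full = sweep_seconds(charset_size, n, guesses_per_second)
        rows.append((n, round(entropy_bits(charset_size, n), 1),
                     humanize(full), humanize(full / 2)))
    return rows


if __name__ == "__main__":
    CHARSET, RATE, KEY_BITS = 62, 1e15, 256  # values used in the thread
    print(f"characters needed to match a {KEY_BITS}-bit key:",
          min_length(CHARSET, KEY_BITS))
    print(f"{'len':>3} {'bits':>6}  {'full sweep':<18} expected")
    for n, bits, full, avg in sweep_table(CHARSET, list(range(8, 21)) + [43], RATE):
        print(f"{n:>3} {bits:>6}  {full:<18} {avg}")
```

Run as a script, it prints rows for lengths 8 to 20 and 43; the 12-character row comes out at about 37 days for a full sweep.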

Re: How many characters to make Winzip AES 256 unbreakable? by Alun

Alun
Thu May 18 20:40:36 CDT 2006

Richard Urban wrote:
> Almost any encryption is breakable if you throw enough horse power at
> the problem.

And if the hacker's really lucky and really random, there's always a chance
he'll hit it with his first guess :-)

Cryptography is a game of probability - the times given to crack a password
using brute-force are average times given random guessing against a randomly
chosen password. Passwords are not randomly chosen, the guesses are not
random, and sometimes a hacker just plain gets lucky.

There is no unbreakable cryptography.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.