Jump to content
Tuts 4 You
Sign in to follow this  
LCF-AT

Is using WinRar enough to encrypt files?

Recommended Posts

LCF-AT

Hi guys,

I have a small question again.I was playing around and found some older compressed rar archive I made years ago and which I did protected with a password I dont remember anymore.For some archives I can see the files inside and in some others not (used encrypt filename option in Winrar).Now I thought about it how save it is to use Winrar alone to use it as compression / encryption etc.How save it is?Is there any method to find out passwords for archives or is it really save = no chance to get the password out = I can throw away the old archives?

What about some bruteforce methods trying to use tons of combination?So I remember I was mostly using any short passwords like 3-6 letters or signs.Is it in this case more simple to find out the password?Yes of course I know all talking about it to use any long passwords with special signs inside etc but its also harder to remember it later again.

Just would like to know whether its enough to use Winrar itself to encrypt (compress) some files instead using any another extra encrypt app etc.I think they do same just without to compress right?So if you say Winrar is enough to use for myself (dont need any extra app) so what would you then suggest about using passwords?Something like 123 not of course but 321 or any else simple passwords?Lets say I wanna use maxmimal 3 diffrent passwords which should be save but also simple to remember and of course in my case I mean very simple to remember you know.Do you have some hints for this maybe?

greetz

Share this post


Link to post
whoknows
https://stackoverflow.com/questions/3817941/rar-passwords-why-dont-rainbow-tables-work

 

  • Like 2

Share this post


Link to post
Kurapica

I think it's more than enough until quantum computing becomes mainstream, most of us will be dust when that happens :D

  • Like 1

Share this post


Link to post
Progman
Posted (edited)

Yes it is based on AES-128 and AES-256 so its very secure.  Quantum computing may just be a pipe dream - it is still far from guaranteed.  Perhaps if cryptanalytic weaknesses are found in AES, it could also change things though its been studied by many mathematicians for many years without much progress.

 

Short passwords especially will become vulnerable however.  Remember there are now processor intrinsic for AES (https://en.wikipedia.org/wiki/AES_instruction_set), and if a special GPU-like hardware were fabricated, its possible you could do reasonably serious attacks on AES.  Modern nVidia GTX now allow for integer operations in the streaming units so extremely high throughput is already possible there.  Furthermore, government agencies may have massive amounts of hardware to do just that.  But most people cannot foot the bill for the special hardware let alone the power consumption requirements needed to run it.  Certainly I would not believe the absurdly outdated time required information on WinRAR's website (https://www.win-rar.com/enc_faq.html?&L=0#c7723).  100 times faster or 1000 times faster by now without much doubt depending on environment and method.

Edited by Progman (see edit history)
  • Like 1

Share this post


Link to post
LCF-AT

Hi guys,

thanks for your answers so far.Ok so you mean WinRar is ok enough so far = I can also forget to find any way to find out some passwords for some of my old rar pass protected rar archives. :) So in this case I can really throw them away now.

greetz

Share this post


Link to post
kao
Posted (edited)
On 8/12/2019 at 9:13 PM, LCF-AT said:

I was mostly using any short passwords like 3-6 letters or signs.Is it in this case more simple to find out the password?

If that's the case, that's breakable. For RAR the most efficient attacks are bruteforce, and it's much much faster to bruteforce 6-symbol password than 12... :)

You can try freeware cRARk (http://www.crark.net) or pirated Passware Kit to crack your passwords. Depending on your CPU/GPU, it might take few hours/days but that's certainly doable.

 

EDIT: just to give you an example, my (quite outdated) PC can try 4500 passwords/second using cRARk.
For the example, there are 26 capital letters, 26 lowercase letters and 10 numbers. So, 62 different characters.
If it's a 4-symbol password, it's 62*62*62*62=14776336 possibilities. To try them all, it would take 3283 seconds, or 54 minutes.
If it's a 6-symbol password, it's 62*62*62*62*62*62=56800235584 possibilites. That would be 144 days to try them all.

If you know you used a word from dictionary, it's much easier to try all words from dictionary. If you used l33t sp34k, that's also a good information. If you know that you always put first capital letter, that's useful. And so on. Read the manual, make the most efficient rules for bruteforce and just try.. :)

 

Edited by kao (see edit history)
  • Like 4

Share this post


Link to post
Hookahice

Using cRARk with my GeForce RTX 2080 Ti, you can get around:

dM4BRDn.png

So if your password is pretty short, bruteforcing is an option for you...

-HooK

  • Like 2

Share this post


Link to post
Kurapica

Nice GPU you got there, does it run "mines sweeper" at 60 FPS ? :D

  • Haha 2

Share this post


Link to post
LCF-AT

Hi guys,

oh la la!Thanks for that new infos.I tried for fun this tool you talked about kao and made first some test rar files with short 3 letter / digits passwords and the tool found it out very quickly!Wow!I didnt expected this.So I see using short passwords isnt a very good choice to protect files if they should be keep protected if its needed for any reason.

Question: So what kind of password would be a really good one using the lowest lenght?So you said a lenght of minmum 6 would take 144 +/- days right.What passwords are you using kao? 😀  So I think I need to find any good mixed password with symbols / signs but also one which I do remember later again or maybe just a long set or quote.

I think nobody can remember passwords like $&9(S$%EKNm which looks strong.Or maybe using some letters which are not used in other most languages would be also good like ßÄüÖ.Hhhmm.

One more question about this tool and the password.def file where I need to enter for what it should check for.I think its only helpfully if I know what letter / signs I did use in my own passwords right.

Example: If I know my password used only digits then I should only set $1 into like this...

# Password definition
[$1] *

...or this...

# Password definition
[$1 $a $A $!] *

..for digits,lower,upper case letters & extraterrestrial signs / symbols. :) Password like 1_Az for example.Lets say I dont know anything about the used password so then I should use just a ? like this...

# Password definition
[?] *

....and in commandline using -l1 -g127 for min & max lenght to check for also if it could take 100 years (+/- few seconds). :)

What is if I use a 100 byte lenght password?Just entering 0123456789 copy this and just paste another 9 times + any symbol after like this ' or just entering the second keyboard line from left to right ^1234567890ß´.Anyway,just thinking around you know.

greetz

Share this post


Link to post
Rever7eR

hello , you can use " crunch " to generate a custom wordlist then change " rar " files extention to " zip " and finally you can use " fcrackzip " , all what i've mentioned is available on " kali linux OS " 

Greetz 

  • Like 1

Share this post


Link to post
Progman

At a long enough password length, even with enormous computing power, one is more likely to find a collision than the original password.  After more than 2^128 combinations are tried for the example AES-128 HMAC used.   However since the character set is limited, its not exactly clear which passwords might have shorter length collisions and using which other character set.  As well depending on the decryption algorithm, the collision password may not correctly decrypt.  Keep in mind that the verification algorithm and decryption algorithm are 2 different things.  The verification part is merely to save the trouble of decrypting garbage data and a mere convenience.  Old WinRAR versions would just extract without checking validity.  In these cases an automated attack would require knowing something about the decrypted data that could be verified for correctness.

Unless pre-image attacks against AES become available or quantum computers then simply an 8 character password dictionary resistant with a good enough character set is enough for most usages.  If you are worried about the NSA, then probably you would want to use something completely different given they are famous for backdooring algorithms and AES was standardized in part by them.

  • Like 1

Share this post


Link to post
ritalin_

Well, from the basics I know (regarding ssl).... AES is the only useful... the best...end end with aes would be cool ::P

Share this post


Link to post
ritalin_

Well, from the basics I know (regarding ssl).... AES is the only useful... the best...end end with aes would be cool ::P

 

 

....and.,... please try not to use winrar, it is closed-source software.... if you like cracking then obviously use open-source systems and share open systems/codes/... etc

Read up on the GNU operating system

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...