Bitcoin Forum
Topic: Is a passworded WINRAR file an effective encryption method?
Fuzzy
June 29, 2011, 10:52:18 AM
 #1

This friend I know Roll Eyes is using WinRAR to encrypt his wallets with fairly long passwords.
How secure is WinRAR's password encryption, and what's the next most convenient and more reliable form of file encryption?
SomeoneWeird
June 29, 2011, 10:57:02 AM
 #2

WinRAR uses an ineffective encryption standard (afaik). Tell him to use truecrypt.
Sukrim
June 29, 2011, 10:59:36 AM
 #3

> WinRAR uses an ineffective encryption standard (afaik).

128bit AES... yeah, sure - very ineffective. NOT!

SomeoneWeird
June 29, 2011, 11:02:30 AM
 #4

>> WinRAR uses an ineffective encryption standard (afaik).
>
> 128bit AES... yeah, sure - very ineffective. NOT!

Ok gosh, they didn't use AES last time I used it.
XIU
June 29, 2011, 11:26:04 AM
 #5

>>> WinRAR uses an ineffective encryption standard (afaik).
>>
>> 128bit AES... yeah, sure - very ineffective. NOT!
>
> Ok goshh, they didn't use aes last time I used it.

It has changed since v3.0, so together with a strong password, it'll be secure enough for some time Smiley
BitcoinPorn
June 29, 2011, 11:31:28 AM
 #6

Go with TrueCrypt.

I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop.   I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.

Fuzzy
June 29, 2011, 11:32:59 AM
 #7

> Go with TrueCrypt.
>
> I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.

Well, just in case my grandma wants to brute force it  Cheesy
XIU
June 29, 2011, 11:41:12 AM
 #8

> Go with TrueCrypt.
>
> I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.

Only annoying part is that you have to create a volume that is big enough, because re-sizing isn't really possible (I've seen somewhere about someone having a 150MB+ wallet.dat file)
SomeoneWeird
June 29, 2011, 11:44:58 AM
 #9

>> Go with TrueCrypt.
>>
>> I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.
>
> Only annoying part is that you have to create a volume that is big enough, because re-sizing isn't really possible (I've seen somewhere about someone having a 150MB+ wallet.dat file)

Just create a 1 GB volume and have the entire bitcoin datadir in that.
JoelKatz
June 29, 2011, 11:50:44 AM
 #10

> This friend I know Roll Eyes is using WinRAR to encrypt his wallets with fairly long passwords.
> How secure is WinRAR's password encryption, and what's the next most convenient and more reliable form of file encryption?

How long is fairly long? The weak link would be a brute-force attack, and the plausibility of that will directly depend on how many passwords someone would have to try to get to his. There already exists hardware used by law enforcement to brute force WinRAR passwords.
http://www.forensic-computers.com/TACC1441.php

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
nosfera2
June 29, 2011, 11:56:40 AM
 #11

7-Zip has 256 bit AES. I'm using that with an 18 char password and storing my wallet completely and permanently offline, so I'm sleeping pretty well at night Wink

Now I just have to fill it with a few BTC haha!
JoelKatz
June 29, 2011, 12:09:55 PM
 #12

> 7-Zip has 256 bit AES. I'm using that with an 18 char password and storing my wallet completely and permanently offline, so I'm sleeping pretty well at night Wink
>
> Now I just have to fill it with a few BTC haha!

7-Zip uses iterated SHA-256 as its key derivation function. This is weak against hardware brute force attacks. If your password really is 18 randomish characters, you should be fine. If it's one English word with a few digits before or after it, you are theoretically vulnerable to that kind of attack.

On the bright side, you don't really have to worry about someone stealing your wallet today and then breaking it in ten years when the computing power is available to do so. Shortly before the time any encryption scheme you ever used to protect your wallet becomes vulnerable to an attack (due to increasing computing power, a newly-discovered flaw, or whatever), you can simply transfer all your BitCoins to a brand new wallet using an encryption scheme that is stronger.

da2ce7
June 29, 2011, 12:21:04 PM
 #13

WINRAR is fine... providing you use a secure password...

The password search space for an Uppercase, Lowercase, Digit, and Symbols 12 digit password is 5.46 x 10^23

That would take over 100 years at one hundred trillion guesses per second.  (10x the power of the entire bitcoin network).

useful link: https://www.grc.com/%5Chaystack.htm

One off NP-Hard.
nosfera2
June 29, 2011, 12:27:46 PM
 #14

> 7-Zip uses iterated SHA-256 as its key derivation function. This is weak against hardware brute force attacks. If your password really is 18 randomish characters, you should be fine. If it's one English word with a few digits before or after it, you are theoretically vulnerable to that kind of attack.

Are you sure? The version I have (Ver 9.20) says AES-256. And yes, 18 random chars.
JoelKatz
June 29, 2011, 12:28:45 PM
 #15

> The password search space for an Uppercase, Lowercase, Digit, and Symbols 12 digit password is 5.46 x 10^23
>
> That would take over 100 years at one hundred trillion guesses per second. (10x the power of the entire bitcoin network).

Provided you understand the difference between '!HackZl0l' (awful), '1naHTG?pw77' (just good enough for now), and '34rW0,3iviQ!' (good enough for the next 30 years for sure).

JoelKatz
June 29, 2011, 12:29:35 PM
 #16

>> 7-Zip uses iterated SHA-256 as its key derivation function. This is weak against hardware brute force attacks. If your password really is 18 randomish characters, you should be fine. If it's one English word with a few digits before or after it, you are theoretically vulnerable to that kind of attack.
>
> Are you sure? The version I have (Ver 9.20) says AES-256. And yes, 18 random chars.

An attack would be on the weakest link which is the key derivation, not the encryption.

http://www.7-zip.org/7z.html says:
"This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password."

18 random characters is secure for the foreseeable future.

da2ce7
June 29, 2011, 12:30:37 PM
 #17

It is weird as a 10 digit password [a-Z][0-9][!-~] has a search space of 6.05 x 10^19 and could be cracked in 10 weeks by the Bitcoin network...  Secure passwords are much more secure than you expect.

One off NP-Hard.
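
The search-space arithmetic in posts #13 and #17 and the key-derivation point in posts #12 and #16, worked through as an added example that is not part of the thread or of any poster's message. The iteration count, the word-plus-digits candidate count and the simplified KDF (which is not 7-Zip's exact construction) are assumptions made for illustration.

```python
import hashlib
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                     # lowercase + uppercase + digits + symbols + space
ATTACKER_HASHES_PER_SEC = 1e14           # "one hundred trillion" per second, from post #13
KDF_ITERATIONS = 2 ** 19                 # assumed iteration count, for illustration only
WORD_PLUS_DIGITS = 100_000 * 1_000 * 2   # constructed: 100k words, 3 digits, before or after


def search_space(alphabet_size, max_len):
    """Count every password of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def iterated_sha256(password, salt, iterations):
    """Simplified iterated-SHA-256 KDF: a stand-in, not 7-Zip's exact construction."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest  # 32 bytes, the size of an AES-256 key


def seconds_to_exhaust(space, hashes_per_sec, kdf_iterations=1):
    """Worst-case search time when every guess costs kdf_iterations hashes."""
    return space * kdf_iterations / hashes_per_sec


def report(label, space):
    secs = seconds_to_exhaust(space, ATTACKER_HASHES_PER_SEC, KDF_ITERATIONS)
    return f"{label:<28}{space:>10.3g} candidates {secs / SECONDS_PER_YEAR:>10.3g} years"


if __name__ == "__main__":
    key = iterated_sha256("constructed passphrase", os.urandom(16), 1000)
    print("derived key length:", len(key), "bytes")
    print(report("word + 3 digits", WORD_PLUS_DIGITS))
    for length in (10, 12, 18):
        print(report(f"{length} random printable chars", search_space(PRINTABLE_ASCII, length)))
```

Under these assumptions the iteration count multiplies the cost of every guess by the same factor, so it cannot rescue a password drawn from a small candidate set, while the 18-random-character case stays out of reach by many orders of magnitude.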
nosfera2
June 29, 2011, 12:36:23 PM
 #18

I see! Thanks for clearing that up, JoelKatz.
nosfera2
June 29, 2011, 12:39:02 PM
 #19

I see! Thanks for clearing that up, JoelKatz.
da2ce7
June 29, 2011, 12:43:17 PM
 #20

Make sure you pick at least one character in each group:

Lowercase: abcdefghijklmnopqrstuvwxyz
Uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Number: 1234567890
Symbol: `~!@#$%^&*()-_=+\|[{]};:'",<.>/? (space)

09 char = insecure
10 char = low security
11 char = medium security
12 char = good security (good enough for your wallet)
13 char = v.good enough for anything.
