Fuzzy (OP)
June 29, 2011, 10:52:18 AM

This friend I know is using WinRAR to encrypt his wallets with fairly long passwords. How secure is WinRAR's password encryption, and what's the next most convenient and more reliable form of file encryption?

SomeoneWeird
June 29, 2011, 10:57:02 AM

WinRAR uses an ineffective encryption standard (afaik). Tell him to use TrueCrypt.

Sukrim
June 29, 2011, 10:59:36 AM

> WinRAR uses an ineffective encryption standard (afaik).

128-bit AES... yeah, sure - very ineffective. NOT!

SomeoneWeird
June 29, 2011, 11:02:30 AM

> > WinRAR uses an ineffective encryption standard (afaik).
>
> 128-bit AES... yeah, sure - very ineffective. NOT!

Ok goshh, they didn't use AES last time I used it.

XIU
June 29, 2011, 11:26:04 AM

> > > WinRAR uses an ineffective encryption standard (afaik).
> >
> > 128-bit AES... yeah, sure - very ineffective. NOT!
>
> Ok goshh, they didn't use AES last time I used it.

It has changed since v3.0, so together with a strong password, it'll be secure enough for some time.

BitcoinPorn
June 29, 2011, 11:31:28 AM

Go with TrueCrypt.
I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.

Fuzzy (OP)
June 29, 2011, 11:32:59 AM

> Go with TrueCrypt.
> I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.

Well, just in case my grandma wants to brute force it.

XIU
June 29, 2011, 11:41:12 AM

> Go with TrueCrypt.
> I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.

Only annoying part is that you have to create a volume that is big enough, because re-sizing isn't really possible (I saw somewhere about someone having a 150MB+ wallet.dat file).

SomeoneWeird
June 29, 2011, 11:44:58 AM

> > Go with TrueCrypt.
> > I know this shouldn't matter, but I think it would be weird to protect something so valuable with a program everyone has on their desktop. I am not sure why I feel like it matters to me, but it does, I can't find the logic in it yet.
>
> Only annoying part is that you have to create a volume that is big enough, because re-sizing isn't really possible (I saw somewhere about someone having a 150MB+ wallet.dat file).

Just create a 1 GB volume and have the entire Bitcoin datadir in that.

JoelKatz
Democracy is vulnerable to a 51% attack.
June 29, 2011, 11:50:44 AM

> This friend I know is using WinRAR to encrypt his wallets with fairly long passwords. How secure is WinRAR's password encryption, and what's the next most convenient and more reliable form of file encryption?

How long is fairly long? The weak link would be a brute-force attack, and the plausibility of that will directly depend on how many passwords someone would have to try to get to his. There already exists hardware used by law enforcement to brute force WinRAR passwords. http://www.forensic-computers.com/TACC1441.php

I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN

nosfera2
June 29, 2011, 11:56:40 AM

7-Zip has 256-bit AES. I'm using that with an 18 char password and storing my wallet completely and permanently offline, so I'm sleeping pretty well at night. Now I just have to fill it with a few BTC, haha!

JoelKatz
Democracy is vulnerable to a 51% attack.
June 29, 2011, 12:09:55 PM

> 7-Zip has 256-bit AES. I'm using that with an 18 char password and storing my wallet completely and permanently offline, so I'm sleeping pretty well at night. Now I just have to fill it with a few BTC, haha!

7-Zip uses iterated SHA-256 as its key derivation function. This is weak against hardware brute force attacks. If your password really is 18 randomish characters, you should be fine. If it's one English word with a few digits before or after it, you are theoretically vulnerable to that kind of attack. On the bright side, you don't really have to worry about someone stealing your wallet today and then breaking it in ten years when the computing power is available to do so. Shortly before the time any encryption scheme you ever used to protect your wallet becomes vulnerable to an attack (due to increasing computing power, a newly-discovered flaw, or whatever), you can simply transfer all your BitCoins to a brand new wallet using an encryption scheme that is stronger.

I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN

da2ce7
Live and Let Live
June 29, 2011, 12:21:04 PM

WinRAR is fine... providing you use a secure password... The password search space for an uppercase, lowercase, digit, and symbol 12-digit password is 5.46 x 10^23. That would take over 100 years at one hundred trillion guesses per second (10x the power of the entire Bitcoin network). Useful link: https://www.grc.com/%5Chaystack.htm

One off NP-Hard.

nosfera2
June 29, 2011, 12:27:46 PM

> 7-Zip uses iterated SHA-256 as its key derivation function. This is weak against hardware brute force attacks. If your password really is 18 randomish characters, you should be fine. If it's one English word with a few digits before or after it, you are theoretically vulnerable to that kind of attack.

Are you sure? The version I have (Ver 9.20) says AES-256. And yes, 18 random chars.

JoelKatz
Democracy is vulnerable to a 51% attack.
June 29, 2011, 12:28:45 PM

> The password search space for an uppercase, lowercase, digit, and symbol 12-digit password is 5.46 x 10^23.
> That would take over 100 years at one hundred trillion guesses per second (10x the power of the entire Bitcoin network).

Provided you understand the difference between '!HackZl0l' (awful), '1naHTG?pw77' (just good enough for now), and '34rW0,3iviQ!' (good enough for the next 30 years for sure).

I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN

JoelKatz
Democracy is vulnerable to a 51% attack.
June 29, 2011, 12:29:35 PM

> > 7-Zip uses iterated SHA-256 as its key derivation function. This is weak against hardware brute force attacks. If your password really is 18 randomish characters, you should be fine. If it's one English word with a few digits before or after it, you are theoretically vulnerable to that kind of attack.
>
> Are you sure? The version I have (Ver 9.20) says AES-256. And yes, 18 random chars.

An attack would be on the weakest link, which is the key derivation, not the encryption. http://www.7-zip.org/7z.html says: "This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password." 18 random characters is secure for the foreseeable future.

I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN

da2ce7
Live and Let Live
June 29, 2011, 12:30:37 PM

It is weird, as a 10-digit password [a-Z][0-9][!-~] has a search space of 6.05 x 10^19 and could be cracked in 10 weeks by the Bitcoin network... Secure passwords are much more secure than you expect.

One off NP-Hard.

nosfera2
June 29, 2011, 12:39:02 PM

I see! Thanks for clearing that up, JoelKatz.

da2ce7
Live and Let Live
June 29, 2011, 12:43:17 PM

Make sure you pick at least one character in each group:
Lowercase: abcdefghijklmnopqrstuvwxyz
Uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Number: 1234567890
Symbol: `~!@#$%^&*()-_=+\|[{]};:'",<.>/? (space)

09 char = insecure
10 char = low security
11 char = medium security
12 char = good security (good enough for your wallet)
13 char = v.good enough for anything.

One off NP-Hard.
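The search-space arithmetic in da2ce7's posts (5.46 x 10^23 for 12 characters, 6.05 x 10^19 for 10) and JoelKatz's three example passwords, worked through as an added example that is not from the thread. It counts every length up to the given one, the way the linked GRC haystack page does, and treats the KDF iteration count and the guess rates as parameters (the thread names no iteration count for 7-Zip's iterated SHA-256 and the rates are the thread's own estimates, so both are assumptions supplied by the caller).

```python
import math
import string

# Character groups as da2ce7 lists them: 26 + 26 + 10 + 33 (punctuation plus space) = 95.
GROUPS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

HUNDRED_TRILLION = 1e14  # the thread's guess rate; it calls this 10x the Bitcoin network
YEAR_SECONDS = 365.25 * 86400

def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must assume, given which groups the password uses.
    Leaving a group out shrinks the space, which is why the last post says one of each."""
    used = set(password)
    return sum(len(group) for group in GROUPS.values() if used & group)

def search_space(length: int, alphabet: int = 95) -> int:
    """Guesses to exhaust every password of length 1..length, counted the way the GRC
    haystack page linked above does (hence 5.46e23 for 12 characters, not 95**12)."""
    return sum(alphabet ** k for k in range(1, length + 1))

def seconds_to_exhaust(space: int, guesses_per_second: float, kdf_iterations: int = 1) -> float:
    """Worst-case time. Each guess costs kdf_iterations hash calls, so an iterated KDF
    such as 7-Zip's iterated SHA-256 divides the attacker's effective rate."""
    return space * kdf_iterations / guesses_per_second

def entropy_bits(length: int, alphabet: int = 95) -> float:
    """The same search space in bits, for comparison with a cipher's key size."""
    return length * math.log2(alphabet)

def report(password: str, guesses_per_second: float = HUNDRED_TRILLION,
           kdf_iterations: int = 1) -> dict:
    """Exhaustive-search figures for one password. An upper bound only: a password
    built on a dictionary word ('!HackZl0l') falls to a wordlist attack far sooner."""
    n, a = len(password), alphabet_size(password)
    space = search_space(n, a)
    years = seconds_to_exhaust(space, guesses_per_second, kdf_iterations) / YEAR_SECONDS
    return {"length": n, "alphabet": a, "bits": round(entropy_bits(n, a), 1),
            "space": space, "years": years}

if __name__ == "__main__":
    for pw in ("!HackZl0l", "1naHTG?pw77", "34rW0,3iviQ!"):  # JoelKatz's three examples
        print(f"{pw:14} {report(pw)}")
```

Running it shows the 9-character example exhausted in well under a day at the thread's rate, while the 12-character one takes about 170 years, matching da2ce7's "over 100 years".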