# Can AES-256 be broken?



## truthseeker

I am using 7z to create archives and to encrypt them.

http://www.7-zip.org/

7z uses AES-256 password encryption.

But I have seen some 7z password recovery programs on the internet.

Does this mean someone can crack or break my 7z AES-256 encrypted files?

I am using a non-dictionary password that is 14 characters long.

How long would it take, using the latest PCs, a brute-force attack on my 7z AES-256 archives to find and crack the password?


----------



## koala

Have you seen the latest replies to this question in your other thread? *http://www.wilderssecurity.com/showthread.php?p=1261571*



Pleonasm_post#19 said:



> …taking maximum advantage of the full strength of AES encryption requires a password of approximately 32 characters for 128-bit encryption and *64 characters for 256-bit encryption*.





dantz_post#20 said:


> I hope you realize that every time you open one of your encrypted files it's written to a temp folder as plaintext. This is the major weakness of all zip encryption. So keep on wiping! Or choose a method of encryption that doesn't write plaintext to disk.


----------



## truthseeker

koala said:


> Have you seen the latest replies to this question in your other thread? *http://www.wilderssecurity.com/showthread.php?p=1261571*


Is Wildersecurity run by the same people who run this website?

I asked there as well as it seems to have more traffic there.


----------



## koala

No, we're not affiliated with Wildersecurity at all, but I think some of our Security team post over there. It just takes a quick google to find cross-posts. :smile:

It looks like you'll need to increase the length of your password to get better encryption. Also, if the data is really private and you've opened the file, remember to wipe the drive's free space after deleting it with something like Sure Delete.


----------



## sobeit

truthseeker said:


> I am using 7z to create archives and to encrypt them.
> 
> http://www.7-zip.org/
> 
> 7z uses AES-256 password encryption.
> 
> But I have seen some 7z password recovery programs on the internet.
> 
> Does this mean someone can crack or break my 7z AES-256 encrypted files?
> 
> I am using a non-dictionary password that is 14 characters long.
> 
> How long would it take, using the latest PCs, a brute-force attack on my 7z AES-256 archives to find and crack the password?


Anything can be cracked. As they say about locks, they are made for the innocent, not the guilty. As far as how long it would take, depends upon the person and their tools.


----------



## koala

truthseeker said:


> I am using a non-dictionary password that is 14 characters long.
> 
> How long would it take, using the latest PCs, a brute-force attack on my 7z AES-256 archives to find and crack the password?


There are too many variables to give an accurate answer - length of password, characters used, speed of CPU, program/method used for cracking, etc. I think if anyone wanted access to the encrypted data, they would probably get a quicker result by using data recovery software to go through your 'deleted' files rather than try to crack the zip password.


----------



## truthseeker

koala said:


> No, we're not affiliated with Wildersecurity at all, but I think some of our Security team post over there. It just takes a quick google to find cross-posts. :smile:
> 
> It looks like you'll need to increase the length of your password to get better encryption. Also, if the data is really private and you've opened the file, remember to wipe the drive's free space after deleting it with something like Sure Delete.


Yep, good comment. I have increased my password from 14 to 26, and believe it or not, I remember it in my head.

And yes another good point, I use Eraser to do a wipe of the original file itself and the free space.

Thank you for your help. I am happy and content now to keep using the 7z AES-256 encryption and confident it will protect me from the average person if they ever gain access to my laptop.

P.S. So using Google I guess you find a lot of cross-posts, you sneaky bugger, hehe.


----------



## truthseeker

sobeit said:


> Anything can be cracked. As they say about locks, they are made for the innocent, not the guilty. As far as how long it would take, depends upon the person and their tools.


Yep. And the time it would take an average person who may gain access to my laptop to break my 7z program's AES-256 encryption, by then I would probably have changed my bank details and PINs. So then their cracked 7z file would be useless anyway.


----------



## MarAttacker2000

truthseeker said:


> I am using 7z to create archives and to encrypt them.
> 
> http://www.7-zip.org/
> 
> 7z uses AES-256 password encryption.
> 
> But I have seen some 7z password recovery programs on the internet.
> 
> Does this mean someone can crack or break my 7z AES-256 encrypted files?
> 
> I am using a non-dictionary password that is 14 characters long.
> 
> How long would it take, using the latest PCs, a brute-force attack on my 7z AES-256 archives to find and crack the password?


People are dancing around the easy answers:

1. Yes you can crack a 14 character pw. Did you find the name of one of the programs targeted at 7zip yet? There are a bunch. I'm getting 12.8 million guesses/sec on my spare box right now. Usually on this sort of game I have one machine that knocks out dictionaries and small pw/low number of character classes. Then I have a stack of G5s that sit there and crank through in parallel for harder longer pws. When I guess them, I send my users email and tell them their pw and request they reset.

2. Govt cracking - Ever heard of a DSP? There are 2 main concepts. Dedicated chips and hashes. Chips that have a sole job of decrypting, or in the smart case of encrypting. All smart agencies have loads of hardware generating hash tables. There are many creative ways even with salts to get around this stuff. Anyhow brute force is dumb. A simple database lookup and then a trial of those hashes is fast and easy. Your 14 char pw was pwned before you even wrote it.


----------
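Added example, not part of any post in this thread: a Python estimate built from the variables koala lists (password length, character set, guess rate) and from the password lengths in the Pleonasm quote. The 12.8 million guesses/sec rate is the unverified figure claimed in the post above and is used only as a parameter; the function names are hypothetical, the alphabets are constructed samples, and every password is assumed to be drawn uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
CLAIMED_RATE = 12.8e6  # guesses/sec as claimed in the thread (unverified assumption)

# Constructed sample alphabets: name -> number of distinct symbols.
ALPHABETS = {"digits": 10, "hex": 16, "lowercase": 26,
             "alphanumeric": 62, "printable ASCII": 95}

def password_bits(alphabet_size, length):
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(alphabet_size, length, guesses_per_sec=CLAIMED_RATE):
    """Worst-case years to try every password of exactly this length.
    The expected time to hit one random password is half of this."""
    return alphabet_size ** length / guesses_per_sec / SECONDS_PER_YEAR

def length_for_key_strength(alphabet_size, key_bits):
    """Shortest random password whose keyspace is at least 2**key_bits.
    Integer arithmetic avoids floating-point rounding at the boundary."""
    length = 1
    while alphabet_size ** length < 2 ** key_bits:
        length += 1
    return length

def report(lengths=(14, 26)):
    """Rows of (alphabet, length, bits, worst-case years) for each combination."""
    return [(name, n, password_bits(size, n), years_to_exhaust(size, n))
            for name, size in ALPHABETS.items() for n in lengths]

if __name__ == "__main__":
    for name, n, bits, years in report():
        print(f"{name:16} len={n:2}  {bits:6.1f} bits  {years:10.3g} years")
    for name, size in ALPHABETS.items():
        print(f"{name:16} needs {length_for_key_strength(size, 128)} chars for 128 bits, "
              f"{length_for_key_strength(size, 256)} for 256 bits")
```

The 32- and 64-character figures in the quote come out exactly for a 16-symbol alphabet (4 bits per character). A password chosen by a person rather than at random carries less entropy than these estimates.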



## johnwill

And why would you bother?


----------



## truthseeker

MarAttacker2000 said:


> People are dancing around the easy answers:
> 
> 1. Yes you can crack a 14 character pw. Did you find the name of one of the programs targeted at 7zip yet? There are a bunch. I'm getting 12.8 million guesses/sec on my spare box right now. Usually on this sort of game I have one machine that knocks out dictionaries and small pw/low number of character classes. Then I have a stack of G5s that sit there and crank through in parallel for harder longer pws. When I guess them, I send my users email and tell them their pw and request they reset.
> 
> 2. Govt cracking - Ever heard of a DSP? There are 2 main concepts. Dedicated chips and hashes. Chips that have a sole job of decrypting, or in the smart case of encrypting. All smart agencies have loads of hardware generating hash tables. There are many creative ways even with salts to get around this stuff. Anyhow brute force is dumb. A simple database lookup and then a trial of those hashes is fast and easy. Your 14 char pw was pwned before you even wrote it.


You are full of words, no action. PROVE IT that you can crack an encrypted file.

I have uploaded an encrypted Winrar file and inside it there is a text file with a word written. Tell me the word written inside the file and prove you can crack it.

Grab the file from here:

http://rapidshare.com/files/138330671/encrypted.rar

NO TALK, ONLY ACTION! Crack that file, tell me the "secret word" inside the encrypted file.


----------



## johnwill

That guy is all hat, no cattle.


----------



## truthseeker

johnwill said:


> That guy is all hat, no cattle.


Well I am still waiting for MarAttacker2000 to show me some action. No more talk, just action.

I even sent MarAttacker2000 a private message giving him the challenge to break that encrypted file and tell me the word inside the text file. After all, he claimed he can break an encrypted file, and gave me the impression he is very good at it and has the "right tools".

Yet I am still waiting. And I guess I will be waiting for another 3 million years before he can break it :grin: LOL


----------



## McNinja

Nobody cares, hoho look at me talk I have no action only talk, MAD yet hehe

Use truecrypt if you're worried about encryption.
It uses 3 256 bit encryption programs and you can use a "File" key and a password
http://www.truecrypt.org/downloads.php

Stop being so paranoid.
If they stole your laptop all they would have to do is cool your ram down and transfer it to a separate laptop..... so HA!
http://forum.japantoday.com/viewtopic.php?f=11&t=981559


----------



## peterhuang913

Dude, you're just paranoid. The truth is: any kind of encryption system can be cracked.

If I got my hands on your laptop, I'd just format it and use it as it is.



truthseeker said:


> Yep. And the time it would take an average person who may gain access to my laptop to break my 7z program's AES-256 encryption, by then I would probably have changed my bank details and PINs. So then their cracked 7z file would be useless anyway.


Number 1 problem with you: you keep your bank info on your computer.


----------



## truthseeker

Mcninjaguy said:


> Nobody cares, hoho look at me talk I have no action only talk, MAD yet hehe
> 
> Use truecrypt if you're worried about encryption.
> It uses 3 256 bit encryption programs and you can use a "File" key and a password
> http://www.truecrypt.org/downloads.php
> 
> Stop being so paranoid.
> If they stole your laptop all they would have to do is cool your ram down and transfer it to a separate laptop..... so HA!
> http://forum.japantoday.com/viewtopic.php?f=11&t=981559


Are you claiming that if I encrypt a file using Winrar or Truecrypt, all a person need do is "cool my ram down and transfer it to a separate laptop" and then wham, all encryption from the file is now gone and the files wide open? haha


----------



## truthseeker

peterhuang913 said:


> Dude, you're just paranoid. The truth is: any kind of encryption system can be cracked....


Full of words, all talk, no action.

Download the Winrar encrypted file I uploaded (see link above) and prove to me that you can crack the file. PROVE IT!


----------



## truthseeker

peterhuang913 said:


> ...
> 
> If I got my hands on your laptop, I'd just format it and use it as it is.
> 
> 
> 
> Number 1 problem with you: you keep your bank info on your computer.


1. So you admit you couldn't access my current data? You could only format my HDD and lose all my encrypted data?

2. I have my banking details stored on a truecrypt partition and also stored in Keepass database. 2 layers of solid encryption. And I never type the information using keyboard.

So you claim you can get my bank details? LOL.


----------



## peterhuang913

Dude, you need a chill-pill. There can be no action because it takes too long to crack such a silly thing. You're just SUPER PARANOID and you need to see a doctor about this condition of yours.


----------



## johnwill

OK, I think we've enjoyed this topic enough, I'm going to close this one. Please keep the discussions on a technical level and don't resort to personal attacks.


----------

