# Is Winrar Password Secure?



## truthseeker (Jan 26, 2008)

I just got Winrar 3.71 and want to use it to password certain folders when I compress them into an archive.

However, I have read some things on the internet where people claim they can use a program to open any Winrar passworded file.

Is that true? Or are my Winrar password files secure? I use a 12 character non-dictionary password.

Thanks


----------



## koala (Mar 27, 2005)

You can test how secure your password-protected files are by using one of the programs available online. Just be very careful where you download them from, as some are infected.

You'll probably find that most passwords can be cracked by using the right software, including Microsoft documents, WinZip, WinRar, etc. Longer passwords using non-dictionary sequences of characters will take longer to crack, but they're certainly not 100% secure.

A better way to protect your files is to use encryption.


----------



## Chief17 (Jul 20, 2008)

I suppose it depends on what you are doing with the file/what it contains. If it's just something you want to keep private from your family or something like that, it should be ok, but if it's something more important you may want to use encryption like koala said.


----------



## truthseeker (Jan 26, 2008)

koala said:


> You can test how secure your password-protected files are by using one of the programs available online. Just be very careful where you download them from, as some are infected.
> 
> You'll probably find that most passwords can be cracked by using the right software, including Microsoft documents, WinZip, WinRar, etc. Longer passwords using non-dictionary sequences of characters will take longer to crack, but they're certainly not 100% secure.
> 
> A better way to protect your files is to use encryption.



I now create Winrar archives with a 17 character long password that is not a dictionary word and contains letters, numbers and spaces.

Are you saying that someone can crack that file in the next few years using brute force?

Because these Winrar password recovery programs use brute-force and dictionary-based attacks. With a 17 character password and 128 bit AES key encryption in Winrar, it will take years to break. Maybe longer than the Earth will exist.

This is what Winrar website says:

> The encryption algorithm was changed to AES (Advanced Encryption Standard) with a 128 bit key length starting with WinRAR 3.0.
> 
> The US Government created an encryption standard several years ago, called the Data Encryption Standard (DES). It has been widely used both in government circles and by banks. The government has recently replaced DES with the Advanced Encryption Standard (AES). One cryptologist has said that assuming that you could recover a DES key in a second (trying 2^55 keys per second), it would take the same machine approximately 149 trillion years to recover a 128-bit AES key.


----------
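The comparison behind the figures in the post above, as an added example that is not part of the thread: it sets the search space of a random password against the 128-bit AES key and reproduces the quoted 149 trillion year figure. The 63-symbol alphabet (upper- and lower-case letters, digits, space), uniformly random character choice and the guess rates are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AES_KEY_BITS = 128          # key length quoted from the WinRAR site
QUOTED_RATE = 2 ** 55       # keys/second of the hypothetical machine in the quote

def password_bits(length, alphabet_size):
    """Bits of entropy in a password whose characters are chosen uniformly at random.
    Human-chosen passwords have less, so treat this as an upper bound."""
    return length * math.log2(alphabet_size)

def effective_bits(length, alphabet_size, key_bits=AES_KEY_BITS):
    """An attacker searches whichever space is smaller: passwords or raw keys."""
    return min(password_bits(length, alphabet_size), key_bits)

def expected_years(bits, guesses_per_second):
    """Average time to find the secret: half of the 2**bits space is searched."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def summarize(length, alphabet_size, guesses_per_second):
    """Return (effective bits, expected years) for one password policy."""
    bits = effective_bits(length, alphabet_size)
    return bits, expected_years(bits, guesses_per_second)

if __name__ == "__main__":
    alphabet = 26 + 26 + 10 + 1   # assumed: upper, lower, digits, space
    print(f"128-bit key at 2^55 keys/s: "
          f"{expected_years(AES_KEY_BITS, QUOTED_RATE):.3g} years")
    for length in (12, 17, 22):   # 12 and 17 are the lengths from the thread
        for rate in (1e9, QUOTED_RATE):   # assumed guess rates
            bits, years = summarize(length, alphabet, rate)
            print(f"{length} chars, {bits:5.1f} bits, "
                  f"{rate:.1e} guesses/s: {years:.3g} years")
```

Under these assumptions a 17 character password carries about 101.6 bits, so the password, not the 128-bit key, is the smaller search space. Real guess rates also depend on the cost of the archive format's key derivation, which this sketch does not model.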



## sobeit (Nov 11, 2007)

just about anything can be cracked - it depends how much that information inside it is really wanted. 

Always assume the government has a back door to any encryption if you have anything illegal on your computer. I would not be surprised if they did for national security.

Something to consider, if the information inside of the secure folders ever was anywhere on your computer before securing, then it can be found. Encryption would be a waste of time.

For example if you look at illegal porn online and you decided to keep a copy of it in a secure folder, when you originally looked at it, a copy of it and the links to it went into your cache and other locations on your computer.


----------



## koala (Mar 27, 2005)

From the WinRar Help file:


> If you set "Encrypt file names" option, WinRAR will encrypt not only file data, but all other sensitive archive areas like file names, sizes, attributes, comments and other blocks, so it provides a higher security level. Without a password it is impossible to view even the list of files in archive encrypted with this option.
> 
> Remember that if you lose your password, you will be unable to retrieve the encrypted files, not even the WinRAR author is able to extract encrypted files.


Sorry, I didn't realise you were already using encryption. *Unencrypted* passwords are easy to crack, given the right software.

Also, WinRar and other similar programs use temp files when encrypting, so you usually need to securely wipe the free hard drive space after creating the archive for total security, as the 'deleted' temp files are still recoverable using data recovery software.

The features list for 3.8 says *"New 'Wipe Temporary Files' option in 'Settings/Security' dialog provides more secure, though slower, way to delete temporary WinRAR files."* So as long as you enable this setting, you don't need to worry about wiping the free hard drive space. I'm using WinRar 3.6 which doesn't have this feature.


----------



## truthseeker (Jan 26, 2008)

sobeit said:


> just about anything can be cracked - it depends how much that information inside it is really wanted.
> 
> Always assume the government has a back door to any encryption if you have anything illegal on your computer. I would not be surprised if they did for national security.
> 
> ...


Wow, what an imagination you have. I laughed for 5 minutes reading your post. You really have a sinister mind, indicating you are guilty of the things you mention.

I only want to create private documents folders which contain my business reports etc. Nothing more than that lol.

You seem to have a lot to say about how "easy" it is to break a Winrar encryption. So I am going to upload a simple text file to you encrypted with Winrar, that contains a word. And then I want you to tell me the word inside the text file. That will prove your point. But if you cannot decrypt it, or worse, refuse my challenge, then your words are only empty words without action.

How can I send the file to you?


----------



## truthseeker (Jan 26, 2008)

koala said:


> From the WinRar Help file:
> 
> 
> Sorry, I didn't realise you were already using encryption. *Unencrypted* passwords are easy to crack, given the right software.
> ...


Why are you using 3.6 when 3.8 Beta is out? Don't you realise that once you pay for a licence, you get access to all future releases as well? I got a licence for 3.71, and then installed 3.8, and my licence key works no problem with future releases too.

So why don't you install 3.8?


----------



## koala (Mar 27, 2005)

Haven't got round to it yet. I don't use it very often.


----------



## sobeit (Nov 11, 2007)

truthseeker said:


> Wow, what an imagination you have. I laughed for 5 minutes reading your post. You really have a sinister mind, indicating you are guilty of the things you mention.
> 
> I only want to create private documents folders which contain my business reports etc. Nothing more than that lol.
> 
> ...


Glad you had a good laugh over the truth. You really need to change your name if you think it was a joke. But as you said in another post, you are still a kid so you still have a lot to learn.

Anything you delete from your computer leaves a trace. Anything you do online leaves a copy on your computer in specific folders, in logs and such. All of that is fact, not a joke. If it's on your computer before it was encrypted then it will be found.

As far as backdoors to encryption programs for the government - that is something we would never really know. Read the following article from 2001. 

http://www.wired.com/politics/law/news/2001/09/46816

As far as sending me a file, nope, no way, you cannot be trusted not to send some sort of virus or anything. Besides I am not into decryption.


----------



## koala (Mar 27, 2005)

Question answered. Thread closed.


----------

