Assistance Required Please...........................

Dave

Hi Guys,

I have 2 favours to ask, the first is that I am looking for a free program
that will retrieve a password from a WinZip file, I pass-worded it about 2
years ago and wrote the password down in a little book I have, of course in
the meantime I have lost the book, and really need the information that is
in the zip file. I have had the house upside down looking for this damn book
but can't find it anywhere.

Ok second favour, I am also looking for a free program that will allow me to
autorun a CD once I have made one up. I have a load of stuff that I am gonna
put on CDs but I want to have them autorun if that's possible.

I really do appreciate your help guys.

Many many thanx for listening.

Dave.
 
Alan

Dave said:
Hi Guys,

I have 2 favours to ask, the first is that I am looking for a free
program that will retrieve a password from a WinZip file, I
pass-worded it about 2 years ago and wrote the password down in
a little book I have, of course in the meantime I have lost the book,
and really need the information that is in the zip file. I have had
the house upside down looking for this damn book but can't find it
anywhere.

Ok second favour, I am also looking for a free program that will
allow me to autorun a CD once I have made one up. I have a load of
stuff that I am gonna put on CDs but I want to have them autorun if
that's possible.

Cracking zip passwords can take quite a long time if the password is a
long one. The only "crackers" I know of use a brute force method or
dictionary-style attack. There are $$$ services that will do it, but I
don't know of any freeware per se, although there are crippled programs
that are limited to a certain number of characters. You might have some
luck at
http://www.password-crackers.com/crack.html

The autorun facility is not difficult. It's simple if you want to run a
program, a bit more complex to open an HTML file say - but all
straightforward. Try Google search for "autorun cd freeware" (without "
marks) and you'll find lots of info/freeware links.
 
Blinky the Shark

Alan said:
Dave wrote:
Cracking zip passwords can take quite a long time if the password is a
long one. The only "crackers" I know of use a brute force method or

For the record, I believe WinZip passwords are limited to four
characters.
 
Alan

Blinky said:
For the record, I believe WinZip passwords are limited to four
characters.

Had no idea this was the case. That's a pretty trivial exercise to crack
them then. There's only 2^32 or 4,294,967,296 possibilities. Seems a
largely pointless feature. I'm pretty sure other zip archivers can
handle 12 (or more) characters.
 
REMbranded

Had no idea this was the case. That's a pretty trivial exercise to crack
them then. There's only 2^32 or 4,294,967,296 possibilities. Seems a
largely pointless feature. I'm pretty sure other zip archivers can
handle 12 (or more) characters.

4 chars isn't a strong password, but I see 47 main keyboard keys that
can be used, each having 2 values. That's 94^4, or 78 million
possibilities before figuring out just how many high ascii characters
Windows can make: ê,ë,è,ï, etc. and adding them to the 94. DOS
can use 127 high ascii characters, but I don't think Windows does them
all.

Just guessing 200 possible characters that are available for the 4
letter phrase, with the possibility of repetition for each character:

200*200*200*200 = 1.6 billion possible phrases.

You could use any of the 200 choices for the first character, the
second character, etc. The way to figure it is by multiplying all.

Say it took all 200 to figure the first character was ², and it took
all 200 to figure the second character was ², and the third and
fourth. That's 200^4.

If you knew no characters were repeated it would be:

200*199*198*197 = ~1.55 billion.

200 choices for the first, 199 for the second, etc.

Sorry, the Sadistics course is coming back on me like a bad tuna :)
 
Alan

4 chars isn't a strong password, but I see 47 main keyboard keys that
can be used, each having 2 values. That's 94^4, or 78 million
possibilities before figuring out just how many high ascii characters
Windows can make: ê,ë,è,ï, etc. and adding them to the 94. DOS
can use 127 high ascii characters, but I don't think Windows does them
all.

Just guessing 200 possible characters that are available for the 4
letter phrase, with the possibility of repetition for each character:

200*200*200*200 = 1.6 billion possible phrases.

You could use any of the 200 choices for the first character, the
second character, etc. The way to figure it is by multiplying all.

Say it took all 200 to figure the first character was ², and it took
all 200 to figure the second character was ², and the third and
fourth. That's 200^4.

I assumed all possible (256) byte values might be accepted as a
"character", just to get the worst possible scenario. For a brute force
attack, the 4.3 billion possible 4-byte values is not much of a task for
even a 10 y.o. desktop. That's why I commented on the weakness of such a
limitation.
If you knew no characters were repeated it would be:

200*199*198*197 = ~1.55 billion.

200 choices for the first, 199 for the second, etc.

Sorry, the Sadistics course is coming back on me like a bad tuna :)

LOL! I only liked the subject when I was getting paid to suffer it. :)
 
Blinky the Shark

4 chars isn't a strong password, but I see 47 main keyboard keys that
can be used, each having 2 values. That's 94^4, or 78 million
possibilities before figuring out just how many high ascii characters
Windows can make: ê,ë,è,ï, etc. and adding them to the 94. DOS
can use 127 high ascii characters, but I don't think Windows does them
all.

Did some digging. Looks like the 4-char pwd limit has been increased:

http://www.winzip.com/aes_info.htm#encryption

Don't know what characters are allowed.
 
Blinky the Shark

Alan said:
I assumed all possible (256) byte values might be accepted as a
"character", just to get the worst possible scenario. For a brute
force attack, the 4.3 billion possible 4-byte values is not much of a
task for even a 10 y.o. desktop. That's why I commented on the
weakness of such a limitation.

Y'know what? I *think* that you were (but notice my tense) limited to
number characters. I could swear that the prompt for "save encrypted"
said something like "enter a number up to 9999". It seems like I
remember being surprised by that huge limitation, in an otherwise very
well done program. I hope I'm not thinking of another program.

But see my post to REMbranded, just now, with newer information.
 
Blinky the Shark

If the algorithm is sound and the passphrase can be up to 64
characters it will be a tough nut to crack.

I thought I saw seven. 64 is better. :)
I get an overflow error on my TI-83 with 200^64.
As far as limiting the original to numerals only in a 4 character pass
phrase, that is really weak with 10,000 possibilities.

I know.
 
REMbranded

Blinky the Shark said:
Did some digging. Looks like the 4-char pwd limit has been increased:

If the algorithm is sound and the passphrase can be up to 64
characters it will be a tough nut to crack.

Of course, if the user only used a few characters and the brute
program starts low and works its way up it might crack it within a
reasonable time. Throw in a high ascii character or two and it might
be awhile.

I get an overflow error on my TI-83 with 200^64.

As far as limiting the original to numerals only in a 4 character pass
phrase, that is really weak with 10,000 possibilities.
 
Alan

I get an overflow error on my TI-83 with 200^64.

Won't it automatically drop back to scientific notation when it runs out
of place holders? Windows calculator gives around 1.8 x 10^147, give or
take a few :)
 
REMbranded

Won't it automatically drop back to scientific notation when it runs out
of place holders? Windows calculator gives around 1.8 x 10^147, give or
take a few :)

200^43 seems to be the limit at 8.79E104
 
REMbranded

I thought I saw seven. 64 is better. :)

Having too much time on my hands I downloaded Winzip 8.1, and it
allows for 100 characters in the passphrase. I was thinking that this
would provide a reasonable deal of security, until I tried one of the
better password cracking utilities.

The utility claims 16 million pass phrases per second on a 1 gigahertz
processor. I don't doubt that. I was getting 10 million in 4 seconds
with my 500 MHz with other programs running. This was a simple brute
force attack not related to algorithm weaknesses.

I tried a couple of other password programs, but they were dog slow
and didn't allow for high ascii characters. I was more curious as to
what a good password recovery program could do.

It was enough to make me really wonder if passphrase security via huge
numbers of possibilities is all that it's cracked up to be. That was
some sleek and efficient software. If combined with the super fast
processors available today and a bit of patience I think it can crack
any pass phrase in a relatively short amount of time. Relative is to
the "Not in our lifetime," that was said of PGP a few short years ago
in the 133 MHz days, especially if the pass phrase is short and/or
weak. A short or weak phrase can be cracked in less than 1 second.
The fact that you could have used a complex pass phrase doesn't help
at all. It starts low, seeking the weakest link, a lazy human who
created the phrase.

I suppose the point is that it is better to have no sense of security
than to have a false one. Both hardware and software have made great
advances over the last few years. What you might consider secure,
Scramdisk, Encryption For the Masses, PGP, archiver pass phrases, etc.
depend first on the length and then on the imagination to create a
phrase that can withstand a brute force attack to a reasonable degree.

I was truly stunned at the efficiency this shareware program
possesses. I did not find any comparable freeware programs.

It is worth thinking over if you think that you are secured by pass
phrases in any program.
 
Gordon

Having too much time on my hands I downloaded Winzip 8.1, and it
allows for 100 characters in the passphrase. I was thinking that this
would provide a reasonable deal of security, until I tried one of the
better password cracking utilities.

The utility claims 16 million pass phrases per second on a 1 gigahertz
processor. I don't doubt that. I was getting 10 million in 4 seconds
with my 500 MHz with other programs running. This was a simple brute
force attack not related to algorithm weaknesses.

It was enough to make me really wonder if passphrase security via huge
numbers of possibilities is all that it's cracked up to be. That was
some sleek and efficient software. If combined with the super fast
processors available today and a bit of patience I think it can crack
any pass phrase in a relatively short amount of time. Relative is to
the "Not in our lifetime," that was said of PGP a few short years ago
in the 133 MHz days, especially if the pass phrase is short and/or
weak. A short or weak phrase can be cracked in less than 1 second.
The fact that you could have used a complex pass phrase doesn't help
at all. It starts low, seeking the weakest link, a lazy human who
created the phrase.


100 Character pass phrase. Take 26 lower case + 26 upper case + 10
numbers + 32 punctuation marks = 94. Throw in a few foreign accented
characters for luck and call it 100 possible characters in a random
passphrase that is 100 characters long. Now stick factorial 100
(100x99x98x97x96....) into calculator. Even factorial 50 isn't crackable
in your lifetime with >current< technology - it's a number with 64 zeros
after it (Factorial 100 has 157 zeros after it).

Best possible pass phrase if you're going to use winzip is an ASCII file
of random garbage. Just don't lose the file. :)

Regards
Gordon
 
Blinky the Shark

allows for 100 characters in the passphrase. I was thinking that this

Yow. Nico's been busy. :)
I was truly stunned at the efficiency this shareware program
possesses. I did not find any comparable freeware programs.

Jesus, REM...do the math. You're leaving us in suspenders. How long
would it have taken to crack your 100-char password? :)
 
REMbranded

Blinky the Shark wrote:
Jesus, REM...do the math. You're leaving us in suspenders. How long
would it have taken to crack your 100-char password? :)

The odds grow exponentially with each character used in the
passphrase. I doubt most people use the full pass phrase length though
because they have to remember it, unless they paste in garbage as
Gordon suggested and use the full 100 characters.

I would figure the possibilities as 100^200, or 1E2000.

Assuming the attack gets 1 trillion (1E12) per day...

At worst case, 166.6 days, assuming I got the decimals right.

A 1 gigahertz processor is fairly slow by today's standards and the
real number per day is 1,382,400,000,000 the program can assert at
this speed. (16,000,000 per second).

It wasn't long ago this would have been impossible. Factor in top of
the line processors and distributed computing and it could fall really
quickly.
 
REMbranded

<gordondarling@no*spam.lycos.co.uk> wrote:
100 Character pass phrase. Take 26 lower case + 26 upper case + 10
numbers + 32 punctuation marks = 94. Throw in a few foreign accented
characters for luck and call it 100 possible characters in a random
passphrase that is 100 characters long. Now stick factorial 100
(100x99x98x97x96....) into calculator. Even factorial 50 isn't crackable
in your lifetime with >current< technology - it's a number with 64 zeros
after it (Factorial 100 has 157 zeros after it).

The attack is 1E12 per day though...

Check my math in the other message. I was figuring the possibilities
as 100^200. I'm not sure how many high ascii characters can be
represented in Windows, but I don't think it does all of them, and
many of the first 31 low ascii characters can't be typed. I used 200
total characters as a guesstimation.

The factorial isn't used because the same character can be used
multiple times in the pass phrase. If you knew that no character was
repeated the factorial would work.

Way OT, but interesting.
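
The keyspace arithmetic argued over in this thread, worked through as an added example (not part of any poster's message): it counts candidates with and without repeated characters and converts them to worst-case search time at the 16 million guesses per second quoted above. The function names are illustrative, and the model assumes a randomly chosen password and a single machine at that rate.

```python
import math

RATE_PER_SEC = 16_000_000        # guesses/second quoted in the thread (1 GHz CPU)
SECONDS_PER_YEAR = 365 * 86_400

def keyspace(alphabet: int, length: int, repeats: bool = True) -> int:
    """Candidate passwords of exactly `length` characters."""
    if repeats:
        return alphabet ** length          # every position chosen independently
    return math.perm(alphabet, length)     # no character used twice

def keyspace_up_to(alphabet: int, max_len: int) -> int:
    """Candidates tried by a search that starts short and works up to max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def seconds_to_exhaust(candidates: int, rate: int = RATE_PER_SEC) -> int:
    """Worst-case whole seconds to try every candidate (integer math only)."""
    return candidates // rate

def min_length(alphabet: int, years: int, rate: int = RATE_PER_SEC) -> int:
    """Shortest random password whose keyspace outlasts `years` of guessing."""
    target = years * SECONDS_PER_YEAR * rate
    n = 1
    while alphabet ** n < target:
        n += 1
    return n

def report():
    """Rows of (label, length, worst-case seconds, worst-case years)."""
    cases = [
        ("digits only", 10, 4),
        ("94 keyboard chars", 94, 4),
        ("200 chars (thread's guess)", 200, 4),
        ("any byte value", 256, 4),
        ("94 keyboard chars", 94, 12),
        ("94 keyboard chars", 94, 100),
    ]
    rows = []
    for label, alphabet, length in cases:
        secs = seconds_to_exhaust(keyspace(alphabet, length))
        rows.append((label, length, secs, secs // SECONDS_PER_YEAR))
    return rows

if __name__ == "__main__":
    for label, length, secs, years in report():
        print(f"{label:28} len={length:<3} ~{secs:.2e} s  (~{years:.2e} years)")
    print("length to outlast 100 years, 94 chars:", min_length(94, 100))
```
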
 
