aonez
commented
2 years ago Very interesting issue.
- ZipCrypto (i.e., classic Zip encryption) is unsafe.
Most users want the most compatible encrypted file and that's why ZipCrypto is still the default for ZIP and a warning is shown when using AES https://github.com/aonez/Keka/issues/363. Indeed is not a bad idea to add some warning/tip noting that ZipCrypto is widely supported but a legacy, less safe option so users have the opportunity to read about it.
2. AES encryption needs a decently long password depending on key length (e.g., 128-bit => 23 characters). So anything less should issue a warning dialog.
Was not aware of that one. Can you provide some reference?
3. Oddly, Windows 10 7-Zip won't allow passwords longer than 63 characters apparently, which makes interoperability an issues and should issue a warning.
I'm unable to reproduce this one with 7-Zip in Windows. Tried with 90+ characters passwords, both in ZipCrypto and AES and all worked properly. It does indeed fail with bundled Windows extraction limited support of ZIP (ZipCrypto only), so you're right a warning should be issues when using both ZipCrypto and passwords longer than 63 characters.
Configuration
Describe the bug
For anybody that care about security, there are some warnings that should be issued:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect warning messages that encourage security.
Current behavior
I get a warning recommending away from AES encryption and no issues with password length.
Additional information
On Windows 10, 7-Zip supports AES and it's free.