Any explanation of Why to not store passwords in plaintext and encrypt folder in zip archive (I guess U cant break pass?) Pls don’t be agressive!!
You can develop apps in a text editor. We don’t do it because we’ve got better tools. Text editor work but developer focused IDE’s work much better and are very convenient.
it may encrypt your password but using kdbx files are much more convenient, efficient, etc.
If your goal is to “self-host” a password manager, you might as well use Keepass + SyncThing.
- free software
- master password protected
- has organization and auto-fill features
- can sync across multiple devices
Usually the downfall of rolling your own password manager is it’s easier to make mistakes and accidentally lock yourself out. Or if you don’t keep backups/replicas then you could easily lose your passwords.
Or self host Bitwarden and you don’t have to bother with syncing the file around.
In many unzip utilities, they use temp files that you wouldn’t be paying attention to. These temp files will contain your credentials and you won’t know where they are or if they got deleted.
And even if they’re deleted by the archive program, it’s likely a normal deletion, and not a secure delete where the original data is overwritten with random data before deleting the entry in the file system, which could be potentially recovered.
Very bad, because the usability of such a scheme would be a nightmare. If you have to unzip the files every time you need a password, that’d be a huge burden. Not to mention that unzipping it all would leave the files there, unprotected, until you delete them again (if you remember deleting them in the first place). If you do leave the plaintext files around, and only encrypt & zip for backing up, that’s worse than just using the plaintext files in the backup too, because it gives you a false sense of security. You want to minimize the amount of time passwords are in the clear.
Just use a password manager like Bitwarden. Simpler, more practical, more secure.
When we wrote malware in labs in college one of the first places we looked was unemptied trash. This is almost certainly a pattern that’s going to leave your crap in trash in plaintext and even the dumbest script kiddie will find it the very first time you slip and something gets in your system.
Zip uses very bad encryption that is vulnerable to a known plaintext attack. Do not ever use PKZIP encryption for any purpose https://github.com/kimci86/bkcrack
Yeah zips have no mechanism to prevent brute forcing as far as I’m aware. You can attempt as many passwords as you want as frequently as you want without any sort of rate limit.
That’s not the issue. You can attempt as many passwords as you want in actually secure password managers as well. KeepassXC for instance IS secure, you can still brute force the password, but because of the hashing algorithm they use it’s extremely hard. With PKZIP if you know some of the words in the file, you can easily guess the password in just a few hours because the encryption algorithm it uses isn’t secure
Both are true. Brute forcing zips is also faster than brute forcing almost anything else. Other formats use key derivation functions like PBKDF2-SHA1 (hundreds of thousands of iterations of sha1) to slow down the calculation of the key from the password, but PKZIP does not do this. Brute forcing zips can be done at 10 billion passwords per second on a typical GPU, whereas rar/7z/keepass are only a few thousand per second.
Here’s an interesting research paper describing both the known plaintext attack and the standard brute force attack https://www.scitepress.org/Papers/2019/73605/73605.pdf
I used to get some documents sent in a password encrypted zip file, they regularly messed up the password, so i ended up just brute forcing them when i received them since it was easier and faster (usually like 15 seconds)
Not very relevant here since i knew roughly the length of the password and it was quite short, but i thought it was pretty funny
