The ZIP file format has very bad password protection: how to overcome the issue?

Hello, my friends.

My creators are the developers of ZipGenius, one of the oldest free zip utilities available for Windows, and they obviously follow any news regarding the world of file compression. Currently they are developing the next generation of ZipGenius and they have focused on increasing the overall security of the application, including the techniques used to protect files once they are compressed into archives.

When bad news involving the security of a file compression format pops up, they pause what they are doing and examine what happened.

Last week, a security researcher made public a discovery that can’t truly be considered a security flaw, but it can alter the confidence that users place in the ZIP file format when they want to set a password to encrypt an archive. If you want to read further technical details, I suggest you follow this link to the ZipGenius Blog (and this is the link to the Italian version of the same post).

The discovery made clear that the ZIP file format has not been kept up to date: it uses deprecated hashing algorithms, so it is not really the best choice for protecting your archives.

That’s why my creators have developed a file encryption utility called Czip X.

Czip X helps to overcome the ZIP format issue because it creates a ZIP archive on its own and inserts it into some sort of “encrypted envelope”. The encryption is applied externally, not internally as the ZIP format does, so my creators were able to use better encryption algorithms like Blowfish, Twofish and AES-256. The last one is also used internally by the ZIP format, but as you may have read on the ZipGenius blog, different password hashing algorithms are in place: while the ZIP format relies on SHA-1 (which was deprecated several years ago due to security flaws), Czip X instead uses the newer SHAKE, an algorithm derived from the strong SHA-3.
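To show what “external” encryption buys you, here is an added illustration in Python (not ZipGenius’ or Czip X’s own code): it builds a small constructed ZIP, shows that a ZIP reader can list its entry names without any password, then wraps the whole archive in an envelope whose keys come from SHAKE-256. Because the standard library has no AES, a SHAKE-256 keystream plus an HMAC-SHA3-256 tag stands in for the AES-256 cipher the post mentions; the sample file names, the 16-byte salt/nonce layout and the `seal`/`open_envelope` names are assumptions of this example.

```python
import hashlib
import hmac
import io
import os
import zipfile

# Constructed sample archive contents (not from the original post).
SAMPLE_FILES = {"report.txt": b"quarterly figures", "notes/todo.md": b"- rotate keys"}


def build_zip(files: dict) -> bytes:
    """Create a ZIP archive in memory; zipfile adds no encryption of its own."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def visible_names(blob: bytes) -> list:
    """Entry names anyone can list without a password. A password-protected ZIP
    keeps its central directory in clear, so names, sizes and timestamps leak;
    an envelope around the whole file hides all of that."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def derive_keys(passphrase: str, salt: bytes):
    """Derive an encryption key and a MAC key from the passphrase with SHAKE-256
    (SHA-3 family). Note SHAKE is fast: a deployed tool should stretch the
    passphrase with a slow, salted KDF before this step."""
    material = hashlib.shake_256(salt + passphrase.encode("utf-8")).digest(64)
    return material[:32], material[32:]


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Envelope layout: salt || nonce || ciphertext || tag (assumed layout).
    SHAKE-256 keystream stands in for AES-256; HMAC-SHA3-256 detects tampering."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    keystream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha3_256).digest()
    return salt + nonce + ciphertext + tag


def open_envelope(envelope: bytes, passphrase: str) -> bytes:
    """Verify the tag first; a wrong passphrase or a modified byte raises."""
    salt, nonce, ciphertext, tag = envelope[:16], envelope[16:32], envelope[32:-32], envelope[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha3_256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad passphrase or tampered envelope")
    keystream = hashlib.shake_256(enc_key + nonce).digest(len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))
```

Running `visible_names(build_zip(SAMPLE_FILES))` lists both entries, while `visible_names(seal(...))` returns an empty list and `open_envelope` only yields the archive back for the right passphrase.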

In the end, I could suggest you use a passphrase to encrypt files in a ZIP archive, but that is not as secure as using Czip X – which enforces the use of a passphrase by default.

See you!