Comments
-
Are the primes known for zip encryption or do they change? Wondering if MS has a backdoor.
-
I have a couple of zip archives for which I have forgotten the password and I wasn't able to brute-force them myself, maybe I could ask Microsoft to do it for me XD.
-
kiki (2y): @We3D if you have a six digit password, the archive format alone won’t save you. It won’t matter if you use zip, rar or 7z. Archive is not your backend, you can’t rate limit or ban requests. Brute force remains a viable option in offline attacks. The only thing that can kinda-sorta save you is bcrypt/scrypt and other blowfish derivatives — they are very slow by design. But I never saw their common adoption in archiving data.
-
We3D (2y): @kiki yep, but since Zip is MS archiver they know the encryption methods, the used spice, and that may make it easier for them to decrypt even longer passes, and when they don't know the used algorithm it should be harder to crack. It was my main point: it may not be rar, but anything out of their control should make it even safer to upload on their servers =]
-
We3D (2y): @Demolishun it should, even that is based on zip as long as M$ don't have access to the source should be safe enough (while still follow @kiki's advice for longer pass too)
-
as usual: _anything_ that's stored in the cloud at any point in time should be considered "compromised"
-
@Demolishun There are no primes involved - it is just good ole symmetric encryption.
If you choose AES256, the bruteforceability solely relies on the password's entropy. So just autogenerate a password with 256 bits of entropy and Microsoft won't decrypt your archive simply because they technically can't.
Microsoft brute-forces password-protected archives in OneDrive.
“Microsoft will decrypt, open, and scan protected Zip archives uploaded to the company's cloud servers in search of potential computer threats. Security researcher Andrew Brandt recently discovered the issue while trying to share malware samples with other researchers through SharePoint.”
This is when I encrypt my archives, I use _very_ long passwords generated by Bitwarden. Like this: qkYdE5i@27yHTTj8YsMDKQ9^mo$j@!P^M4qA95Y5VqR*53otAMuMv$9sdxtF4HAuNdAYoW9RPVxucJ3
Good luck bruteforcing that, Microsoft!
https://techspot.com/news/...
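An added example (not from the thread) that puts numbers on the comments about six-digit passwords, slow key derivation and 256-bit generated passwords. The 70-symbol alphabet, the attacker rate and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed alphabet (70 symbols); a password manager's generator may use a different set.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate_password(target_bits: float = 256, alphabet: str = ALPHABET) -> str:
    """Random password with at least target_bits of entropy, from the OS CSPRNG."""
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))

def work_bits(password_bits: float, kdf_iterations: int = 1, key_bits: int = 256) -> float:
    """log2 of the attacker's worst-case work in basic operations.

    A slow KDF multiplies the cost of every guess, adding log2(iterations) bits.
    The cipher key caps the total: past key_bits, guessing the key is cheaper.
    """
    return min(password_bits + math.log2(kdf_iterations), key_bits)

def seconds_to_exhaust(bits: float, ops_per_second: float) -> float:
    """Worst-case time for an offline search with no rate limiting."""
    return 2.0 ** bits / ops_per_second

if __name__ == "__main__":
    RATE = 1e9  # assumed attacker speed in operations/second, for illustration only
    cases = {
        "6 digits, fast KDF": work_bits(entropy_bits(6, 10)),
        "6 digits, 1,000,000 KDF iterations": work_bits(entropy_bits(6, 10), 1_000_000),
        "generated, 256-bit target": work_bits(entropy_bits(
            length_for_bits(256, len(ALPHABET)), len(ALPHABET))),
    }
    for name, bits in cases.items():
        years = seconds_to_exhaust(bits, RATE) / (365.25 * 24 * 3600)
        print(f"{name}: {bits:.1f} bits, about {years:.3g} years at {RATE:.0e} ops/s")
    print("example password:", generate_password())
```

With this alphabet, 42 random characters already reach the 256-bit key size, so extra length adds typing effort but no additional brute-force resistance.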