At 02:23 AM 6/24/2005, you wrote:
>Date: Tue, 21 Jun 2005 14:58:16 -0500
>From: Anna Summers <[log in to unmask]>
>Subject: Re: Password XP
>
>---I read the information at the site (is this a site selling a particular
>encryption program?), and I am still confused.

No, he is explaining the security levels of different bit encryption levels.

>Is it saying that selecting 256-bit AES encryption in WinZip is meaningless
>unless you use a password 32 characters long?

No, he is simply saying that the time it takes to overcome an encrypted key (they are not passwords) grows exponentially as you increase the length, and randomness, of the characters in the key.

>Is it saying that WinZip 256-bit AES encryption (using a 12-char password)
>can be deciphered WITHOUT the password, by de-crypting the encryption, in 4
>hours?

No ... and it's not a password... it's a key.

>What role do my hardware and software firewalls play in this? If Zone Alarm
>prevents anything being sent from my computer without my knowledge and
>permission, how could someone get the information that was on my computer in
>the first place?

Your risk from hackers will come from dangerous web sites that try to run code on your computer, Trojan horses that hide on your computer and allow others to access your files, spyware that watches you and reports back, or changes to home pages, bookmarks, etc. Point to point file access programs, like Bit Torrent, which leaves you vulnerable to others who may have access to your files, running an FTP server, web server, anything that invites people in and allows them to run scripts or programs.

If you are using a reputable anti virus scanner that is regularly updated, is running in the background, and which does full (every file) scans weekly.

And you have a hardware router with its own firewall

And you have a software firewall like ZoneAlarm that warns you when programs attempt to access the Internet

And you are using a spyware program that runs in the background.... like Spy Sweeper,... or Adaware or Spybot and are manually updating and running them weekly

And you take prudent file sharing precautions ... like turning off file sharing on sensitive folders, or volumes that don't need to be shared.

And you aren't doing anything like running a web server, ftp site, allowing remote access, or any kind of point to point file sharing, unless you REALLY understand the risks.

And you keep up weekly with all of Microsoft's critical updates

If you are doing all this then you have no risk from online attack.

However, if someone has physical access to your computer then you may be at risk in ways you haven't thought about. You say nobody but you has access to your computer. OK... but suppose somebody stole it. What would they have access to, what kind of damage could they do to you?

If you have zipped up your sensitive files, and 256 AES encrypted them... AND you haven't left temp files, with the data on them, or copies of them scattered around... And you have used an 8 or 12 character password, then you are fine. No one, nowhere, will, at least with today's hardware, be able to crack the key.

However, you are thinking about this wrong. A password is just that, a group of characters that, once presented, allow access to whatever. A gate keeper. But an encrypted key is <part of the code> of the file itself. Unless the key is incorporated in the file, then the file is worthless.

A key can be in the form of a group of characters that you present, like Winzip, ...or better, in a tiny file containing randomly generated characters to the total permitted length of the encryption you are using. A key file is far better than an 8, 12, 16, 20 or bigger group of characters that you input. These keys are made by the program that is encrypting the data. To open the file you need the key. Nobody but "Data" could remember a 56, or greater, randomly generated key, so you have a file that you keep off your computer on some other media.

The difference with the key is that you don't open a particular file, you open up a virtual drive. It is a single file, but the computer will see it as a volume. Everything you do with a normal volume you can do with this one. But everything you put on the volume becomes encrypted.

Winzip uses real encryption but with a password type interface. Nothing wrong with that or your 8.. was it? character password.

I have read that a computer club, using all of its computers in a cluster, was able to crack a 16 character DES key in about 24 hours. DES is a bit old for today's hardware; however, that is a lot of computers, working flat out, for 24 hours. DES3, Blowfish, and AES are a whole different level of encryption. Not even the CIA, using super computers, could crack a full length key in any kind of reasonable time frame. This is why law enforcement doesn't like encryption, and why they have always asked, at least in the US, for some kind of back door, which kind of defeats the purpose of encryption.

When evaluating your security, look to the weakest link. If you have things set up right, the weak points are usually the single password that accesses other keys and passwords, and your trust in the manufacturer of the software of the encryption program you are using. I trust Winzip as a manufacturer. However, I will be happier with them when they get around to having an AES256 self extracting program.

The short answer to all this is: Stop worrying... you're fine.

Rode
The NOSPIN Group
http://www.freepctech.com/rode/

>Thanks for the help - I feel like a dummy about this,
>AnnaSummers---

PCSOFT's List Owners:
Bob Wright<[log in to unmask]>
Drew Dunn<[log in to unmask]>
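
The relationship between a typed password and a 256-bit key, which the exchange above turns on, as an added example (not part of the original email and not WinZip's code). The function names are hypothetical, and the PBKDF2-HMAC-SHA1 parameters (1000 iterations, 16-byte salt) are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets


def password_bits(length, alphabet_size):
    """Upper bound on entropy (bits) of a uniformly random password."""
    return length * math.log2(alphabet_size)


def effective_key_bits(length, alphabet_size, cipher_bits=256):
    """Search effort is limited by the weaker of password and cipher key."""
    return min(cipher_bits, password_bits(length, alphabet_size))


def min_length_for(cipher_bits, alphabet_size):
    """Shortest random password whose entropy reaches the cipher key size."""
    return math.ceil(cipher_bits / math.log2(alphabet_size))


def derive_key(password, salt, iterations=1000, key_len=32):
    """Stretch a typed password into a 256-bit key (assumed parameters)."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, iterations, key_len
    )


def new_key_file_bytes(key_len=32):
    """A key-file style secret: key_len bytes from the OS random source."""
    return secrets.token_bytes(key_len)


if __name__ == "__main__":
    # Constructed sample inputs: (length, alphabet size) pairs.
    for length, alphabet in [(8, 26), (12, 94), (40, 94), (32, 256)]:
        bits = effective_key_bits(length, alphabet)
        print(f"{length:>2} chars from {alphabet:>3} symbols -> {bits:6.1f} bits")

    salt = secrets.token_bytes(16)
    key = derive_key("constructed sample password", salt)
    print("derived key:", key.hex())
    print("key file   :", new_key_file_bytes().hex())
```

The derived key is always 256 bits long, but an exhaustive search only has to cover the passwords that could have produced it, which is why the password entropy and not the cipher key size sets the bound for short passwords.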