ZIPHACK.TXT

ZIPHACK V 1.0   Release date April 4, 1998

Please read the following, then refer to Manual.txt

Thank you for downloading this program! So what is Ziphack?
 Ziphack is a simple program to retrieve and unzip a password zipped
 file that was archived using Pkzip. I'll be the first to admit that
 there aren't many reasons to need to do this, but I forgot my
 password one time and maybe you have too. I will tell you right now
 that this program is mostly useless. Read further to find out why
 it works in theory only.

This program was more or less written as an experiment one day, to teach
myself about - 1. The combinations of letters/numbers that form words,
                   passwords, and numerical systems
               2. My personal discovery of
                         THE WORST AND HARDEST WAY TO FIND A PASSWORD

Furthermore, I've distributed this program onto the internet to teach
you a few things

    1. Why do companies and other things require you to have a longer
    password? Have you ever tried to have a password of 2 letters?
    Did the operator or whoever respond by asking for a longer password?
     
The mathematical theories behind the counting system used by this
program are very interesting. Programmers, refer to PROGRAM.TXT later.


Basic theory behind Ziphack :

Before you get too excited about breaking into your friend's zip files,
you must first understand a little bit about Ziphack. First of all,
it will take an extremely long time to work depending on 2 things:

                      A: How fast is your computer
                      B: How many letters is the password
                      C: How many files in the Zip

A. This is very important. A faster computer means faster cracking time.

B. This is perhaps the most important of all.  The more combinations
   there are to try, the longer the program will take to work. So a
   password has one extra letter, no big deal, huh? Well, the
   number of combinations a password can have depends on the length
   of the password and the number of possible characters used.
   For simplicity, assume that a password can only contain the letters
   a to z (all lower case). This means 26 possible characters in any
   place of the password. Simply put, the person uses a letter from
   a to z for each character of the password.
      
              Example ==>          secretpass
                                                       
 Now the length of this password is 10.  But let's say that's all you know.
 So that would make the number of possibilities 26 to the X power,
 where X = length of password.  This is because for each character, there are
 26 possibilities, or better seen as

                     26* 26* 26* 26* 26* 26* 26* 26* 26* 26

On my 200 MHz Pentium MMX, it takes about .1 seconds on average to try one
password for a Zip file. So ideally, it would take 2.6 seconds in the worst
case for a 1 character password. (z is worst case, it's the last to be tried.)
If you do the math, our example password would take roughly 450,000 years,
worst case, to break into.  (zzzzzzzzzz is worst case for 10 letters.)
 Jeez, you say! I don't have that kind of time! Well, it gets worse, pal.
 Most of the time, you have no idea what the length of the password is.
 So that means this program tries all possible sizes as well.
 All passwords of size 1, then size 2, size 3, etc.

 That makes our equation even worse. Now you have to add the values
        26+  26*26  +  26*26*26   +  26*26*26*26
         |     |          |                |
      Size 1   |          |                |
              Size 2      |                |
                         Size 3            |
                                         Size 4              

                               and so on till 26 to the tenth power

             
  So what is our final worst case search time on a Pentium 200 MMX
  if the password is 10 letters and we don't know it?

               Drum roll please.................................
                               about      465,500 years to hack

     ( Note: years have been rounded  a little, but I don't think it
     really makes a difference, unless  you plan to live that long! )
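
The arithmetic above, carried through in Python as an added example (this is
not Ziphack's own code). It assumes the README's figures (a to z only, 0.1
seconds per try) and that candidates are tried shortest first, then in
alphabetical order; the function names are made up for illustration.

```python
import string

ALPHABET = string.ascii_lowercase        # README assumption: a-z only
SECONDS_PER_TRY = 0.1                    # README figure, 200 MHz Pentium MMX
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of candidates of exactly this length: 26 to the X power."""
    return alphabet_size ** length

def keyspace_up_to(max_length, alphabet_size=len(ALPHABET)):
    """Candidates of every size from 1 to max_length (length not known)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))

def tries_until(password, alphabet=ALPHABET):
    """1-based position of a password in the order a, b, ..., z, aa, ab, ...

    Assumed ordering: all size-1 passwords, then size 2, and so on.
    This is counting in bijective base 26, where each letter is a digit
    worth 1 to 26 and there is no zero digit.
    """
    base = len(alphabet)
    position = 0
    for ch in password:
        position = position * base + alphabet.index(ch) + 1
    return position

def years(tries, seconds_per_try=SECONDS_PER_TRY):
    """Convert a number of tries into years of wall-clock time."""
    return tries * seconds_per_try / SECONDS_PER_YEAR

if __name__ == "__main__":
    print("length known, 10 letters  : %.0f years" % years(keyspace(10)))
    print("length unknown, up to 10  : %.0f years" % years(keyspace_up_to(10)))
    print("'secretpass' is reached at: %.0f years"
          % years(tries_until("secretpass")))
    # Each extra letter multiplies the work by the alphabet size.
    for n in (4, 6, 8, 10):
        print("up to %2d letters: %d candidates" % (n, keyspace_up_to(n)))
```
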
        

             Now I mentioned earlier that this program is basically worthless
      in real life. If you haven't got that by now, then time must have no
      real meaning to you or I'm amazed that you knew how to open this
      document.  But it is fun to try this program for yourself and see
      the results.  If someone passworded a zip file with 4 letters, well
      it should take a little less than a week in worst case.  What lesson
      should you learn from this? If you want your information private,
      use longer passwords. This is especially true for phone services that
      you set passwords for. Incidentally, AT&T set up a password system
      for certain 800 numbers to keep people from getting calls they don't
      want.  I discovered such a number one day when I called a wrong number.
      But get this - the instant you hit a wrong number of the password, you
      got an error message from the automated system stating - "That is not
      the correct password". Problem with this?

I simply called back, and tried every number 0-9 until I didn't get the
error message.  That meant I had letter (Number) 1 of the password. I then
repeated the process until I had all 4 numbers. It took about 15 minutes.
Sound like a flaw? You bet it was, and I imagine I wasn't the only one to
discover it. For a while the system stayed in place, but since then almost
every phone password system waits until you are done entering every number
to tell you if you are right or wrong, thus leaving you without a clue
if you're close or not. Why am I telling you this? Well, it's not to encourage
you to go find one of these systems, and it's not to tell you, the reader,
how much free time I really have, but so that you learn from AT&T's mistake.
If AT&T could be that dumb, then so can you or me! So if you are a
programmer, and write a password protection routine, know this:
Never give any clue as to how close the person is to the password,
not the length of it, and certainly don't make AT&T's blunder!
Also, if you have an answering machine, and can customize your password,
I recommend using a password of at least 3 numbers!
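
For programmers, the flaw described above next to its fix, as an added Python
example (not part of Ziphack and not the phone system's code). The PIN and all
function names are constructed for illustration; the counts show why feedback
on each digit turns 10,000 possible entries into at most 40.

```python
import hmac

SAMPLE_PIN = "4096"     # constructed sample value, 4 digits as in the story
DIGITS = "0123456789"

def leaky_check(secret, entered):
    """Flawed design: complain at the first wrong digit.

    Returns (accepted, digits_taken_before_error). The second value is the
    clue the caller should never get.
    """
    for i, digit in enumerate(entered):
        if i >= len(secret) or digit != secret[i]:
            return False, i
    return len(entered) == len(secret), len(entered)

def safe_check(secret, entered):
    """Fixed design: take the whole entry, then give one yes/no answer.

    hmac.compare_digest also keeps the comparison time independent of
    where the first mismatch is, so timing is not a clue either.
    """
    return hmac.compare_digest(secret.encode(), entered.encode())

def worst_case_entries(length, symbols=len(DIGITS)):
    """Worst-case entries needed: (with per-digit feedback, without)."""
    return symbols * length, symbols ** length

def entries_needed_with_feedback(secret):
    """Count the entries the digit-by-digit clue makes sufficient."""
    known, entries = "", 0
    while len(known) < len(secret):
        for d in DIGITS:
            entries += 1
            _, taken = leaky_check(secret, known + d)
            if taken > len(known):       # no error on this digit
                known += d
                break
    return entries

if __name__ == "__main__":
    with_clue, without_clue = worst_case_entries(len(SAMPLE_PIN))
    print("worst case with per-digit feedback :", with_clue)
    print("worst case with whole-entry answer :", without_clue)
    print("entries for the sample PIN         :",
          entries_needed_with_feedback(SAMPLE_PIN))
```
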


What conclusions can be drawn from all of this?
 In the very near future your password will have to be longer.
 Not by much, mind you, because of the exponential increase of possibility.
 But consider this: 7 years ago 3 or 4 letters would have been enough
 for your password, back in the days of the 286 and 386, but now
 a new Pentium II 333 MHz would kill that password in nice timing!
 If you find this program useful, please let me know!
  Have phun!
 

                                             ===>   Mr.Pibb
 
       Questions, Comments, Correct me? - MRFAKE@HOTMAIL.COM
    
