Certain ZIP and ARJ archives can be unlocked and decrypted in just minutes, provided that you have at least one unprotected file from that archive at your discretion. It does not matter how long and complex the password is! If you have a file from the encrypted ZIP archive in your hands, the whole archive can be usually unlocked in minutes by applying the known-plaintext attack. Similar ARJ archives are unlocked instantly. Fast recovery available only in case of "classical" encryption, not AES.
We obtained a sample of 15 encrypted files that were sent by insecure email and were able to recover the passwords for 93% (14/15) of the files using commercial password recovery tools. Thirteen of those 14 files (93%) had sensitive health information in them. Therefore, in total 13/15 files were recovered and had PHI (87%). Since we were able to recover passwords using off-the-shelf tools, then it would be quite easy for an unsophisticated adversary to also do so. This result is consistent with previous research showing that health care professionals choose weak passwords to access patient data when there are no restrictions on password strength .
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible. The most secure don't store passwords at all, but a one-way derivation, such as a polynomial, modulus, or an advanced hash function. Roger Needham invented the now-common approach of storing only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, in many implementations, another value known as a salt. A salt prevents attackers from easily building a list of hash values for common passwords and prevents password cracking efforts from scaling across all users. MD5 and SHA1 are frequently used cryptographic hash functions, but they are not recommended for password hashing unless they are used as part of a larger construction such as in PBKDF2. 2b1af7f3a8