How ZIP File Encryption Works (And When It's Actually Secure)

ZIP encryption has a complex history — old algorithms were seriously flawed. Here's the modern state of ZIP encryption and when it's safe to use.

April 20, 2026 · 5 min read

ZIP files are ubiquitous, and most modern archive tools offer a "protect with password" option. But ZIP encryption has a troubled history — the original ZipCrypto algorithm from the 1990s was so weak it was crackable with modern hardware in minutes. The current standard is much better.

ZipCrypto (Legacy — Avoid This)

ZipCrypto was the original ZIP encryption algorithm, introduced in the early 1990s. It used a stream cipher with a 96-bit key that was trivially crackable using known-plaintext attacks. If an attacker knows (or can guess) even a small portion of the plaintext inside the archive, they can recover the key and decrypt the entire ZIP.

Never use ZipCrypto for sensitive files. If your tool offers "ZIP 2.0 encryption" (another label for ZipCrypto), decline.

AES-256 ZIP Encryption (WinZip Standard — Use This)

The WinZip AES extension (standardised in 2003, widely supported today) uses AES-256 with PBKDF2 key derivation and HMAC-SHA1 authentication. This is genuinely strong encryption. 7-Zip, WinZip, WinRAR, and macOS all support AES-256 ZIP encryption.

When creating a password-protected ZIP, look for an option to select AES-256 rather than the legacy "ZipCrypto" or "Traditional PKZIP" algorithm.

Important Caveat: File Names Aren't Encrypted

A critical subtlety: the file names inside a ZIP are stored in the central directory, which is typically not encrypted even when the contents are. An attacker who has your ZIP file can see the names of all files inside — just not their contents. If filenames are sensitive (e.g. "Q3-acquisition-target.docx"), use 7z format with full archive encryption, which encrypts file names as well.
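To check which scheme an existing archive actually uses, and to see that entry names are readable without the password, the sketch below inspects central-directory metadata with Python's standard zipfile module. It is an added example, not code from this article or from any archive tool; the function names and the sample entries are constructed for illustration.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901                    # WinZip AES extra-field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}      # strength byte -> key size in bits

def aes_strength(extra):
    """Walk the extra-field records and return the AES strength byte, if any."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7 and pos + 11 <= len(extra):
            # Layout: version, vendor "AE", strength, real compression method
            _ver, _vendor, strength, _method = struct.unpack_from("<H2sBH", extra, pos + 4)
            return strength
        pos += 4 + size
    return None

def classify(info):
    """Name the encryption scheme recorded for one central-directory entry."""
    if not info.flag_bits & 0x1:          # bit 0: entry is encrypted
        return "none"
    if info.compress_type == 99:          # method 99 marks a WinZip AES entry
        bits = AES_BITS.get(aes_strength(info.extra))
        return f"AES-{bits}" if bits else "AES (unknown strength)"
    if info.flag_bits & 0x40:             # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "ZipCrypto"

def audit(source):
    """List (name, scheme) per entry; no password is needed to read either."""
    with zipfile.ZipFile(source) as zf:
        return [(i.filename, classify(i)) for i in zf.infolist()]

def sample_entries():
    """Constructed central-directory records standing in for a real archive."""
    aes = zipfile.ZipInfo("Q3-acquisition-target.docx")
    aes.flag_bits, aes.compress_type = 0x1, 99
    aes.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    legacy = zipfile.ZipInfo("notes.txt")
    legacy.flag_bits, legacy.compress_type = 0x1, zipfile.ZIP_DEFLATED
    return [aes, legacy, zipfile.ZipInfo("readme.txt")]

if __name__ == "__main__":
    for info in sample_entries():
        print(f"{info.filename:30} {classify(info)}")
```

Calling audit() with the path of an archive you have received reports the scheme per entry, so a mix of AES and ZipCrypto entries in one file is visible before you rely on it.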

ZIP Encryption and File Sharing

When uploading a large bundle of files to TiniDrop, zipping them with AES-256 encryption before upload gives you end-to-end protection: the contents are secure both in transit (TLS) and at rest (file-level encryption), and recipients need the password to access anything.
