
An encrypted ZIP file can have two correct passwords — here's why
2022-08-21 16:27

Did you know it is possible for an encrypted ZIP file to have two correct passwords, with both producing the same outcome when the ZIP is extracted?

While the ZIP was encrypted with the longer password, using either password extracted the archive successfully.

When producing a password-protected ZIP archive in AES-256 mode, the ZIP format derives the key with the PBKDF2 algorithm, and if the password supplied by the user is too long, PBKDF2 first hashes it, so that hash itself also works as a password.
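The following is an added example, not code from the original article. It assumes the WinZip AES parameters (PBKDF2 with HMAC-SHA1, 1000 iterations); HMAC-SHA1 replaces any key longer than its 64-byte block with the key's SHA-1 digest (RFC 2104), which is why a long password and its 20-byte SHA-1 digest derive the same key. The salt and the passwords below are constructed sample values.

```python
import hashlib

# Assumed WinZip AES parameters: PBKDF2-HMAC-SHA1, 1000 iterations.
PBKDF2_ITERATIONS = 1000
HMAC_SHA1_BLOCK_SIZE = 64  # HMAC pre-hashes keys longer than this


def equivalent_password(password: bytes):
    """Return the second valid password for `password`, or None if there is none.

    HMAC-SHA1 hashes a key longer than 64 bytes down to its 20-byte SHA-1
    digest before use, so that digest is accepted just like the original.
    """
    if len(password) <= HMAC_SHA1_BLOCK_SIZE:
        return None
    return hashlib.sha1(password).digest()


def derive_zip_key(password: bytes, salt: bytes, key_len: int = 32) -> bytes:
    """Derive AES key material the way a WinZip-AES writer would (AES-256: 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS, key_len)


def same_key(password: bytes, salt: bytes) -> bool:
    """True if the alternate password derives exactly the same key as `password`."""
    alt = equivalent_password(password)
    if alt is None:
        return False
    return derive_zip_key(password, salt) == derive_zip_key(alt, salt)


if __name__ == "__main__":
    salt = bytes(range(16))              # constructed 16-byte salt (AES-256 mode)
    long_pw = b"correct horse battery staple " * 3  # 87 bytes, constructed
    print("long password has a twin:", same_key(long_pw, salt))   # True
    print("short password has a twin:", same_key(b"hunter2", salt))  # False
```

The check only confirms that the derived key is identical; a reader still needs the original long password to compute the digest, which is why the article does not treat this as a vulnerability.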

The fact that there are now two possible passwords to the same ZIP does not represent a security vulnerability, "As one still must know the original password in order to generate the hash of the password," the entry further explains.

For most users, creating a password-protected ZIP file with a password of their choice is sufficient, and that is all they need to know.

Should you decide to get adventurous, this experiment provides a peek into one of the many mysteries surrounding encrypted ZIPs, like having two passwords to your guarded secret.
News URL

https://www.bleepingcomputer.com/news/security/an-encrypted-zip-file-can-have-two-correct-passwords-heres-why/