Modern strong encryption

    WinZip AES-256 — Hashcat Mode 13600

    TL;DR — WinZip 9.0 (2003) introduced AES-128 and AES-256 encryption for ZIP archives, formalised as the AE-1 and AE-2 specifications. AE-2 (the modern default) uses AES-256 in CTR mode with PBKDF2-SHA1 (1000 iterations). The cipher is sound; recovery feasibility depends entirely on password complexity, similar to modern Office documents.

    AE-1 vs AE-2

    WinZip's original AES extension (AE-1) included a CRC32 of the plaintext in the encrypted block. This was discovered to leak information; AE-2 (still AES-256 in CTR mode) zeroes out the CRC field, plugging the leak.

    Hashcat mode 13600 covers both AE-1 and AE-2 — the cryptographic core is identical. The difference is in the verification path.

    PBKDF2 key derivation

    WinZip AES uses PBKDF2-HMAC-SHA1 with 1000 iterations to derive the AES-256 key from the password. By 2026 standards, 1000 iterations is low (NIST SP 800-132 suggests 100,000+).

    Per-password GPU verification is fast: roughly 100,000+ candidates per second on a high-end GPU. This means brute-force throughput is high — the binding constraint is password search space, not KDF cost.

    Recovery realism

    Same as any modern strong-cipher format: short or predictable passwords are recoverable; high-entropy random passwords typically aren't.

    We don't publish specific success rates because they vary so much with password type. The free check phase reveals which side of the line your archive is on.

    Identification

    WinZip AES uses extra fields in the local file header (general-purpose flag bit 6 + AES extra field with vendor ID 'AE'). Tools like 7-Zip and unzip -v print 'AES-256' for these entries.
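
    The identification step above can also be done in code. This is an added example, not code from the original page or from WinZip or Hashcat: it walks each entry's extra field looking for the AES record with vendor ID 'AE' and reports the AE version and key size. Assumptions not stated on the page: extra-field header ID 0x9901, compression method 99, general-purpose bit 0 as the generic "encrypted" flag, and the record layout, all taken from the WinZip AES specification; the function names are hypothetical and the sample archive is constructed (headers only, no ciphertext).

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901                    # WinZip AES extra-field header ID (assumption: from the spec)
KEY_BITS = {1: 128, 2: 192, 3: 256}      # strength byte -> AES key size

def parse_aes_extra(extra):
    """Walk the TLV extra field; return (ae_version, key_bits, real_method) or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            version, vendor, strength, method = struct.unpack_from("<H2sBH", body)
            if vendor == b"AE":
                return version, KEY_BITS.get(strength), method
        pos += 4 + size
    return None

def classify(zip_bytes):
    """Map each entry name to 'AE-n AES-bits', 'ZipCrypto' or 'none'."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():       # reads the central directory only, never decrypts
            aes = parse_aes_extra(info.extra)
            if aes and info.compress_type == 99:
                kind = f"AE-{aes[0]} AES-{aes[1]}"
            else:                        # encrypted without an AES record: assumed traditional ZipCrypto
                kind = "ZipCrypto" if info.flag_bits & 0x1 else "none"
            result[info.filename] = kind
    return result

def build_sample():
    """Constructed, headers-only archive with one entry of each kind (demo input)."""
    aes = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)   # AE-2, AES-256, deflate
    entries = [(b"aes.bin", 0x1, 99, aes), (b"legacy.bin", 0x1, 8, b""), (b"plain.txt", 0, 0, b"")]
    local = central = b""
    for name, flags, method, extra in entries:
        offset = len(local)
        local += struct.pack("<4s5H3I2H", b"PK\x03\x04", 51, flags, method, 0, 0x21,
                             0, 0, 0, len(name), len(extra)) + name + extra
        central += struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 51, 51, flags, method, 0, 0x21,
                               0, 0, 0, len(name), len(extra), 0, 0, 0, 0, offset) + name + extra
    eocd = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

if __name__ == "__main__":
    print(classify(build_sample()))
```

    Run against real archive bytes, `classify` makes it easy to inventory which entries still rely on ZipCrypto and which carry an AE-1 or AE-2 record.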

    Frequently Asked Questions

    Is mode 13600 categorically harder than mode 17200?
    Yes. Mode 13600 uses AES-256 with no known practical attacks. Mode 17200 uses ZipCrypto with structural weaknesses. Same archive container, very different security.
    Why is PBKDF2 only 1000 iterations?
    WinZip set this in 2003 when 1000 was reasonable. Updating it would break backward compatibility. Modern alternatives (7-Zip, RAR5) use higher iteration counts.
    Can I tell from inspection which mode my ZIP uses?
    Yes. unzip -v or 7-Zip prints 'AES-256' for mode 13600 vs 'ZipCrypto' for mode 17200. The general-purpose flag bit 6 also disambiguates.
    Is AES-256 ZIP secure long-term?
    AES-256 is considered quantum-resistant for confidentiality. The weak point is the low-iteration PBKDF2 — for owner recovery, that means 'feasible if password is weak; infeasible if password is strong'.
    What about WinZip 26+ stronger options?
    Modern WinZip allows higher PBKDF2 iteration counts via advanced settings, but the default for compatibility remains 1000.
