### Why so long to break 128-bit encryption?

• I read that 128-bit encryption takes millions of years to break. But if I encrypt a file using say winzip that uses 128-bit encryption but the password I use is only one character long (for example the character "A") why would it take you millions of years to break in and decrypt my file? Or does 128-bit encryption mean if my password is 128 bits long, then it would take you millions of years to break?

Count to 2^128 and then ask the question again.

• When encrypted data using a password, things go that way:

"128-bit encryption" means that the secret key is a sequence of 128 bits. It tells nothing about the password length or contents.

To break such a file, two possible paths: try all possible passwords until the right one is found, or try all possible secret keys until the right one is found. "Right one is found" means that "decryption works and produces something meaningful / expected.

There are 2128 = 340282366920938463463374607431768211456 possible keys of 128 bits; that's a lot and trying all of them will take millions of years. On the other hand, there are much fewer potential passwords because passwords are chosen by humans with human brains, and human brains are not good at making random choices; also, humans are lazy and will prefer short passwords (easier to remember, easier to type in). Trying all "potential" passwords, i.e. passwords which humans are likely to select, is called a dictionary attack. Any decent password cracking software will first try all possible very short passwords (i.e. 6 letters or less), then try "meaningful words" and derivative. A one-letter password would be cracked within a fraction of a second.