Quoting: For archives that use traditional encryption, ARCHPR recovery speed is about 15 million passwords per second (on Pentium 4 CPU), and so the "practical limit" for brute-force attack is about 10 characters. In addition, the "known-plaintext" attack is available: in most cases, it doesn't recover the password, but allows you to get the encryption keys, and the archive can be decrypted so you will not need the password to get in. This attack usually takes 10-15 minutes (and the time does not depend on the password length). Unfortunately, it is not always applicable.
Also, due to the weakness of the WinZip (versions up to 8.0) implementation of the ZIP encryption algorithm, guaranteed recovery is available for many WinZip archives (with 5 or more encrypted files). As with the known-plaintext attack, ARCHPR finds the decryption keys, so the password isn't even needed. This attack is also very fast and takes a few hours at most (in most cases – 15-20 minutes).
RAR 2.9/3.x encryption is even better (see UnRAR sources for details) – recovery speed is extremely low, just a few passwords per second. So for such archives, brute-force attack is almost useless...
All the popular foreign software, especially the commercial kind, is deliberately built this way (which bears on the question of where TrueCrypt went). So all that's left is to hope for either the tough Chelyabinsk programmers or open source.
[ZX]
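Added example, not part of the post above and not ARCHPR code: a defender-side audit that reads a ZIP's central directory and reports which entries still use the traditional encryption the quote describes, as opposed to WinZip AES. The function names and the sample archive are constructed for illustration; the sample's payloads are not really encrypted, only its header fields are patched.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # WinZip AE-x marks AES entries with compression method 99
FLAG_ENCRYPTED = 0x01  # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x40     # general-purpose bit 6: PKWARE strong encryption

def classify(info):
    """Return 'none', 'zipcrypto' (traditional), 'aes' or 'pkware-strong'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    return "zipcrypto"

def audit(data):
    """Map entry name -> encryption class, using only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def legacy_entries(data):
    """Names of entries that should be re-archived with a stronger scheme."""
    return sorted(n for n, c in audit(data).items() if c == "zipcrypto")

def constructed_sample():
    """Constructed archive: three stored files with hand-patched header fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.txt", "legacy.txt", "aes.txt"):
            zf.writestr(name, b"demo")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")  # first central-directory header
    for flags, method in ((0, 0), (FLAG_ENCRYPTED, 0), (FLAG_ENCRYPTED, AES_METHOD)):
        # flags live at offset 8 and method at offset 10 of a central header
        struct.pack_into("<HH", raw, pos + 8, flags, method)
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

if __name__ == "__main__":
    for name, kind in audit(constructed_sample()).items():
        print(f"{name}: {kind}")
```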