is exactly as hard to crack as a single file with a password as long as the lengths of those two passwords added together, correct? (Just making sure…)
No, it is easier. Essentially you know when you get the first half of the password correct. If you encrypt it with one password twice as long, then you have to find the whole password at once.
Think of it this way. Suppose you had a 5-digit password. There are 100,000 possible combinations (00000-99999).
So if you had two 5-digit passwords, it would take you a maximum of 200,000 attempts to brute-force them. If you had one 6-digit password, it would take you up to 1,000,000 attempts.
And it is also important to realise that repeating encryption does not make encryption harder to crack - in fact, in many cases it can expose weaknesses that an attacker can use to find the plaintext.
A trivial example: ROT-13 is a transposition cypher - A->N, B->O etc.
Apply ROT-13 twice to get A->A, B->B etc.
It is a silly example, but it illustrates a real truth.
For the OP, an issue is that your 1st stage zip file will not be compressed any further in the second zip, and so will be directly stored. This exposes the zip file headers to a plaintext style attack. You have also applied the same symmetric encryption twice. Stripping off the first lot of zip headers is pretty easy, and you can launch known plaintext attacks on the second set of zip file headers. Later zip versions that use AES encryption may be safer as AES uses a longer key, but it is still not a recommended approach.
Si
Of course, applying any half-decent encryption twice will not hurt security, since if it did, then the first thing an attacker would do is re-apply the encryption. It may, however, not help security any.
Doh. Duh. And Thanks.
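The guess counts from the replies above (two 5-digit passwords versus one 6-digit password), measured rather than asserted. This is an added example, not code from any poster in the thread; it assumes each layer lets a guess be checked on its own, modelled here by a salted SHA-256 check value (`make_layer`, `guesses_to_open`, `layered_cost` and `single_cost` are hypothetical names), and it generalizes to any two n-digit passwords versus one 2n-digit password.

```python
import hashlib
from itertools import product

DIGITS = "0123456789"


def make_layer(password, salt):
    """Toy stand-in for one password-protected layer (assumption): it keeps
    only a salted check value, which is what tells a guesser 'that was right'."""
    return salt, hashlib.sha256(salt + password.encode()).digest()


def guesses_to_open(layer, length):
    """Count guesses, in order 00..0 to 99..9, until this layer's check matches."""
    salt, check = layer
    for attempts, combo in enumerate(product(DIGITS, repeat=length), start=1):
        guess = "".join(combo).encode()
        if hashlib.sha256(salt + guess).digest() == check:
            return attempts
    raise ValueError("password is not a digit string of the given length")


def layered_cost(outer_pw, inner_pw):
    """Two nested layers: the outer check confirms the first password by
    itself, so the two searches add up instead of multiplying."""
    outer = make_layer(outer_pw, b"constructed-salt-outer")
    inner = make_layer(inner_pw, b"constructed-salt-inner")
    return (guesses_to_open(outer, len(outer_pw))
            + guesses_to_open(inner, len(inner_pw)))


def single_cost(password):
    """One layer, one password: nothing confirms a partial guess."""
    layer = make_layer(password, b"constructed-salt-single")
    return guesses_to_open(layer, len(password))


if __name__ == "__main__":
    # Worst case for each search is the all-nines password (constructed inputs).
    print("two 5-digit layers :", layered_cost("99999", "99999"))
    print("one 6-digit layer  :", single_cost("999999"))
    # Computed, not searched: one password as long as both 5-digit ones together.
    print("one 10-digit layer :", 10 ** 10)
```

The last figure is the one the original question assumed: a single 10-digit password has 10,000,000,000 combinations, against a worst case of 200,000 guesses for the two nested 5-digit layers.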