
Password Recovery Methods

We’ll describe different methods of password recovery in this article, along with their distinctive features, conditions under which they can be used, and their pros and cons.

Instant Password Extraction
"Fake" Password Creation
Reset the Password
Brute Force Attack
Dictionary Attack
Smart Force Attack (developed by LastBit)
Known Plain Text Attack
Guaranteed Recovery (developed by LastBit)
Express Recovery (developed by LastBit)
Password Variation
Automatic Mode (LastBit)

 

Instant Password Extraction

Sometimes, the password can be recovered instantly. This is only possible if the password protection is very poorly implemented. An example is MS Access: any password for an MS Access document can be recovered instantly no matter how long it is.

Time Required: Instantly
What is Recovered: Original password
Guaranteed result? Yes (if this method is applicable)
Requisites/Limitations: None
Passwords that can be recovered: Access, Outlook (short passwords), old versions of Word and Excel, French versions of Word and Excel
Pros: This is the method of choice (if it is possible).
Cons: Rarely possible
International/Localization issues: N/A
Supported by the following LastBit software: Access Password, Word Password & Excel Password

 

"Fake" Password Creation

Sometimes it is possible to create a “fake password”. It is different from the original password (and it usually looks quite odd), but it can be used instead of the original password. You can use it to remove the protection from the document or to change the existing password. Unfortunately, you can’t determine the original password this way (the only exception is the case when the password is very short and some additional conditions are met). If you have several documents protected with the same password, you’ll be able to use the same fake password to unlock all of them. The fake password is likely to contain very exotic character combinations, and if you make a mistake typing it you won’t be able to use it. Therefore, fake passwords should be entered very accurately (preferably via the clipboard).

Time Required: Instantly
What is Recovered: "Fake" password
Guaranteed result? Yes (if this method is applicable).
Requisites/Limitations: None
Passwords that can be recovered: Excel (workbook/worksheet protection passwords), Outlook (.pst file password)
Pros: Instant no matter how long the original password is; success is guaranteed. Often this method is the only method possible.
Cons: The original password is not recovered and it can’t be helped.
International/Localization issues: N/A
Supported by the following LastBit software: Excel Password, Outlook Password

 

Reset the Password

Sometimes it is possible to modify the password-protected document in such a way that the document becomes unlocked and the password is not required anymore (remove the password). Another option is to modify the document so that a known password can be used (reset the password to a known one).

Time Required: Not much
What is Recovered: The ability to use the document
Guaranteed result? Yes (if the method is applicable)
Requisites/Limitations: None
Passwords that can be recovered: Word (protection password, password to modify), Excel (workbook/worksheet protection), VBA modules
Pros: Fast no matter how long the password is
Cons: The original password is not recovered. If there are several documents to recover, each of them must be processed individually.
International/Localization issues: N/A
Supported by the following LastBit software: Word Password, Excel Password, VBA Password

 

Brute Force Attack

Brute Force Attack is the most widely known password cracking method. This attack simply tries every possible character combination as a password. To recover a one-character password it is enough to try 26 combinations (‘a’ to ‘z’). It is guaranteed that you will find the password, but when? How long will it take? A two-character password will require 26*26=676 combinations. The number of possible combinations (and therefore the required time) grows rapidly as the length of the password increases, and this method quickly becomes useless. Are you ready to wait two months while your 9-character password is cracked? What about one hundred years for an 11-character password?

Besides the maximal length of the password, you should also specify the character set, i.e. the list of characters that will be included in the combinations. The larger the character set is, the longer the required time is. Here is the problem: usually you have no idea which characters are present in the password. On the one hand, you should specify all possible characters. On the other hand, this can slow things down very much. Unfortunately, there is no general way to determine which character set to use. It is more a question of luck and intuition. The only thing I can recommend is to begin by trying short passwords using the full character set. Then you can increase the password length while simultaneously reducing the character set to keep the required time acceptable.

If the password is case sensitive (this is the most common situation), there is another problem with the case.

There are three options:

1) You can assume that the password was typed in lower case (this is most likely). In this case, the required time will stay the same, but if the password contains upper case letters it will not be recovered.

2) You can try all combinations. The password is guaranteed to be found, but the process slows down significantly. A 7-character lower case password requires about 4 hours to be recovered, but if you would like to try all combinations of upper case and lower case letters, it will require 23 days.

3) The third method is a trade-off. Only the most probable combinations are taken into consideration, for example “password”, “PASSWORD” and “Password”. Complicated combinations like “pAssWOrD” are not. In this particular case the process slows down to one third of the original speed, but there is still a possibility of failure.

You can reduce the amount of time required by using faster computers (only the CPU speed is important; the amount of RAM, the performance of the hard drive and other hardware don’t affect the brute force speed), by using several computers, by choosing the fastest password crackers, or by tuning the brute force parameters wisely and accurately.

You can use our Password Calculator software to estimate the time required for Brute Force Attack.

The table below shows the time required for Brute Force Attack depending on the password length and used character set. It is assumed that the attack is carried out on a single computer and the brute force speed is 500 000 passwords per second.

Length of      Character set
the password   lowercase   lowercase letters   both lowercase and   all printable
               letters     and digits          uppercase letters    ASCII characters
<= 4           instant     instant             instant              2 min
5              instant     2 min               12 min               4 hours
6              10 min      72 min              10 hours             18 days
7              4 hours     43 hours            23 days              4 years
8              4 days      65 days             3 years              463 years
9              4 months    6 years             178 years            44530 years
10             You should have bought a password manager! :-)

 

Bear in mind that the time shown above is the worst possible time. Brute Force Attack tries all password combinations and you don’t know which one of them is correct. If you’re lucky enough, the first combination will succeed. If not, the correct combination will be tried last.

If you are not afraid of formulas: the required time is equal to (C^L) / S / N, where C is the length of the character set, L is the length of the password, S is the number of passwords checked per second, and N is the number of computers used in password recovery.

Important Note: our software is highly optimized and most of it works faster than our competitors’ software. Nevertheless, the amount of time required grows rapidly as the length of the password increases, and that renders Brute Force Attack useless for recovering long passwords. This is the fundamental problem. Our competitors’ software is not able to recover long passwords either. Fortunately, in many cases more efficient recovery methods can be applied, such as Guaranteed Recovery.

Time Required: Very little for short passwords and an absolutely unacceptable amount for long passwords.
What is Recovered: Original password
Guaranteed result? Yes (if the password satisfies the requirements and the required time is acceptable)
Requisites/Limitations: The area of application is limited by the amount of time required.
Passwords that can be recovered: Any password
Pros: Versatility; guaranteed result
Cons: Much time required, along with certain experience and understanding of the process
International/Localization issues: If the password contains non-Latin characters, custom character sets (with these characters included) are required to recover it.
Supported by the following LastBit software: Word Password, Excel Password, Zip Password, VBA Password, OneNote Password, PowerPoint Password, WinPassword, PwlTool
Further reading: Password Calculator

 

Dictionary Attack

Dictionary Attack uses a dictionary. Password crackers will try every word from the dictionary as a password. A good dictionary (also known as a word list) is more than just a dictionary, e.g. you will not find the word “qwerty” in an ordinary dictionary, but it will surely be included in a good word list. Indeed, this combination of characters is commonly used as a password.

Dictionary Attack is usually quite fast. Noticeable delays are possible only if the dictionary is very large. However, the password can be recovered only in case it is present in the dictionary. The probability that this assumption is true is not, in fact, high. Nevertheless, since Dictionary Attack doesn’t take much time, it is recommended to try it before proceeding to the slow Brute Force Attack.

There is a variant of this method called Hybrid Dictionary Attack that significantly increases the probability of success. In this case, the password cracker checks all words in the dictionary along with their variations. These can be, for example, the same words with different digits appended to them. Hybrid Dictionary Attack is noticeably slower than Dictionary Attack: for example, if the variations include words with two digits appended to them, then the process is 100 times slower. In case of 4 digits appended, it is 10 000 times slower.

Time Required: Several minutes. If the dictionary is very large or in case of Hybrid Dictionary Attack the amount of time required can be much larger but it is still acceptable.
What is Recovered: Original password
Guaranteed result? No
Requisites/Limitations: None
Passwords that can be recovered: Any password
Pros: Versatility, little time required
Cons: A small chance of success
International/Localization issues: If the password is not an English word, then it is required to use the dictionary of the appropriate language. We recommend that international users use both an English and a national dictionary.
Supported by the following LastBit software: Word Password, Excel Password, Zip Password, VBA Password, OneNote Password, PowerPoint Password, WinPassword, PwlTool
Further reading: Dictionary download page

 

Smart Force Attack (developed by LastBit)

Smart Force Attack is an advanced Brute Force Attack. This method assumes that the password being recovered consists of letters only and that this combination of letters is meaningful. Smart Force Attack is based on statistical tables built by analyzing a large amount of text. Smart Force Attack can save you time because it doesn’t test meaningless combinations of letters. The effectiveness of Smart Force Attack can be compared to that of Dictionary Attack with a very large dictionary. Smart Force Attack will not find passwords that contain digits or other non-alpha characters. It also doesn’t work with machine-generated “random” passwords. Moreover, there is a possibility that Smart Force Attack will not recover a meaningful password. Nevertheless, Smart Force Attack can check passwords up to 11 characters in length in a reasonable amount of time. Brute Force Attack is useless in such cases.

If you’re not afraid of formulas: the rough estimation of time required is ((C*X/26)^L) / S / N, where C is the length of the character set, X is the SmartForce level, L is the length of the password, S is the speed of recovery (the number of passwords processed per second) and N is the number of computers used for recovery.

Time Required: Very little for short passwords, an absolutely unacceptable amount for long passwords, but still much less than the time required for Brute Force Attack.
What is Recovered: Original password
Guaranteed result? No
Requisites/Limitations: The amount of time required is still the issue, though it is much less of a problem than in case of Brute Force Attack. Machine-generated passwords and passwords containing non-alpha characters cannot be recovered.
Passwords that can be recovered: Any password
Pros: Much faster than Brute Force Attack
Cons: As in case of Brute Force Attack, the amount of time required is large, and certain experience and understanding of the process is required. Moreover, success is not guaranteed.
International/Localization issues: Current version can recover English passwords only.
Supported by the following LastBit software: Word Password, Excel Password, Zip Password, VBA Password, OneNote Password, PowerPoint Password, PwlTool
Further reading: More information on Smart Force Attack

 

Known Plain Text Attack

This method can be used for recovering password protected ZIP-archives. It can be used only if the archive contains several files and at least one of them is available to the user. E.g. the archive contains several Word documents and the user has a copy of one of them unpacked, or the archive contains an executable and several DLLs and among them there are standard DLLs which can be found unencrypted.

Time Required: Several hours
What is Recovered: Unencrypted archive
Guaranteed result? Yes (if this method is applicable)
Requisites/Limitations: An unencrypted copy of one of the files is required.
Passwords that can be recovered: Zip archive password
Pros: Guaranteed result in an acceptable amount of time no matter how long the password is
Cons: The password remains unknown.
International/Localization issues: N/A
Supported by the following LastBit software: Zip Password

 

Guaranteed Recovery (developed by LastBit)

Guaranteed Recovery was developed by LastBit Corp. in 1999. The unique feature of Guaranteed Recovery is the ability to recover any documents in an acceptable amount of time no matter how long the password is. LastBit Corp. was the first company to offer the solution for guaranteed recovery of password protected Word and Excel documents. The users of our password recovery tools are insured against failures and money losses.

In 2004 we developed an improved technology called Express Recovery (see below) that reduced the time required to 2 minutes.

Guaranteed Recovery can be used for Word and Excel documents protected with a password to open. Guaranteed Recovery doesn’t work with old versions of Word and Excel (through Office 95) or French versions of them. In this case it is not needed because the password can be recovered instantly. Guaranteed Recovery doesn’t work with documents protected using the Advanced Encryption feature available in Office XP and 2003. You can use Express Recovery to recover Office XP, 2003 documents only if they were saved in the default (Office 97/2000 compatible) encryption mode. If the document was saved in the advanced encryption mode, Guaranteed Recovery will not work. Unfortunately, in this case only traditional recovery methods can be applied such as Dictionary Search or Brute Force Attack.

If you’re curious: Guaranteed Recovery is a special sort of Brute Force Attack. Formerly, the USA had serious legislative limitations on the export of strong encryption algorithms. Only encryption algorithms with a key length of up to 40 bits could be exported freely. That’s why Microsoft limited the strength of the Office encryption to 40 bits. Guaranteed Recovery performs a brute force attack on the internal 40-bit key instead of the original password. The 40-bit key length means that there are only 2^40 (about a trillion) possible combinations. It is possible to test them all in a reasonable amount of time. However, this is a very computation-intensive task for a single computer, so it is performed in our data center.
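The formula (C^L) / S / N from the Brute Force Attack section and the 40-bit key search described above can be put side by side. The following Python is an added example, not LastBit code; the function names, the 95-character size of the printable ASCII set, and the reuse of the table's 500 000 tests per second for key tests are assumptions. It also computes the password length from which searching the key is cheaper than searching the password.

```python
"""Worst-case search time: password space vs. a fixed 40-bit key space (added example)."""

SPEED = 500_000          # tests per second, the rate the page's table assumes
CHARSETS = {             # C in the page's formula
    "lowercase": 26,
    "lowercase+digits": 36,
    "lower+upper": 52,
    "printable ASCII": 95,   # assumption: 95 printable characters incl. space
}


def brute_force_seconds(charset_size, length, speed=SPEED, computers=1):
    """The page's formula: (C^L) / S / N."""
    return charset_size ** length / speed / computers


def key_search_seconds(key_bits=40, speed=SPEED, computers=1):
    """Exhausting the internal key instead of the password: 2^bits / S / N.

    Assumption: one key test costs the same as one password test.
    """
    return 2 ** key_bits / speed / computers


def crossover_length(charset_size, key_bits=40):
    """Shortest password length whose space exceeds the key space.

    From this length on, a longer password adds no protection, because
    searching the key is the cheaper route.
    """
    length = 1
    while charset_size ** length <= 2 ** key_bits:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits (truncated)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{int(seconds // size)} {unit}"
    return "under a minute"


if __name__ == "__main__":
    for name, c in CHARSETS.items():
        row = [human(brute_force_seconds(c, n)) for n in range(5, 10)]
        print(f"{name:18} {row}  key search cheaper from length {crossover_length(c)}")
    print("40-bit key, one computer:", human(key_search_seconds()))
```

Under these assumptions a single computer exhausts the 40-bit key space in about 25 days, roughly the cost of a 7-character mixed-case password, so passwords longer than the crossover length gain nothing from their extra characters.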

Guaranteed Recovery Peculiarities

Time Required: 24-36 hours
What is Recovered: Unencrypted document
Guaranteed result? Yes (in case this method is applicable)
Requisites/Limitations: None
Passwords that can be recovered: Word and Excel password to open
Pros: Recovery takes an acceptable amount of time regardless of the password length. The method is simple. If the password is too long this is often the only method possible.
Cons: The password remains unknown; if you have several documents to recover, each of them must be processed individually (even if they are encrypted with the same password); per document recovery fee.
International/Localization issues: N/A
Supported by the following LastBit software: Word Password, Excel Password

 

Express Recovery (developed by LastBit)

Express Recovery is an improvement over Guaranteed Recovery. In fact from the point of view of the user the only difference is that Express Recovery requires only a minute to recover the document! Besides this, some Excel documents (about 3% of all documents) are impossible to recover using Express Recovery. In this case Guaranteed Recovery should be used instead.

Time Required: One minute
What is Recovered: Unencrypted document
Guaranteed result? Almost always yes (in case this method is applicable); Express Recovery is impossible for about 3% of documents, then Guaranteed Recovery should be used instead.
Requisites/Limitations: None
Passwords that can be recovered: Word and Excel password to open
Pros: Works very fast regardless of the password length. The method is simple. If the password is too long this is often the only method possible.
Cons: The password remains unknown; if you have several documents to recover, each of them must be processed individually (even if they are encrypted with the same password); per document recovery fee; fails sometimes.
International/Localization issues: N/A
Supported by the following LastBit software: Word Password, Excel Password
Further reading: more information on Express Recovery

 

Password Variation

Often the problem with the password is that it was typed incorrectly. The user can make a mistake or type the password with CAPS LOCK turned on. Moreover, the user often remembers the approximate appearance of the password but fails to recall it in detail. In this case we can take the approximate password and test every possible variant, such as case changes (password -> PASSWORD, Password, PAssword, pASSWORD, etc.), omission of one of the characters, doubling characters, inserting neighboring characters or replacing a character with them, and so on. Usually the number of combinations is not very large and it is possible to test them all in little time.
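A sketch of the variation step described above, as an added example (not Password Variator code): it builds the case changes, omissions, doublings and neighbouring-key slips for one approximate password and counts them. The simplified QWERTY grid and all function names are assumptions.

```python
"""Single-slip variants of an approximately remembered password (added example)."""

# Assumption: a simplified US QWERTY letter grid; adjacency is approximate
# because real key rows are staggered. Extend it for other layouts.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _neighbors(ch):
    """Letters next to `ch` on the assumed grid, in the same case as `ch`."""
    low, out = ch.lower(), set()
    for r, row in enumerate(_ROWS):
        c = row.find(low)
        if c < 0:
            continue
        for rr in range(max(r - 1, 0), min(r + 2, len(_ROWS))):
            out.update(_ROWS[rr][max(c - 1, 0):c + 2])
    out.discard(low)
    return {n.upper() for n in out} if ch.isupper() else out


def case_variants(word):
    """Whole-word case slips: CAPS LOCK left on, Shift held too long."""
    return {
        word, word.lower(), word.upper(), word.capitalize(),
        word.swapcase(),                      # typed with CAPS LOCK on
        word.capitalize().swapcase(),         # e.g. "pASSWORD"
        word[:2].upper() + word[2:].lower(),  # e.g. "PAssword"
    }


def edit_variants(word):
    """One keystroke wrong: omitted, doubled, or a neighbouring key."""
    out = set()
    for i, ch in enumerate(word):
        out.add(word[:i] + word[i + 1:])               # character omitted
        out.add(word[:i] + ch + word[i:])              # character doubled
        for n in _neighbors(ch):
            out.add(word[:i] + n + word[i + 1:])       # neighbour typed instead
            out.add(word[:i] + n + word[i:])           # neighbour inserted before
            out.add(word[:i + 1] + n + word[i + 1:])   # neighbour inserted after
    out.discard("")
    return out


def variations(approx, depth=1):
    """Every candidate within `depth` keystroke slips, in each case form."""
    seen = frontier = {approx}
    for _ in range(depth):
        frontier = {v for w in frontier for v in edit_variants(w)} - seen
        seen = seen | frontier
    return {c for w in seen for c in case_variants(w)}


if __name__ == "__main__":
    for depth in (1, 2):
        print(f"depth {depth}: {len(variations('password', depth))} candidates")
```

The candidate count grows with the variation depth, not with the character set, which is why this approach stays fast for long passwords where Brute Force Attack does not.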

Time Required: Depends on the variation depth, usually little
What is Recovered: Original password
Guaranteed result? No
Requisites/Limitations: The user must know the approximate password
Passwords that can be recovered: Any password
Pros: Works rather fast even in case of long passwords
Cons: Can’t always be applied (only when the approximate password is known); success is not guaranteed
International/Localization issues: N/A
Supported by the following LastBit software: Password Variator, which can be used in combination with every program that supports Dictionary Attack
Further reading: Password Variator home page

 

Automatic Mode (developed by LastBit)

Automatic Mode is not an independent recovery method. We tried to make the recovery process easier and save users from the need to adjust a huge number of parameters. Automatic Mode consecutively uses Dictionary Attack, Brute Force Attack and Smart Force Attack with different settings. We tried to tune these settings in the best way possible. Automatic Mode is the best option for users who don’t want to go deeply into the peculiarities of password recovery and adjust all parameters manually.

 
