WinPassword Online Documentation.

[ WinPassword Home Page ]   [ PasswordTools ]   [ Win 9x ]

Welcome to WinPassword

(c) LastBit Corp.
WinPassword home page: 


About WinPassword
WinPassword (formerly known as NT Password) is an application for NT / 2000 / XP / 2003 / Vista / 2008 / Windows 7 system administrators for finding breaches in system security. It tries to recover plain-text passwords by analyzing user password hashes. If it is possible to recover a password within reasonable time, the password should be considered insecure. Windows Password can also be used to recover lost passwords of particular users. Please note that this program is for advanced users and system administrators with good understanding of the NT security model


Main Features

Quick Technical Overview

Windows does not store user's password; it stores the hash instead. Due to historical reasons, Windows keeps two different types of hashes at the same time: NT hash and LANMAN hash. NT hash is the standard MD4 algorithm appied to user password. Using Unicode allows handling passwords in different languages. It makes difference between uppercase and lowercase letters. LANMAN hash is based upon the DES encryption algorithm. There are two specific features that strongly weaken the security of LANMAN hashes. First, they do not make difference between uppercase and lowercase letters; second - and most important - the password is limited by 14 characters; moreover, those 14 characters are split into two 7-character halves, which are encrypted independently from one another. This allows finding passwords for both parts individually and simultaneously. Besides, neither NT hash, nor LANMAN hash uses salt, and that allows cracking many passwords at once, belonging to different users (even on different computers), and with all that the search speed very little depends on their quantity. Windows could be configured in a way that LANMAN hashes would be disabled - that significantly improves the cryptographic strength and hardens the recovery of passwords. WinPassword supports the recovery with both known LANMAN hash and with just NT hash. In the standard case, when the both types of hashes are available, WinPassword uses the LANMAN hash to find the password and then additionally uses the NT hash to clarify which letters in the password are uppercase, and which ones are lowercase.


Operating speed and time necessary for finding passwords

Password search speed depends on many factors; first of all, on the CPU type and clock. RAM size affects search efficiency insignificantly. The speed can be raised significantly when utilizing GPU. The search speed on a computer with an Intel Core Quad CPU is approximately 26 millions of passwords per second for LANMAN hashes abd 35 millions per second for NT hashes. When using the GPU Nvidia GTX 295, the search speed for NT hashes reaches a billion (!) of passwords per second. When using Smart Rainbow Tables, the typical time for finding a password to a LANMAN hash is several minutes, regardless to the length and complexity of the password. More detailed information on the speed and time is available here.


WinPassword Introduction

The application's main window displays the user list; each item on the list consists of login (user name), password (if found), LANMAN hash, NT hash and optional remark. Normally both LANMAN and NT hashes are present, but it is also possible to have only a LANMAN or NT hash available. WinPassword saves all this information (along with current recovery state) in a task file (.WinPsw file type). Use the standard File | Save or File | Save As menu command to save the task file. If the recovery process is started, current recovery state, as well as found passwords, are stored in the task file too. You can open the task file later and resume the password recovery.

An icon to the left of a login name denotes:

The password is 7 characters or less
The password is more than 7 characters
First 7 characters of the password found*
Second 7 characters of the password found*
Password has NT hash only
The password is not set (empty password)
Password found successfully


* Remember that Windows security system breaks the password in two 7-character parts and encrypts each part individually. This allows finding passwords for both parts individually and simultaneously.  Therefore, it may happen that one part of the password is decrypted, while the other one isn't. In this case, the known part of the password will be displayed, and question marks will be displayed instead of the unknown one.



Main Operations
First of all, you need to obtain the password hashes. Unfortunately there is no straightforward way to do this. The following methods are available:

Note that you can import multiple files into a single project. A single WinPassword project can contain a lot of hashes and recover all them simultaneously.

You can save and then Open a saved WinPassword task (.WinPsw files). This lets you pause the password search process and then resume it.


Once you have got the password hashes to be recovered, use the Audit | Start Recovery menu command to start the recovery process. WinPassword supports three recovery approaches:

We recommend you to read our article Password Recovery Using Universal  Recovery Methods that describes how to use Brute-Force Attack and Dictionary Search. Note that a dictionary is required for the Dictionary Attack. We did not include any dictionaries into the package. If you need one, you can download various dictionaries from  (free of charge).

Autosave is now available. Windows Password will automatically save the project every ten minutes when autosave is enable. Thus, you can pause the recovery process and then resume it later. WinPassword utilizes all resources  


Smart Rainbow Tables

Smart Rainbow Table Recovery is a technique that allows recovering long and complex passwords quickly by using special precomputed tables (so-called Rainbow tables). Currently, Smart Rainbow Tables are available for the recovery of LANMAN hashes only. The support for NT hashes is coming up in the next version. With Smart Rainbow Tables, you can recover arbitrary password within a few minutes. Find more information here.


Cloud Password Recovery

You can rent additional computing power to recover long and complex passwords. Cloud Password Recovery is for NT hashes only. If a LANMAN hash is available, you can recover the password within a reasonable time span using the regular recovery methods or Smart Rainbow Tables. Find more information on the Cloud Password Recovery service here.


Reset Login Password
You can use WinPassword to reset a password and replace it with a known one. Find more information here.


GPU-accelerated Password Recovery

You can utilize the computing power of modern GPUs to significantly raise the operating speed. Depending on the GPU, the speed can raise by tens of times. The current version of the software supports GPU Accelerated Password Recovery only for NT hashes. Find more information here.


Distributed Password Recovery

Distributed Password Recovery allows using multiple computers for speeding up the recovery process. That is especially current for NT hashes. We have implemented the support for distributed password recovery for LANMAN hashes too; however, please keep in mind that with Smart Rainbow Tables within just a few minutes you can recover literally any password by its LANMAN hash, utilizing the resources of just a single computer.

Distributed Password Recovery for LANMAN hashes

You can utilize multiple (up to 8) computers as follows.

  1. You need to purchase the required number of WinPassword Pro licenses (the Standard version does not support distributed password recovery) and install it on each of the computers.

  2. Then prepare the task file and copy it to each of the computers.

  3. On each of the computers, launch WinPassword and then open the task file.

  4. Make sure to have specified identical password recovery parameters on each computer.  In the field "Number of computers", enter the total number of computers (same on each computer), and in the field "This computer index" on the first computer enter 1, on the second one - 2, and so on - enumerate all the computers.

  5. Start the password recovery, and each computer will compute its portion of the task. The required password can be found on any computer.

Distributed Password Recovery for NT hashes

Distributed password recovery for NT hashes can be done with OctoPASS. OctoPASS allows creating very large networks (thousands and even tens of thousands of computers. Further information on OctoPASS is available here.


Miscellaneous Operations


Pro and Standard versions

There are two different WinPassword editions available: Standard and Pro. Please refer to the table below to find out the difference.

  Maximum number of logins in a single task file Smart Rainbow Table Recovery Reset Password to a Known One Distributed Password Recovery (LANMAN hashes) Distributed Password Recovery (NT hashes) GPU Accelerated Password Recovery
Standard Version  5 (i.e. you cannot recover more than 5 passwords at once) NO NO NO YES* NO
Pro Version  32,000 (technical limit) YES YES YES YES* YES


* - OctoPASS is required for distributed password recovery of NT hashes. This is a standalone product and must be licensed separately. Please refer to this web page for further information.


Demo version limitation:
The unregistered DEMO versions display only the first two characters of the found password.

To order the fully-functional version, please visit