Password Recovery/Cracking FAQ

(c) Pavel Semjanov, 1999-2000, 2006

v. 0.99


I. Main info

  • 1.1. Where can I get the latest version of this FAQ?
  • 1.2. What is a "password cracker"?
  • 1.3. Why is it possible to crack somebody's password?
  • 1.4. What are the main cracking methods?
  • 1.5. What should I do to make my passwords uncrackable?

II. Some theory

  • 2.1. What is the difference between password, key and hash?
  • 2.2. How difficult is it to crack keys of different length?
  • 2.3. How can I estimate time needed to use brute-force for passwords of a certain length?

III. Application passwords

3.1. Archives passwords

  • 3.1.1. Is it possible to crack (ARJ, ZIP, RAR etc) password instantly?
  • 3.1.2. How to recover ZIP passwords?
  • 3.1.3. How to recover RAR passwords?
  • 3.1.4. How to recover ARJ passwords?
  • 3.1.5. Is it possible to crack archives if some of the files are available unencrypted (or uncompressed)?
  • 3.1.6. How can I recover self-extracting archives passwords?

3.2. Microsoft Office passwords

  • 3.2.1. Is it possible to crack Office 95 passwords?
  • 3.2.2. Is it possible to recover Office 97/2000 passwords?
  • 3.2.3. What is the best way to decrypt Word/Excel 97/2000 file with password for opening?
  • 3.2.4. Is it possible to recover Office XP/2003 passwords?
  • 3.2.5. What is the best way to crack Word/Excel XP/2003 file with password for opening?

3.3. Other Office

  • 3.3.1. What about PDF documents protection?

IV. Operating system passwords

4.1. Windows Passwords

  • 4.1.1. How can I log into a Windows NT/2000/XP/2003 computer without knowing the administrator's password?
  • 4.1.2. How can I bypass the administrator's password in the NT/2000/XP/2003 domain?
  • 4.1.3. How can I crack a password in Windows 95/98/Me?
  • 4.1.4. How can I crack a password for Windows shared resources?
  • 4.1.5. I don't have access to the computer. Is it still possible to crack the administrator's password?

4.2. UNIX/Linux, Novell Netware etc passwords

  • 4.2.1. How can I log into a Linux computer without knowing the root password?
  • 4.2.2. What is the encryption-system used in Novell Netware and is it possible to crack it?

V. Internet passwords

  • 5.1. Can I get dial-up passwords?
  • 5.2. Can I decrypt ICQ, POP3, FTP, Telnet password in ... application?
  • 5.3. How can I crack password for e-mail, www-server etc?

VI. Strong and weak encryption software

  • 6.1. What archivers provide the best encryption?
  • 6.2. What are strong file/disk encryption tools?
  • 6.3. What tools are known to be not strong?
  • 6.4. What cryptographic systems or applications have backdoors?

VII. Password recovery software

  • 7.1. Where can I get the password recovery software mentioned above? Where can I get password recovery software for ...?
  • 7.2. The password recovery I have found is shareware/commercial. How to crack it?
  • 7.3. I can't find the necessary cracker. What could I do?
  • 7.4. Is there any software that will help me to write my own cracker?
  • 7.5. What is the best (fastest) cracker for ...?

VIII. Law

  • 8.1. Is password recovery legal?

I. Main info

1.1. Where can I get the latest version of this FAQ?

The main URL is http://password-crackers.com/pwdcrackfaq.html.

1.2. What is a "password cracker"?

A password cracker is any program that can recover passwords or otherwise defeat password protection (for example, decrypt a file without knowing the password). If the protection mechanism uses weak encryption, it is possible to recover the original password, or to find a different one that the program accepts as correct. Otherwise a password cracker falls back to brute force, trying candidate after candidate, often at very high speed.

1.3. Why is it possible to crack somebody's password?

There are many reasons why some passwords can be cracked. They include human factors (short or easily guessed passwords), weak (often proprietary) algorithms, export restrictions that prohibited the use of strong cryptography, incorrect use of strong algorithms, and implementation flaws including backdoors and bugs. This is described in detail in the article "On cryptosystems untrustworthiness".

1.4. What are the main cracking methods?

These methods exploit weaknesses in the cryptographic algorithms and in their implementation.

With an absolutely weak algorithm or a terrible implementation flaw the "one-byte patch" method may work: changing a single byte in the program makes it decrypt correctly without the right password. Surprisingly, such programs still exist.

Weak algorithms, or incorrect use of strong ones, allow other simple recovery methods. They differ from application to application, but the common idea is a substantial reduction of the set of possible passwords on the basis of additional information (a known file header, for example).

With a secure algorithm (when the attacker can do nothing but generate candidate passwords and check them) two basic methods remain: the brute-force attack and the dictionary attack. Brute force is used when nothing is known about the password: the attacker simply tries all possible passwords of one character, then two characters, and so on. To resist it a cryptosystem should encourage long passwords with a mixed character set and should make the password setup (the derivation of the key from the password) deliberately slow, which reduces the brute-force rate by the same factor.

If the cracker knows that the password is a word, he may use a dictionary attack: only the words from a dictionary are tested as candidates. A dictionary contains fewer than 100,000 words, so they can be tested very quickly, in most cases in a few seconds.

The combination of the two attacks above is known as the "syllable attack". It is used when the password is a deformed or non-existent word: the cracker combines syllables to construct such words.

The most powerful attack is the "rule-based attack". It can be used whenever the cracker has some information about the password. For example, he knows that the password consists of a word followed by a one- or two-digit number; he writes that rule and the program generates only the suitable passwords (user1, mind67, snapshot99 and so on). Another example: he knows that the first letter is upper case, the second is a vowel and the length is at most 6. Such information can reduce the number of candidates by a factor of 20-30. The rule-based attack subsumes all the others: brute force, dictionary and syllable attacks are special cases of it.

Finally, some weak algorithms allow a "known-plaintext attack": the cracker has some files, or fragments of files, in unencrypted form and wants to decrypt the others. Strong algorithms resist this attack; knowing an unencrypted file gives the cracker nothing.

1.5. What should I do to make my passwords uncrackable?

First, choose software that uses strong cryptography and implements it correctly (see 6.1 and 6.2). Then always choose passwords that are not words, contain mixed-case letters and digits, and are of reasonable length (not less than 6 symbols; the table in 2.3 shows that 6 is a minimum, not a comfortable margin, so longer is better). The best choice is a randomly generated password, if you can remember it. If you can't, do not write the password down; choose a more convenient one instead, for example the first letters of the words of your favourite phrase (as long as the cracker doesn't know the phrase!). Never use the same password in different systems or on different internet sites.

II. Some theory

2.1. What is the difference between password, key and hash?

These terms, which are quite distinct in cryptography, are often mixed up. A password is the word, phrase or meaningless string of characters that we type when a program asks for it. Programs, however, do not encrypt with the password itself; they derive a key from it. An encryption key is a bit string (of 0s and 1s) of some length; 40-, 64- and 128-bit keys are the most widely used. So to decrypt anything you need to know either the password or the key itself, and an attacker can search for either one (see 3.2.3).

To get a key from a password a hash function is usually used. Hashing is a rather complicated cryptographic function that takes a string of any length as input and produces a bit string of fixed length (the hash) as output. It has two main properties: even a minor change of the input string completely changes the output hash, and it is practically impossible to find the input string from the hash value. This is also why operating systems store password hashes rather than passwords (see 4.1.1): a stored hash lets the system verify a password without keeping it, and an attacker who obtains the hash must still find a password that hashes to it.

2.2. How difficult is it to crack keys of different length?

The longer the key, the harder it is to crack. For example, a 40-bit key could be cracked within a couple of days by anyone using brute force on a home computer of the time of writing. To crack a 64-bit key you need to combine the power of many computers over the internet, and the whole process takes months. As for 128-bit keys, nobody can crack them by brute force at all: neither all the computers in the world working together, nor Microsoft, nor the FSB (provided they have no secret technology unknown to public science). These estimates date from the time of writing; hardware has become far faster since, but 128-bit keys remain out of reach of exhaustive search.

2.3. How can I estimate how long it will take to brute-force passwords of a certain length?

Quite simply. Estimate how many different symbols could have been used in the password (only lower-case latin letters: 26; with digits as well: 36; see the table below), raise that to the power of the password length, and you get the number of all possible candidates for brute force. Then divide this number by the brute-force rate. To find the rate, run the cracker on a test file. If you use n computers, divide the number by n as well. Note that the table gives the worst case (the whole space has to be searched); on average the password is found after half of it.

Table. Number of candidates and time for brute force on one computer at a rate of about 1,000,000 passwords per second (the dot is a thousands separator).

character set: lower-case latin letters (26 symbols)
  3 symbols:   17.576                            0.02 sec
  6 symbols:   308.915.776                       5 min
  8 symbols:   208.827.064.576                   58 hrs
  12 symbols:  95.428.956.661.682.176            3000 years

character set: lower-case latin letters and digits (36 symbols)
  3 symbols:   46.656                            0.04 sec
  6 symbols:   2.176.782.336                     36 min
  8 symbols:   2.821.109.907.456                 32 days
  12 symbols:  4.738.381.338.321.616.896         150.000 years

character set: lower- and upper-case latin letters and digits (62 symbols)
  3 symbols:   238.328                           0.2 sec
  6 symbols:   56.800.235.584                    15 hrs
  8 symbols:   218.340.105.584.896               7 years
  12 symbols:  3.226.266.762.397.899.821.056     100 million years

character set: lower- and upper-case latin letters, digits and special symbols (94 symbols)
  3 symbols:   830.584                           1 sec
  6 symbols:   689.869.781.056                   8 days
  8 symbols:   6.095.689.385.410.816             193 years
  12 symbols:  475.920.314.814.253.376.475.136   longer than the Earth has existed

III. Application passwords

3.1. Archives passwords.

3.1.1. Is it possible to crack ARJ, ZIP, RAR etc password instantly?

No. The archive password is not stored anywhere in the archive, so you can neither extract it nor patch the archiver to skip the password prompt. Archivers compress a file first and then encrypt the compressed data (not the other way round), and store a checksum (CRC) of the original file. On extraction the data is decrypted, decompressed and the checksum is verified; a cracker has to test each candidate password the same way, so there is no instant answer unless the encryption scheme itself is weak (see 3.1.2 and 3.1.4).

3.1.2. How to recover ZIP passwords?

ZIP archivers (pkzip, WinZip versions up to 8.0) use their own encryption algorithm, which is not strong. This causes two practical vulnerabilities. Firstly, a known-plaintext attack is always possible (one unencrypted file from the archive is needed; see 3.1.5). Secondly, if the archive was created with WinZip (up to version 8.0 only) or Info-ZIP and contains 5 or more files, it can be decrypted with guarantee, regardless of the password length and complexity (the weakness is in how those versions generated the random encryption headers of the entries). Both attacks take just a couple of hours on a modern computer. The latest WinZip versions have an option for strong AES encryption; in that case the attacks above do not apply and only brute force can be used. A modern ZIP password cracker should support all of these attacks.
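Added example (not the FAQ's code and not an archiver's source): how a cracker tests candidates against the traditional PKWARE ("ZipCrypto") stream cipher that pkzip and WinZip before AES use, which is the checking procedure 3.1.1 describes. The cipher is implemented from the public format description; the archiver side compresses, prepends the 12-byte header whose last byte is the high byte of the file's CRC-32, and encrypts. The cracker side shows why testing is fast: a wrong password is rejected after decrypting only 12 bytes in 255 cases out of 256, and only the survivors get the full decrypt/decompress/CRC check. The file contents, the password, the candidate list and the fixed 11 header bytes (random in a real archive) are constructed for the demonstration.

```python
import zlib
from typing import Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF

# Standard reflected CRC-32 table (polynomial 0xEDB88320), the same one zlib uses.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    """One CRC-32 step on a raw register (no initial/final inversion), as ZipCrypto uses it."""
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


def deflate(data: bytes) -> bytes:
    """Raw deflate, the compression method ZIP entries use."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate(data: bytes) -> bytes:
    """Raw inflate; raises zlib.error on garbage, which a cracker treats as 'wrong password'."""
    d = zlib.decompressobj(wbits=-15)
    return d.decompress(data) + d.flush()


class ZipCrypto:
    """PKWARE traditional encryption: three 32-bit keys seeded from the password and
    updated by every plaintext byte; each position gets one keystream byte."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & MASK32
        self.k1 = (self.k1 * 134775813 + 1) & MASK32
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def archiver_encrypt(password: bytes, original: bytes, header_prefix: bytes) -> Tuple[bytes, int]:
    """What the archiver does for one entry: compress, prepend a 12-byte header whose
    last byte is the high byte of the CRC-32 of the original file, encrypt everything.
    Returns the encrypted entry and the CRC the archiver stores in clear in the directory.
    header_prefix is 11 bytes; a real archiver picks them at random."""
    assert len(header_prefix) == 11
    crc = zlib.crc32(original) & MASK32
    header = header_prefix + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + deflate(original)), crc


def crack(entry: bytes, stored_crc: int, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Test candidate passwords the way a cracker does.  The 12-byte header gives a
    cheap filter (a wrong password survives it with probability 1/256); survivors
    get the full decrypt / decompress / CRC check the archiver itself performs."""
    for pw in candidates:
        zc = ZipCrypto(pw)
        header = zc.decrypt(entry[:12])
        if header[11] != stored_crc >> 24:
            continue                      # cheap reject after only 12 bytes
        try:
            plain = inflate(zc.decrypt(entry[12:]))
        except zlib.error:
            continue                      # survived the check byte, but not the data
        if zlib.crc32(plain) & MASK32 == stored_crc:
            return pw
    return None


# Constructed input: the file, the password and a fixed (not random) header prefix.
ORIGINAL = b"The quick brown fox jumps over the lazy dog.\n" * 20
CANDIDATES = [b"password", b"letmein", b"secret", b"qwerty"]


def demo() -> Optional[bytes]:
    entry, crc = archiver_encrypt(b"secret", ORIGINAL, bytes(range(11)))
    return crack(entry, crc, CANDIDATES)


if __name__ == "__main__":
    print(demo())   # b'secret'
```

The 1/256 filter is what makes ZipCrypto brute force so fast compared with RAR 3.x (3.1.3): almost every wrong candidate costs twelve keystream bytes and nothing more.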

3.1.3. How to recover RAR passwords?

RAR/WinRAR version 2.x used its own proprietary but rather strong encryption algorithm. At least no attacks on RAR 2.0 other than brute force were known.

Starting with version 3.0, RAR uses the standard AES algorithm, which allows no attack more effective than brute force. Moreover, the key is derived from the password by a deliberately expensive procedure (a very large number of hash iterations), so the brute-force rate on a modern computer is very low: about 100 passwords per second at the time of writing. This makes RAR 3.x the strongest of the popular encryption systems against brute force, and it means you cannot recover a RAR password longer than 6-7 symbols unless you have some information about it.

3.1.4. How to recover ARJ passwords?

ARJ uses a very weak encryption algorithm: it simply XORs the password with the compressed file. So if you have just one unencrypted file from the archive, the password can be found instantly (see 3.1.5). The ARJ scheme has other weaknesses too: for example, the first 3 characters of the password can be found without exhaustive search, and password testing is very fast, so passwords of up to 12-14 characters can be cracked.

3.1.5. Is it possible to crack archives if some of the files are available unencrypted (or uncompressed)?

This is the known-plaintext attack (see 1.4). The result depends on the archiver:

ARJ: yes, passwords of any length, instantly. You need to know as many bytes of the compressed file as the password has characters.
ZIP: yes (if AES encryption is not used), passwords of any length. You need to know at least 13 bytes of the compressed file; the attack may take some hours on a modern PC.
RAR 1.5: yes, passwords of any length. You need to know 3-4 bytes of the compressed file, and then perform 2^32-2^40 operations, which may take hours or days.
RAR 2.x-3.x: no.
Your favourite archiver: please send me the information.

Note that all these methods require knowledge of the compressed file. If you only have the uncompressed file, you must compress it exactly as the encrypted original was compressed (same archiver version, same options, etc.); otherwise the compressed bytes, and therefore the known plaintext, will differ.
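Added example (a toy model of the scheme the text describes, not the real ARJ container format): the known-plaintext attack of 3.1.4 and 3.1.5 against "ciphertext = compressed data XOR repeated password". It recovers the password from as many known bytes as the password has characters, recovers it without knowing the length when more bytes are known, and shows the point of the note above: the known bytes must come from the file compressed exactly as the original was, so the same data compressed with other options gives a wrong answer. The file text, password and compression settings are constructed for the demonstration.

```python
import zlib
from typing import Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Encrypt (and decrypt: XOR is its own inverse) by XORing the data with the
    password repeated cyclically, the scheme 3.1.4 attributes to ARJ."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_password(ciphertext: bytes, known_plaintext: bytes, password_len: int) -> Optional[bytes]:
    """Known-plaintext attack, password length known: each password byte is the XOR
    of one ciphertext byte with the corresponding known byte.  You need as many known
    bytes (from the start of the compressed file) as the password has characters."""
    if len(known_plaintext) < password_len or len(ciphertext) < password_len:
        return None
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(password_len))


def recover_password_unknown_length(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32) -> Optional[bytes]:
    """Password length unknown: the XOR of ciphertext and known plaintext is the
    password repeated, so the shortest period that explains all known bytes is the
    password.  Needs more known bytes than the password has characters."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, min(max_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i % n] for i in range(n, len(stream))):
            return stream[:n]
    return None


def decrypt_and_decompress(ciphertext: bytes, password: bytes) -> bytes:
    """Once the password is known the whole file follows."""
    return zlib.decompress(xor_repeating(ciphertext, password))


# Constructed data: a small text file, 'compressed' with zlib at level 9 by the
# archiver, then garbled with the password.
ORIGINAL = (b"Minutes of the meeting. Item one: the budget was approved without changes.\n"
            b"Item two: the new office opens in March; keys are kept by the secretary.\n"
            b"Item three: the next meeting is scheduled for the first Monday of April.\n")
PASSWORD = b"arj-pw"
COMPRESSED = zlib.compress(ORIGINAL, 9)          # what the archiver really encrypted
WRONG_OPTIONS = zlib.compress(ORIGINAL, 1)       # same file, different compression options
CIPHERTEXT = xor_repeating(COMPRESSED, PASSWORD)


if __name__ == "__main__":
    print(recover_password(CIPHERTEXT, COMPRESSED[:6], 6))            # b'arj-pw'
    print(recover_password_unknown_length(CIPHERTEXT, COMPRESSED[:40]))
    print(recover_password(CIPHERTEXT, WRONG_OPTIONS[:6], 6))         # not the password
    print(decrypt_and_decompress(CIPHERTEXT, PASSWORD) == ORIGINAL)
```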

3.1.6. How can I recover self-extracting archives passwords?

Some programs understand self-extracting archives. If yours does not, just remove the self-extracting header and you get a normal archive. To do this, read the technical description of the archive format, find the signature the archive begins with, and remove all the bytes between the beginning of the file and that signature. You can also find the signature by looking at the first bytes of a normal archive. Keep in mind that a short signature may occur by chance inside the executable stub, so check that what remains is a valid archive.
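Added example (not from the FAQ): stripping a self-extracting stub by searching for the archive signature, as 3.1.6 describes. The signatures are those the public format descriptions give for ZIP, RAR and ARJ; the stub is a constructed stand-in for the real executable, and the archive is built in memory with Python's zipfile module so the result can be checked. Python's own zipfile happens to tolerate a prefixed stub (it locates the central directory from the end of the file), but many crackers do not, which is why the stub is removed.

```python
import io
import zipfile
from typing import Dict, Optional, Tuple

# Byte signatures the archive formats start with, from their public format
# descriptions.  Longer signatures first, since a 2-byte one can match by accident.
SIGNATURES = (
    ("rar5", b"Rar!\x1a\x07\x01\x00"),   # RAR 5.x
    ("rar",  b"Rar!\x1a\x07\x00"),       # RAR 1.5 - 4.x
    ("zip",  b"PK\x03\x04"),             # ZIP local file header
    ("arj",  b"\x60\xea"),               # ARJ header id 0xEA60 (little-endian)
)


def find_archive(blob: bytes) -> Tuple[str, int]:
    """Return the format and the offset of the earliest known signature in blob."""
    best: Optional[Tuple[str, int]] = None
    for name, sig in SIGNATURES:
        pos = blob.find(sig)
        if pos != -1 and (best is None or pos < best[1]):
            best = (name, pos)
    if best is None:
        raise ValueError("no known archive signature found")
    return best


def strip_sfx(blob: bytes) -> Tuple[str, bytes]:
    """Drop everything before the archive signature, i.e. the self-extractor stub."""
    kind, offset = find_archive(blob)
    archive = blob[offset:]
    # A short signature may occur by chance inside the stub; validate what we can.
    if kind == "zip" and not zipfile.is_zipfile(io.BytesIO(archive)):
        raise ValueError("'PK' signature found but the remainder is not a ZIP archive")
    return kind, archive


def build_zip(files: Dict[str, bytes]) -> bytes:
    """Constructed test input: a real (unencrypted) ZIP archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_entry(archive: bytes, name: str) -> bytes:
    """Open the stripped archive with the standard reader to prove it is intact."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


# Constructed stand-in for the executable stub (a real one is a complete program).
STUB = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 32
FILES = {"readme.txt": b"hello from inside the archive"}


if __name__ == "__main__":
    sfx = STUB + build_zip(FILES)
    kind, archive = strip_sfx(sfx)
    print(kind, len(sfx) - len(archive), "stub bytes removed")
    print(read_entry(archive, "readme.txt"))
```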

3.2. Microsoft Office passwords

3.2.1. Is it possible to crack Office 95 passwords?

Absolutely. Passwords of any length can be cracked instantly.

3.2.2. Is it possible to recover Office 97/2000 passwords?

Office 97 encryption (the same is used in Office 2000) is much stronger than that of Office 95. But:
  1. Access 97 / Outlook 97 passwords can be cracked instantly.
  2. The French version of Office 97 does not provide strong encryption, and its passwords can be recovered without brute force.
  3. Word/Excel read-only passwords, Excel workbook and individual sheet protection, Word document protection and VBA passwords are not secure and can be recovered instantly.
  4. Only the password to open a Word/Excel document is strong enough. But because of US export regulations Office 97 uses a 40-bit key, so an encrypted file can be decrypted without knowing the password if you find that key (see 3.2.3).

3.2.3. What is the best way to decrypt Word/Excel 97/2000 file with password for opening?

These programs use a 40-bit key for encryption regardless of the password length. That is why checking 2^40 keys guarantees decryption of the document: the search is for the key, not the password, so the password's length and character set are irrelevant. This takes about a week on a modern computer. If you have a multiprocessor/multicore computer or a local network, the key space can be split into ranges and searched in parallel, with a speed-up close to the number of processors.

The method can be sped up even further with huge precomputed tables, which let the key be found within seconds. Some products and services offer such instant decryption of Word/Excel 97/2000 files.
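Added example (not the FAQ's code, and not Office's own key derivation or verifier, which are only imitated here): guaranteed decryption by key search as 3.2.3 describes, and the password-versus-key distinction of 2.1. The application derives a fixed-width key from the password, so a very long password still leaves only 2^40 keys; the search runs over key ranges that can be handed to separate workers, and each key is checked by decrypting a known header. The cipher is RC4, as Office 97/2000 use; to keep the run short the demo key is 12 bits wide (DEMO_KEY_BITS, an assumption), while partition() is also shown on the real 2^40 space. The header, salt, password and document body are constructed.

```python
import hashlib
from typing import List, Optional, Tuple

REAL_KEY_BITS = 40          # Office 97/2000: 2**40 keys, whatever the password
DEMO_KEY_BITS = 12          # assumption for the demo so it finishes in well under a second


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (key scheduling + keystream generation); encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, salt: bytes, key_bits: int) -> int:
    """Stand-in for the application's password-to-key derivation (Office's own
    differs): hash password and salt, keep key_bits bits.  A 60-character password
    still yields a key_bits-bit key, which is why searching keys beats searching
    passwords once the password is long."""
    digest = hashlib.sha256(salt + password.encode("utf-16-le")).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << key_bits) - 1)


def key_bytes(key: int, key_bits: int) -> bytes:
    return key.to_bytes((key_bits + 7) // 8, "big")


def partition(total: int, workers: int) -> List[Tuple[int, int]]:
    """Split the key space [0, total) into contiguous ranges, one per worker."""
    step = -(-total // workers)          # ceiling division
    return [(start, min(start + step, total)) for start in range(0, total, step)]


def search_range(ciphertext: bytes, known_prefix: bytes, key_bits: int, start: int, stop: int) -> Optional[int]:
    """One worker: try every key in [start, stop); a key is right when it decrypts
    the first bytes to the known plaintext (the application's verifier plays this role)."""
    n = len(known_prefix)
    head = ciphertext[:n]
    for k in range(start, stop):
        if rc4(key_bytes(k, key_bits), head) == known_prefix:
            return k
    return None


def guaranteed_decrypt(ciphertext: bytes, known_prefix: bytes, key_bits: int, workers: int) -> Optional[int]:
    """Run the workers' ranges (sequentially here; in practice one per CPU or host)."""
    for start, stop in partition(1 << key_bits, workers):
        found = search_range(ciphertext, known_prefix, key_bits, start, stop)
        if found is not None:
            return found
    return None


# Constructed document: a known 8-byte header followed by the body, 'saved' with a
# long password under the demo-sized key.
KNOWN_PREFIX = b"DOCHEAD\x00"
SALT = bytes(range(16))
PASSWORD = "a very long passphrase that brute force would never reach"
TRUE_KEY = derive_key(PASSWORD, SALT, DEMO_KEY_BITS)
CIPHERTEXT = rc4(key_bytes(TRUE_KEY, DEMO_KEY_BITS), KNOWN_PREFIX + b"Quarterly figures follow.")


if __name__ == "__main__":
    key = guaranteed_decrypt(CIPHERTEXT, KNOWN_PREFIX, DEMO_KEY_BITS, workers=4)
    print(hex(key), rc4(key_bytes(key, DEMO_KEY_BITS), CIPHERTEXT))
    print(partition(1 << REAL_KEY_BITS, 8)[:2])   # the real 2**40 space split 8 ways
```

With the real 40-bit key the same loop is simply 2^28 times longer; the per-key cost (one RC4 key schedule plus a few keystream bytes) and the rate measured on a test file give the estimate of 2.3 directly.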

3.2.4. Is it possible to recover Office XP/2003 passwords?

Most passwords in this Office are cracked instantly, except the password to open, which nowadays can use keys of up to 128 bits.

3.2.5. What is the best way to crack a Word/Excel XP/2003 file with a password to open?

At last the encryption matches the modern abilities of crackers: 128-bit encryption is available, against which only brute force works. But since the Office 97/2000 encryption is still used by default, a document saved with the default settings can be decrypted with guarantee (see 3.2.3). Check which encryption type the document actually uses before choosing the attack.

3.3. Other Office

3.3.1. What about PDF document protection?

PDF security uses two different passwords: the so-called 'user' password and the 'owner' password. The first protects the document from being opened; the second places restrictions on the document, for example disabling printing. The cryptographic algorithms improved as PDF developed: up to version 1.4 only 40-bit keys were used, then 128-bit keys came, and starting from version 1.6 AES encryption was added.

However, the PDF security system is implemented so that a file with restrictions only (an owner password but no user password) can be decrypted instantly, irrespective of the password length, even with 128-bit keys: the document key is derived from the (empty) user password, so the owner password is not needed to open it and the restrictions are only enforced by the viewer. A document with a password to open that uses a 40-bit key can be decrypted on a modern computer within a week by guaranteed decryption, as for Office 97/2000 (see 3.2.3). To open a document with a 128-bit key, only brute force can be used.

IV. Operating system passwords

4.1. Windows Passwords

4.1.1. How can I log into a Windows NT/2000/XP/2003 computer without knowing the administrator's password?

Windows NT passwords, including the administrator's password, are stored as hashes (see 2.1) in the special SAM file in the %WINDIR%\system32\config directory. It follows that there are two simple cracking methods: firstly, you may extract the hash and recover the administrator's password from it by brute force; secondly, you can simply replace the hash with one corresponding to some simple password, e.g. "aaa". You can neither read nor change this file directly while Windows is running, as it is locked by the system. But you can reach it by one of the following methods:
  • move the HDD to another computer and get direct (physical) access to the file there. This is not so easy.
  • move the HDD to another computer with the same Windows OS and access the file from there.
  • boot another OS on this computer (e.g. Linux) and access the file.
Note that the hashes in SAM are additionally encrypted with the system key (SYSKEY; optional from NT 4.0 SP3, always on from Windows 2000), which is stored in the SYSTEM hive in the same directory, so a tool that extracts the hashes needs both files.

Attention: if you change the administrator's password, you will not be able to get access to files encrypted with EFS. If you need them, you can only try to recover the correct administrator's password.

4.1.2. How can I bypass the administrator's password in the NT/2000/XP/2003 domain?

There are two links on this topic:

Reset Domain Admin Password in Windows 2000 AD

Reset Domain Admin Password in Windows Server 2003 AD

4.1.3. How can I crack a password in Windows 95/98/Me?

Firstly, if the computer is not connected to a network, you can simply press the "Cancel" button at the login prompt. If that does not help, crack the passwords stored in the .PWL files with special programs.

4.1.4. How can I crack a password for Windows shared resources?

Windows 95/98/Me had a vulnerability that allowed share passwords of any length to be cracked "letter by letter": the server compared only as many characters as the client sent, so each character could be guessed independently instead of the whole password at once.

4.1.5. I don't have access to the computer. Is it still possible to crack the administrator's password?

You can capture the remote login exchange (the network authentication challenge and response) and then brute-force the hash or the password offline. Modern Windows versions have mechanisms that make this harder. Sometimes you may also be able to access the remote machine's registry.

4.2. UNIX/Linux, Novell Netware etc passwords

4.2.1. How can I log into a Linux computer without knowing the root password?

In fact, UNIX systems also store their password hashes in special files on disk, whose location depends on the OS version. Historically it was /etc/passwd; modern systems keep the hashes in /etc/shadow (or a similar file readable only by root). So in theory you can use the same methods as for Windows (see 4.1.1).

There is a simpler method: it is often possible to boot UNIX in single-user mode. Read the documentation for your UNIX version to learn how.

4.2.2. What is the encryption system used in Novell Netware and is it possible to crack it?

There is a lot of information on Novell Netware passwords here.

V. Internet passwords

5.1. Can I get dial-up passwords?

Yes, regardless of the OS being used. Most providers require the password in plain text. That means that if you save it on your computer, it is only weakly encoded, so that it can be turned back into its plain form when it is sent to the server. Therefore it can be decoded.

5.2. Can I decrypt ICQ, POP3, FTP, Telnet password in ... application?

Yes, for the same reason (see 5.1). All these services in their standard configuration require the plain password from the client, so any client must keep it in plain or encrypted (not hashed) form. It is also possible to run a server emulator that receives the passwords from the clients: because the client sends the password in clear, there is no need to examine the client's storage encryption at all, and the trick works for any program. (A client configured to use challenge-response authentication only, such as APOP or CRAM-MD5, does not send the plain password; the emulator then gets at most a hash that still has to be cracked.)
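Added example (not from the FAQ): the "server emulator" of 5.2 for POP3, as a protocol state machine that is fed the client's lines, plus a small socketserver wrapper to put it on a port. The emulator offers only plain USER/PASS (no APOP timestamp in the greeting, no SASL mechanisms in CAPA), so a client configured for plain authentication sends the password in clear, whereas a client that insists on challenge-response gets an error and sends nothing usable. The client lines and the port number (1100) are constructed/assumed.

```python
import socketserver
import sys
from typing import List, Optional, Tuple


class FakePop3:
    """Server side of the POP3 AUTHORIZATION state, just enough to make a client
    hand over USER and PASS, then an empty mailbox so that it disconnects quietly."""
    GREETING = "+OK POP3 server ready"      # no <timestamp>, so APOP is not offered

    def __init__(self) -> None:
        self.state = "AUTHORIZATION"
        self.user: Optional[str] = None
        self.captured: List[Tuple[str, str]] = []

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            return "+OK bye"
        if self.state == "AUTHORIZATION":
            if cmd == "CAPA":
                return "+OK\r\nUSER\r\n."            # plain USER/PASS only, no SASL
            if cmd == "USER":
                self.user = arg
                return "+OK"
            if cmd == "PASS" and self.user is not None:
                self.captured.append((self.user, arg))   # the plaintext password
                self.state = "TRANSACTION"
                return "+OK logged in"
            return "-ERR authentication required"     # also the answer to APOP/AUTH
        # TRANSACTION state: pretend the mailbox is empty
        if cmd == "STAT":
            return "+OK 0 0"
        if cmd in ("LIST", "UIDL"):
            return "+OK\r\n."
        return "-ERR unsupported"


def run_session(lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Feed a scripted client conversation through the emulator; returns the
    server's replies and the credentials it captured."""
    pop = FakePop3()
    replies = [pop.handle(line) for line in lines]
    return replies, pop.captured


class Pop3Handler(socketserver.StreamRequestHandler):
    """Wires FakePop3 to a TCP connection; point a mail client at this port."""

    def handle(self) -> None:
        pop = FakePop3()
        self.wfile.write((pop.GREETING + "\r\n").encode("ascii"))
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.decode("latin-1")
            self.wfile.write((pop.handle(line) + "\r\n").encode("latin-1"))
            if line.strip().upper().startswith("QUIT"):
                break
        for user, password in pop.captured:
            print(f"captured {user!r}:{password!r} from {self.client_address[0]}")


if __name__ == "__main__":
    # Scripted session: a client configured for plain authentication.
    print(run_session(["CAPA", "USER alice", "PASS hunter2", "STAT", "QUIT"]))
    # A client that insists on challenge-response sends no usable password.
    print(run_session(["APOP alice 0123456789abcdef0123456789abcdef", "QUIT"]))
    # Real use (assumed port 1100): serve one client connection, then exit.
    if "--listen" in sys.argv:
        with socketserver.TCPServer(("127.0.0.1", 1100), Pop3Handler) as server:
            server.handle_request()
```

Run with --listen and point the client's POP3 server setting at 127.0.0.1 port 1100; the captured pair is printed when the client disconnects.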

5.3. How can I crack password for e-mail, www-server etc?

If you have forgotten your e-mail password, contact the provider's support service. Remotely cracking someone else's password is illegal.

VI. Strong and weak encryption software

6.1. What archivers provide the best encryption?

Among the three most popular archivers - ARJ, ZIP and RAR - RAR 3.x provides the strongest encryption: it implements the standard, strong AES algorithm and has the slowest brute-force rate. The possible weakness of RAR is that its source code is not public, so the implementation has never been reviewed by professional cryptographers.

Among the archivers that use strong algorithms and have their source code available, the 7-Zip archiver stands out, but it is not known for sure whether it has ever been analysed cryptographically.

6.2. What are strong file/disk encryption tools?

A strong file encryption tool is one that has been in use for years, has its source code available, uses strong algorithms and implements them correctly, and, moreover, has had its implementation reviewed by several independent cryptography experts. PGP is certainly a strong file encryption tool.

(Add more ...)

6.3. What tools are known to be not strong?

A tool is very probably not strong if it shows one or more of the "Snake Oil Warning Signs"; you should also read Bruce Schneier's Crypto-Gram of February 15, 1999. It is even worse when a tool shows no such signs but still is not strong. It is impossible to tell a really good program from one that only looks good by its appearance, documentation, feature list or the authors' names. Here is an incomplete list of programs known to be not strong:
  • Norton Secret Stuff v 1.0
  • Crypt-O-Text v. 1.21-1.24
  • WinXFiles (up to v. 3.5)
  • Icon Lock-It
  • Encrypt-It for Windows
  • UnBreakable Encryption (UBE) 98
  • File Locker 1.11
  • Package for the Web v. 1.x-3.x
  • MasterKey
Crackers for all of the above products exist.

(Add more...)

6.4. What cryptographic systems or applications have backdoors?

The most known are Paradox database and AWARD BIOS.

VII. Password recovery software

7.1. Where can I get the above password recovery? Where can I get the password recovery for ...?

Sites with free software:

Sites with commercial password recovery software/services:

7.2. The password recovery I have found is shareware/commercial. How to crack it?

Program cracking is illegal in most countries. You are reading the wrong FAQ.

7.3. I can't find the necessary cracker. What could I do?

You could contact one of the commercial companies listed above. Note that writing such a cracker may take a long time; cracking the password may take a long time too; it may be expensive for you; and it may not be possible at all.

7.4. Is there any software that will help me to write my own cracker?

Yes. For example, the Password Cracking Library lets you write a password cracker with a built-in "rule-based attack" (see 1.4). It is free for non-commercial use, portable and written in C.

7.5. What is the best (fastest) cracker for ...?

The best cracker is the one that will find your password. To make it possible the password cracker should support different attack types and be as fast as possible. The benchmarks and features of different crackers can be found at Russian Password Crackers site.

VIII. Law

8.1. Is password recovery legal?

It is human to forget one's passwords, and everyone has full authority to access their own information even if they have forgotten the password. That is the legitimate reason to use password crackers. It goes without saying that cracking other people's passwords is illegal.
Users' comments:

User haseeb wrote about ver. 2009-12-01

I wanna download this
My rating:5

User SHAHZAD9263@YAHOO.COM wrote about ver. 2009-11-04

Very good FAQ, but something is missing?

User shad4data wrote about ver. 2009-07-27

I want to regain my password

User nithesh wrote about ver. 2009-06-03

very bad site
My rating:1

User reza in iran wrote about ver. 2009-04-16

very good
My rating:5

User Sway88 wrote about ver. 2008-02-08

Very good FAQ. Shame people abuse it by trying to find info on hacking a friends account. If you read, it DOES tell you this is illegal. You really think they're gonna publish that info? Go figure it out.
My rating:4

User bangladesh wrote about ver. 2007-10-03

very useful website.
My rating:1

User Peter Searle wrote about ver. 2007-07-31

Extremely informative. Information provided which would take many searches to find (if at all)
My rating:5

User hallvell@yahoo.com wrote about ver. 2007-07-19

good topic... please send me WinRAR password cracking software to hallvell@yahoo.com
My rating:5

User stephenylenwis@yahoo.cm wrote about ver. 2007-07-15

I need a cracker to crack a person's mail address, they changed my password and it was very gloomy to me, I need someone that can help me with how to crack a mail address, here is my id stephenylenwis@yahoo.com

Copyright © 1998 - 2014 Pavel Semjanov.