Tag Archives | password cracking

How to recover forgotten Truecrypt passwords

Truecrypt brute force attack

Unprotected.info is a free brute force program custom designed to attack encrypted Truecrypt containers. It works with Truecrypt 6.0 and above. There is no support for external encrypted devices or full disk encryption, and containers encrypted using a keyfile or a cascade algorithm, e.g. AES-Serpent, are not supported either.

Truecrypt's default settings use AES for encryption, without cascade mode, so it is highly likely that the container will have been encrypted with it. A newbie who does not understand the consequences of using a cascade algorithm and does not bother reading the manual (most people don't) will not have risked changing the default Truecrypt settings.

Unprotected.info Truecrypt password recovery


Unlike other hard to use brute force software such as John the Ripper, Unprotected.info makes it easy for the home user to have a go at cracking a Truecrypt container. The program has a series of checkboxes where you can set the password length to try between two values, along with further details such as whether the password contains lowercase, uppercase, punctuation characters, special characters and numbers. The more you can remember about your forgotten password, the quicker and easier it will be to crack the Truecrypt container.

There is a detailed progress bar showing how many passwords have been tried, how many are left to be tried and the estimated time to finish. How long it will take to recover your Truecrypt password will depend on the character settings and password length you have chosen and on how powerful your computer's processor is.

Visit Unprotected.info homepage


How to crack a .zip or .rar password protected file?

How secure is Winzip and Winrar encryption?

Both WinZip and WinRar use AES (Advanced Encryption Standard) for encryption. When implemented correctly and combined with a long, alphanumeric, hard to guess passphrase, the AES cipher is impossible to crack in a reasonable amount of time, that is, within your lifetime.

State sponsored agencies are also unable to crack a password protected Zip or Rar file if it has been encrypted with a hard to guess password; the laws of mathematics, just like the laws of physics, are the same for everyone.

Recovering a password protected .zip or .rar file

The only known method to recover a forgotten password from a password protected .zip or .rar file created using the latest WinZip and WinRar versions is a brute force attack. In a brute force attack, automated software runs through all of the dictionary words, trying each one against the file password.

Knowing whether special characters and numbers were used in the passphrase, as well as knowing the length of the password, is very helpful when setting up the program to launch a brute force attack against the encrypted .zip or .rar file. Cracking a .zip file protected with encryption can take minutes, months or a hundred years, depending on processing power and how hard to guess the password is.

Services to crack encrypted .zip files

WPACracker: Better known for cracking WPA keys using their computer cluster, WPACracker also offers brute force dictionary attacks in English and German against password protected .zip files. While you could do this yourself on your own computer, WPACracker gives you access to a 400 CPU cluster, which speeds up the process.

PWCrack: This password cracking service covers .zip encrypted files and PKZip files. Normally they will test a dictionary attack and brute force passwords up to 7 characters long. Password Crackers Inc. also offers services to crack many more kinds of encrypted files.

ElComSoft distributed password recovery


Software to crack password protected .zip files

Advanced Archive Password Recovery: This commercial software from ElComSoft helps you crack .zip and .rar encrypted files. They claim that cracking archives created with WinZip 8.0 and earlier is possible in under one hour by exploiting an implementation flaw. For .zip or .rar files encrypted using the AES algorithm, a brute force attack will be launched.

Passware Kit Enterprise: This is a professional solution and is not targeted at end users. Passware Kit Enterprise supports cracking of many different file types, from encrypted .zip and .rar up to launching brute force attacks on disks fully encrypted with TrueCrypt. Passware Kit Enterprise can use multiple core CPUs and nVidia GPUs to speed up the dictionary attacks.

LastBit: This company makes a full range of password recovery software to help you bring back forgotten passwords on ICQ, Skype, Firefox, PDF, PowerPoint, Zip and many more applications. Various LastBit products support rainbow tables, which considerably speed up dictionary attacks.

Zip Password Tool: An easy to use password recovery tool that works by launching dictionary attacks on files created with ZIP compatible software. It supports AES file encryption cracking and you can customize the brute force attack with special characters and national symbols. There is also a password recovery progress bar.

Zip Password Tool cracking .zip password


Tips to help you recover passwords from encrypted files

The following information will be of great use when launching a brute force or dictionary attack against any kind of password protected file or disk.

Find all the other passwords you can from the PC, notes around the computer, things someone might have saved in their web browsers and the Windows password; many people use the same or similar passwords everywhere.

By collecting all of the user's passwords you will be able to observe a password pattern, such as how many characters are normally used to create a password, whether names of cities, pets or family members are used, capitalization of the first letter, etc. You can then customize your cracking software and set it up to use the same password pattern that the user normally adopts.

WinZip does not hide the encrypted filenames, so you should be able to list them unless an archive was packed inside an archive. That might give you a clue about the contents and whether it is worth trying to crack it or not. Notice that WinRar, however, has an option where the user can encrypt the filenames, although this is not active by default and a checkbox needs to be ticked.

Cracking Zip file encryption from versions earlier than WinZip 9.0 is easy and there is no need for a brute force attack, as there was an implementation flaw in the encryption. Since WinZip version 9 and above, .zip files are protected using 128 or 256 bit AES, and with a sufficiently complicated password, finding it out will be impossible.

Dictionary attacks for a long password with characters outside of 0-9 and A-Z are very slow. When you plan a dictionary attack on an encrypted .zip or .rar file, limit yourself to alphanumerics unless you are certain a special character was used to create the password.

Another approach is to scan the disk for all words and then try them in different upper and lower case combinations against the encrypted file.

Conclusion about security of encrypted .zip and .rar files

The latest versions of WinZip and WinRar both use 128 or 256 bit AES for encryption. This cipher is a security standard and safe from cracking as long as the password is sufficiently long and contains upper and lowercase letters, special characters and numbers.

The weakest link in .zip and .rar encrypted passwords is you. Avoid reusing your passwords anywhere else and avoid writing them down, with the exception maybe being a password manager you trust.

Make sure that you only encrypt .zip and .rar files with WinZip 9.0 and above and WinRar 3.0 and above, as earlier versions have some vulnerability.

There are many companies out there promising to crack files encrypted with WinZip and WinRar, and they all rely on the same thing: either you using an old version of the file compression software, or you choosing a weak and easy to guess password. As long as you cover those two vulnerabilities, you are safe using WinZip or WinRar for encryption. My first choice would be WinRar, since WinZip does not support file name encryption.


How long should my password be? Minimum password length suggested

We should start talking about passphrases and not passwords. According to one Georgia Institute of Technology study, any password shorter than 12 characters is vulnerable to attack. The length of your password, as well as its quality, like using a combination of alphanumeric characters, matters a lot when it comes to computer security.

A standard English keyboard has 95 letters and symbols and you should be taking advantage of them to write full sentences as your password. Knowledge about a user may suggest possible passwords (such as pet names, children's names, etc.), hence estimates of password strength must also take into account resistance to this attack.

Password box


The ideal password length is 12 characters

The Georgia Tech Research Institute study on brute forcing passwords suggests a 12 character password length in order to strike the right balance between convenience and security. Assuming a hacker can try 1 trillion password combinations a second, it would take him 180 years to crack an 11 character password; this number would increase to 17,134 years for a 12 character password.
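The arithmetic behind those figures, as an added example that is not code from the study or from this post: it counts the keyspace for a chosen set of character classes and length range and converts it to worst-case search time at 1 trillion guesses per second. The function and class names are illustrative, and it assumes uniformly random passwords and a 365-day year.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year (assumption; it reproduces the quoted figures)

# The 95 printable ASCII characters, split into the classes a policy usually names.
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}  # 32 punctuation + space
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_size(classes):
    """Number of distinct characters available across the chosen classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(classes, min_len, max_len):
    """Count every candidate of length min_len..max_len over the chosen classes."""
    size = alphabet_size(classes)
    return sum(size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(classes, min_len, max_len, guesses_per_second=10**12):
    """Worst-case years for an attacker to try the whole keyspace."""
    return keyspace(classes, min_len, max_len) / (guesses_per_second * SECONDS_PER_YEAR)


def min_length_for(classes, target_years, guesses_per_second=10**12):
    """Shortest fixed length whose keyspace alone survives target_years of guessing."""
    length = 1
    while years_to_exhaust(classes, length, length, guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    for length in (8, 10, 11, 12):
        print(f"{length} chars, all 95 symbols: "
              f"{years_to_exhaust(ALL_CLASSES, length, length):,.2f} years")
    # Dropping character classes shrinks the keyspace far more than one extra character adds.
    hours = years_to_exhaust(("lower",), 12, 12) * 365 * 24
    print(f"12 lowercase letters only: {hours:,.1f} hours")
    print("length needed for 100 years, lowercase only:", min_length_for(("lower",), 100))
    print("length needed for 100 years, all classes:   ", min_length_for(ALL_CLASSES, 100))
```

These numbers are an upper bound that applies only to randomly chosen passwords; a password built from names or dictionary words falls to a guessing attack long before the keyspace is exhausted.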

How to create a strong password?

  • Include numbers, symbols, upper and lowercase letters in passwords.
  • Avoid any password based on repetition, dictionary words, letter or number sequences.
  • Use capital and lower-case letters.
  • The password must be easy to remember and not force insecure actions like writing it down on notes.

According to one of the study authors, if an attacker wants to crack many passwords quickly, once he's built a rainbow table it might then only take about 10 minutes per password rather than several days. A rainbow table encodes the hashes of the most common passwords, and the attacker uses that database to quickly run them against your hidden password.

Solutions to create secure passwords

Instructions to create the best random password possible: Diceware

Store your passwords encrypted online: LastPass

Free secure password manager for desktop computer: KeePass
