Recovering a password can be a complicated process. Think of encryption like a Sudoku puzzle. The larger and more complicated the puzzle, the harder it is to defeat an encryption scheme. There are two ways to go about trying, though.

In the first, hackers typically try to look for some sort of overall pattern. You can divide this further into different classes of attacks, some of which you may have heard of in the news, such as a side-channel attack. These methods are complex and out of reach for the everyday computer user. Only a select group of people have the skill set and drive to do that sort of work.

A much more primitive approach to defeating encryption is simple "guessing and checking." This is known as a brute-force attack. Think of this as generating every single combination of numbers that can be used to solve that same Sudoku puzzle, starting from all ones all the way through all nines. There are ways to hide the "checking" part of the process to make the attack more complicated. But simple programs like WinZip and WinRAR don't have that luxury. If you are persistent, you can keep guessing passwords until hell freezes over. There is no limit on the number of guesses you get. So, the real problem in recovering a password is the speed at which you can guess the right answer.

Manually checking passwords is probably a foolish endeavor at best, especially if you're dealing with a long password. This is where password recovery tools come into play. They automate the process of guessing passwords.

Available Characters Using The English Language | Possible Passwords Two Characters | Possible Passwords Four Characters | Possible Passwords Six Characters |
---|---|---|---|
Lower-case | 676 | 456 976 | 308 915 776 |
Lower- and Upper-case | 2704 | 7 311 616 | 19 770 609 664 |
Lower-case, Upper-case, and Numbers | 3844 | 14 776 336 | 56 800 235 584 |
All ASCII Characters | 8836 | 78 074 896 | 689 869 781 056 |

Brute-force attacks rely on probability. The longer the password, the more passwords there are to check. This relies on the notion of permutations, which are arrangements of objects in a particular order. So think of passwords as anagrams. If I gave you the letters a, b, and c, how many different ordered arrangements could you make? With only three letters, you can create a set of six permutations of the set {a,b,c}, namely [a,b,c], [a,c,b], [b,a,c], [b,c,a], [c,a,b], and [c,b,a].

Calculating the number of possible passwords is simple. Repetitions are allowed, so the formula is n^{(password length)}, where n is the number of possible characters. As you can see, at six characters, we're already in the billions if you include lower- and upper-case letters. If you also include special characters and numbers (all ASCII characters), you'll find that the number of password candidates explodes to three-quarters of a trillion. And don't forget that if you don't know the length of your password, you have to search all of the possible combinations from a single-character password to the length of your choosing.
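The calculation above, carried through as an added example (not code from the original article): it reproduces the table's counts, adds the unknown-length case where every shorter length must also be searched, and converts the total into worst-case search time. The guess rate is an assumed figure for illustration, not a benchmark from this page.

```python
import string

# Alphabet sizes matching the four rows of the table.
CHARSETS = {
    "lower": len(string.ascii_lowercase),                            # 26
    "lower+upper": len(string.ascii_letters),                        # 52
    "lower+upper+digits": len(string.ascii_letters + string.digits), # 62
    "printable ASCII": len(string.ascii_letters + string.digits
                           + string.punctuation),                    # 94
}

ASSUMED_RATE = 1_000_000  # guesses per second; assumption for illustration only


def keyspace(n, length):
    """Passwords of exactly `length` characters over n symbols, repeats allowed."""
    return n ** length


def keyspace_up_to(n, max_length):
    """Unknown length: every candidate from 1 to max_length characters."""
    return sum(n ** k for k in range(1, max_length + 1))


def worst_case_seconds(candidates, guesses_per_second):
    """Time to try every candidate; the average case is half of this."""
    return candidates / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(max_length, rate=ASSUMED_RATE):
    """One row per character set: (name, n, exact count, up-to count, time)."""
    rows = []
    for name, n in CHARSETS.items():
        total = keyspace_up_to(n, max_length)
        rows.append((name, n, keyspace(n, max_length), total,
                     humanize(worst_case_seconds(total, rate))))
    return rows


if __name__ == "__main__":
    for length in (6, 8, 10):
        print(f"--- up to {length} characters at {ASSUMED_RATE:,} guesses/s ---")
        for name, n, exact, total, duration in report(length):
            print(f"{name:20} n={n:<3} exact={exact:,} total={total:,} -> {duration}")
```

Each extra character multiplies the work by n, so moving from six to eight characters costs a brute-force search far more than switching character sets at a fixed length.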

Can you see where this is going?

Sudoku puzzles have numbers from 1 through 9!

9 or 10 characters?


Fixed! Sorry. I usually play Sudoku variants.

I could understand that, but I left out that since I was trying to show a simple example of how permutations differ from combinations. As you pointed out, repetitions are allowed in passwords. I actually mention that in the sentence that follows in the next paragraph.

It wouldn't be easy from a design standpoint, because now you're talking about fiddling with the design of the program.

The easiest way to slow down the verification portion of the password authentication process is increasing the number of transformation invocations for key generation. The problem is that this slows down the performance of your machine, even if you have the correct password.

That assumes WinZip and WinRAR support them. To be honest, I haven't looked into that. Though, I'm inclined to believe that neither program supports them.

Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)

I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)

Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.

And being only 15 I think I'm on the right track

The only thing that *really* worries me is the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one). Mother's maiden name? There's a Facebook page for that.

Actually, AccentZIP and AccentRAR are real-world derivatives of the ighashgpu program that ZDNet wrote about. Ivan Golubev actually wrote the code for all three programs and we had the pleasure of working with him to write this article. The difference is that with ighashgpu, you're mainly looking at hash cracking.

Linky Linky


Interesting. According to the article, it seems that the password recovery speed is limited by the internet connection.

I seem to recall seeing someone mention that a pair of 590s was faster than 30000 passwords per second with Elcomsoft's GPGPU document cracker.

Heck, assuming only 2002 SHA-1 transformations, a single GTX 460 would be faster.

http://passwordadvisor.com/TipsUsers.aspx

Would also be interesting to see if Sandy Bridge AES instructions help on brute force.