Tested: Does Ampere Make Password Crackers Useful?
Not if you practice responsible password generation.
If you've ever locked yourself outside of your house or apartment before, you probably know the pain, cost and time associated with hiring a lockpicker to help you get back in. Similarly, if you've ever locked yourself out of an important file, you might know the even greater cost and time of using a password recovery program to regain access to it.
Also called Password crackers, these 100% totally only ever used for legitimate purposes programs aren't necessarily anything new. Still, they tend to be expensive affairs that take longer than a human lifetime to get through well-designed passwords. With Ampere and Big Navi GPUs starting to hit the public, though, companies like Passcovery are advertising that they're more useful. Which could be helpful or threatening, depending on the user.
According to its LinkedIn profile, Passcovery's been around since 2008, but late last week, it issued a major update that allows you to lend Ampere processing power to it. We imagine that Big Navi will be added in due course.
For the unaware, Passcovery is a $40- to $400-per-year tool that specializes in recovering passwords for programs like the Microsoft Office suite as well as for iOS backups and Rar, Zip, and PDF files. It works by first mass-checking a dictionary of possible passwords called collisions against a locked file, then trying random combinations. So if your password is "gap" or "blasphemy," Passcovery would find it almost instantly, as those are "collisions," aka passwords already stored in its library. Otherwise, the program says that the average password recovery time (after the update) for something like a Word file is two hours.
That's supposedly 5-8 times faster than before, thanks to GPU acceleration including RTX 3000 and, eventually, Big Navi graphics cards. Code optimizations have also helped. For instance, the company said that while an earlier version of Passcovery running a GTX 1060 GPU could only try 669,000 passwords per second, the new suite can try up to 3.4 million passwords per second on the same hardware. (That's for Zip password cracking, incidentally.)
So, how helpful or dangerous is this? We downloaded the free demo to try out. Using a password-protected Microsoft Word document, our editor Jarred Walton put Passcovery to the test. He has a nine-character password protected Word document that only uses lower case letters, numbers, and a single exclamation point. Using those constraints and a brute force attack, he ran the demo on his computer, which has an RTX 3090 and an Intel Core i9-9900K, to see how quickly it would take to unlock the file.
The ETA? 141 years. And that's with a little help. If you want to do a full brute force attack, including capital letters and all special characters, it gets much worse. For a Word file, with a 10 character password length, the program says, "Sorry, but number of passwords is way too much to check in finite time. Please change the settings." Our take: Don't use a complex password, then forget it and hope one of these recovery tools will get you out of a jam. (No, Jarred didn't forget his password. This was merely a test.)
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
While Passcovery does work well to find passwords it already has collisions with, or any passwords that are just dictionary words, this means that even with the power of next-gen GPUs, the average person shouldn't have anything to worry about yet so long as you practice even modest password security guidelines.
Granted, if you get a whole farm of these programs all attacking the same file at once, you might run into issues. But unless you're a high level head-of-state or business executive, that's probably out of your concern.
Still, this program has potential personal use if you're willing to weaken your own passwords purposefully. Again, Passcovery's advertised default Word password recovery ETA is about two hours after this update. We're assuming that is time spent mostly going through its list of collisions and then through different combinations of letters.
If you limit your personal file passwords to ones that Passcovery can easily crack, you could then get some genuine use out of it. That means always using "well-known words with no special characters," as Passcovery describes it. But that's a big if, and not one we recommend.
While Passcovery is mostly used to crack locally stored files, which means they're less likely to be targeted by hackers, not using numbers or special characters in a password is a big risk in 2020, and kind of defeats the point. You might keep your files safer from prying family members, but that's about it.
There is another use to programs like this, of course, which is preying on the less tech-savvy who don't know how to make secure passwords. But nobody would do that, right?
Michelle Ehrhardt is an editor at Tom's Hardware. She's been following tech since her family got a Gateway running Windows 95, and is now on her third custom-built system. Her work has been published in publications like Paste, The Atlantic, and Kill Screen, just to name a few. She also holds a master's degree in game design from NYU.
-
Darkbreeze Why is this even an article on what is supposed to be a reputable tech site? In the past we'd have likely deleted any post like this that came up in the forums. The fact that it's not actually IN the forums, shouldn't make much difference. It's bad form.Reply -
Olle P What I get out of this article is thatReply
Strong passwords are still difficult to brute force.
It's possible to recover ones own files if you know parts and/or some details of the password used, greatly reducing the remaining number of options. -
nofanneeded Quantum computing will change all that ... which can be 10^8 faster per core ( yes 100 millions times faster) in some calculationsReply -
JarredWaltonGPU
A PR blast went out from the company. This is not the type of PR coverage they're looking for, of course, because we just showed that it's basically a scummy program. And we then took time to provide a PSA effectively saying, "Make sure you use strong passwords." We debated coverage vs. no coverage, and felt that not covering it didn't mean the information wouldn't get out to the people who would use this sort of program, and second we could provide some real-world testing with a 30-series GPU and discuss our findings. We did both.Darkbreeze said:Why is this even an article on what is supposed to be a reputable tech site? In the past we'd have likely deleted any post like this that came up in the forums. The fact that it's not actually IN the forums, shouldn't make much difference. It's bad form.
The basic PR is about how awesome Passcovery is and how it can crack a Word document password in about two hours. The reality is that it's not very good at all for anyone with even a modestly secure password. I ran additional tests, using password protected Zip files (which can be attacked much faster than Word docs).
Random 5-character password with upper, lower, number, and symbol. (q9H3#). Passcovery ran through its default test and failed to find the password.
I tried the name of a book (Don Quixote), no caps and no spaces. It's number three on this list of the greatest books ever written. I even used the relatively weak ZIP/Classic password protection, which appears to have a cracking speed of around 200 million passwords per second (!?). Passcovery tried 40 billion passwords and failed to find one.
I tried my name, on an AES-encrypted Zip file, no spaces or caps (jarredwalton). Note that 'jarred' is actually a word, though 'walton' is only a name. Still failed. (I used AES because it's stronger and Passcovery doesn't attempt a brute force of all 7 (?) character and fewer passwords.)
At this point, I wasn't sure the utility worked at all, so I intentionally tried very weak passwords. 'password' was found very quickly and the program reports 'pa*' as the solution. 'godsmack' (a band name) was also found, but took a bit longer. 'hello123' was found after about 20 seconds. 'Hello123' was also found. 'hell0321' was not found.
I went back to the first 'random' password, and ran a brute force attack on the file using all letters (upper and lower case), numbers, and 'special numbers' (basically the shift version of the numbers -- !@#$%^&*() --which bumped the search time to five minutes (the full 'all special characters' search would have required 30 minutes). I had to retest with a second password that I wrote down just to make sure, because this seemed to fail the first time I tried it, but it worked on the second password.
Basically, you have to intentionally use a very weak and/or short password if you want this program to work. The collision range is seemingly large (about 235 million passwords), but when you consider the permutations it ends up extremely limited. Even picking three not-very-random words is generally sufficient to get your password outside the scope of such utilities. For example, 'threewordpass' was not found. Any two English words, no special characters, all lowercase (or maybe only the first letter uppercase -- 'hEllo123' is yet another relatively simple and short password that was not found), and it might work.
So if this were a 'review' we'd be saying:
Pros:
1) There's a trial so you can attempt to crack a document before paying (but only for 30 minutes of searching)
Cons:
This is scammy software that gives a false sense of hope if you've lost a password
It costs way too much and can't crack even modest passwords
The only people likely to use it are probably using it for nefarious reasons
One star -- it gets more than a zero because it actually can crack simple passwords, but people shouldn't use simple passwords. Especially in 2020.
Fun Fact: I have a password protected Word document where I write down all my passwords for important stuff, in case I ever die and my wife needs to get access. She's forgotten the password and existence of this file many times, sadly, so I'm not sure it will help her much in the event of my demise. Also, even with a relatively simple 10 character password, Passcovery could not crack it. A brute force attack of limited complexity has an ETA of 9362 years. Full complexity for Latin only has an ETA of 74,504,186 years. (That's 96 characters to the power of 10, or: 66483263599150104576 potential passwords. Brute force is the death of password crackers.)
But hey, the brute force attack of all 5-character passwords that worked on step 4 would 'only' take 20.3 hours (instead of five minutes for a Zip file). Like I said: scummy and scammy software. -
lolno The quality of articles on this site has taken a real dive lately... you'd think the poster would understand some very basics of hashing, such as the difference between hash collisions and rainbow tables. Good job misinforming your readers.Reply -
JarredWaltonGPU
Tom's Hardware, successfully going downhill since 1996!lolno said:The quality of articles on this site has taken a real dive lately... you'd think the poster would understand some very basics of hashing, such as the difference between hash collisions and rainbow tables. Good job misinforming your readers.
What would a discussion of rainbow tables or hashing functions change in this piece? The software will still fail to crack most passwords of even modest complexity. It's the same old story: if your password is a common word or phrase (whether it's found in a dictionary of passwords or in a rainbow table of precomputed hashes of passwords), it's an insecure password. And if it's not in one of those, then Passcovery and other tools aren't likely to help. -
Darkbreeze Fair enough, but it might have been a lot more palatable to have EARLY in the article, alluded to the fact that the piece was written more for making the point that the software (Which most wouldn't have ever heard of anyhow unless they were already intending nefarious behavior, but now, assuredly, a whole new generation of wannabe kiddie hackers is aware of it) was "scummy and scammy" rather than what it APPEARS to be, which is that these GPUs are powerful and better able to take advantage of illicit software that previously wasn't very effective because it took so long to use, but now works much faster. Not sure I'm convinced either way, and I guess it doesn't really matter what I think, but it IS my opinion, and obviously it's shared as it was discussed elsewhere already anyhow along with some comments here that were in line with those opinions as well.Reply
But as I said, fair enough. Plausible deniability and all that. -
JarredWaltonGPU
It's really not that much faster. Eight times faster than before? That's nothing. One extra character on a password is potentially 96X more complex. The real question is whether or not quantum computing will come along in a practical form and make all of these old-style password schemes pointless. I have my doubts -- serious doubts -- that will ever actually happen, at least in my lifetime, for many reasons. One of the big ones: Google, IBM, Intel, etc. don't want to churn out hardware that will make everything insecure. If QC actually is excellent at breaking passwords, big corporations will keep it out of the public until new security mechanisms are in place. That's my bet. Plus, while QC will be good for certain tasks, even if it's a million times faster at cracking passwords than current PCs ... well, you just make your algorithm 30 bits longer, or add six characters, and it's back to being effectively unsolvable.Darkbreeze said:Fair enough, but it might have been a lot more palatable to have EARLY in the article, alluded to the fact that the piece was written more for making the point that the software (Which most wouldn't have ever heard of anyhow unless they were already intending nefarious behavior, but now, assuredly, a whole new generation of wannabe kiddie hackers is aware of it) was "scummy and scammy" rather than what it APPEARS to be, which is that these GPUs are powerful and better able to take advantage of illicit software that previously wasn't very effective because it took so long to use, but now works much faster. Not sure I'm convinced either way, and I guess it doesn't really matter what I think, but it IS my opinion, and obviously it's shared as it was discussed elsewhere already anyhow along with some comments here that were in line with those opinions as well.
But as I said, fair enough. Plausible deniability and all that.
I also sit firmly in the camp of not trying to hide things from people. The 'bad people' wanting to use password crackers are surely already aware of tools that are far more damaging the Passcovery. If someone first learns of it here and ultimately tries to put it to use for nefarious purposes ... I'm not feeling very threatened by such a user. "Tom's Hardware says this thing isn't very good at cracking passwords. I'll show them!" -
Darkbreeze It doesn't really matter how you or I feel about it, it's a matter of how does it look to the average person viewing articles like this through the microscope of their own perceptions. I just think it's contrary to the kinds of things TH has always stood for, but it's ok. As you say, there's been a decline in that regard for a while now and no one article is going to facilitate the demise of this community. It's not that bad really, but it just kind of leaves a bad taste in the mouth of members and moderators that have been trying to help preserve the purity of the product for a long time now. Anyhow, that's just my opinion anyway. No big deal.Reply -
jkflipflop98 JarredWaltonGPU said:It's really not that much faster. Eight times faster than before? That's nothing. One extra character on a password is potentially 96X more complex. The real question is whether or not quantum computing will come along in a practical form and make all of these old-style password schemes pointless. I have my doubts -- serious doubts -- that will ever actually happen, at least in my lifetime, for many reasons. One of the big ones: Google, IBM, Intel, etc. don't want to churn out hardware that will make everything insecure. If QC actually is excellent at breaking passwords, big corporations will keep it out of the public until new security mechanisms are in place. That's my bet. Plus, while QC will be good for certain tasks, even if it's a million times faster at cracking passwords than current PCs ... well, you just make your algorithm 30 bits longer, or add six characters, and it's back to being effectively unsolvable.
I also sit firmly in the camp of not trying to hide things from people. The 'bad people' wanting to use password crackers are surely already aware of tools that are far more damaging the Passcovery. If someone first learns of it here and ultimately tries to put it to use for nefarious purposes ... I'm not feeling very threatened by such a user. "Tom's Hardware says this thing isn't very good at cracking passwords. I'll show them!"
Actually, Intel/AMD/Nvidia/IBM/Whoever would love to be the first to market a full-on quantum chip to the masses. Imagine the buying frenzy that would ensue once you know that anyone with one of these fancy new quantum PCs can just walk right into your system like you left the keys in the lock.
Great article, Jarred. As usual.