If you've ever locked yourself outside of your house or apartment before, you probably know the pain, cost and time associated with hiring a lockpicker to help you get back in. Similarly, if you've ever locked yourself out of an important file, you might know the even greater cost and time of using a password recovery program to regain access to it.
Also called password crackers, these 100%-totally-only-ever-used-for-legitimate-purposes programs aren't necessarily anything new. Still, they tend to be expensive affairs that take longer than a human lifetime to get through well-designed passwords. With Ampere and Big Navi GPUs starting to hit the public, though, companies like Passcovery are advertising that they're more useful. Which could be helpful or threatening, depending on the user.
According to its LinkedIn profile, Passcovery's been around since 2008, but late last week, it issued a major update that allows you to lend Ampere processing power to it. We imagine that Big Navi will be added in due course.
For the unaware, Passcovery is a $40- to $400-per-year tool that specializes in recovering passwords for programs like the Microsoft Office suite as well as for iOS backups and Rar, Zip, and PDF files. It works by first mass-checking a dictionary of possible passwords called collisions against a locked file, then trying random combinations. So if your password is "gap" or "blasphemy," Passcovery would find it almost instantly, as those are "collisions," aka passwords already stored in its library. Otherwise, the program says that the average password recovery time (after the update) for something like a Word file is two hours.
That's supposedly 5-8 times faster than before, thanks to GPU acceleration including RTX 3000 and, eventually, Big Navi graphics cards. Code optimizations have also helped. For instance, the company said that while an earlier version of Passcovery running a GTX 1060 GPU could only try 669,000 passwords per second, the new suite can try up to 3.4 million passwords per second on the same hardware. (That's for Zip password cracking, incidentally.)
So, how helpful or dangerous is this? We downloaded the free demo to try it out. Using a password-protected Microsoft Word document, our editor Jarred Walton put Passcovery to the test. He has a Word document protected by a nine-character password that only uses lowercase letters, numbers, and a single exclamation point. Using those constraints and a brute force attack, he ran the demo on his computer, which has an RTX 3090 and an Intel Core i9-9900K, to see how long it would take to unlock the file.
The ETA? 141 years. And that's with a little help. If you want to do a full brute force attack, including capital letters and all special characters, it gets much worse. For a Word file with a 10-character password, the program says, "Sorry, but number of passwords is way too much to check in finite time. Please change the settings." Our take: Don't use a complex password, then forget it and hope one of these recovery tools will get you out of a jam. (No, Jarred didn't forget his password. This was merely a test.)
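To put the numbers above in context, here is a small search-space estimator, added as an illustration and not taken from Passcovery or the original article. It assumes the test covered exactly nine characters with exactly one "!" and 36 lowercase-or-digit symbols elsewhere, and that "all special characters" means the 95 printable ASCII characters; the function names are hypothetical.

```python
from math import comb

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length, base_size, special_size=0, special_count=0):
    """Count candidates of exactly `length` characters where `special_count`
    positions come from a special set and the rest from the base set."""
    if special_count > length:
        return 0
    return (comb(length, special_count)          # where the special chars sit
            * special_size ** special_count      # which special chars
            * base_size ** (length - special_count))

def years_to_exhaust(space, rate_per_sec):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / rate_per_sec / SECONDS_PER_YEAR

def implied_rate(space, eta_years):
    """Guess rate (per second) that a quoted ETA implies for a given space."""
    return space / (eta_years * SECONDS_PER_YEAR)

# Assumed reading of the article's test: 9 chars, a-z + 0-9, exactly one '!'.
ARTICLE_SPACE = keyspace(9, 36, special_size=1, special_count=1)
# Assumed "full" brute force: 10 chars from 95 printable ASCII symbols.
FULL_SPACE = keyspace(10, 95)
# Zip rates quoted in the article for a GTX 1060 (old vs. new version).
ZIP_RATES = {"old": 669_000, "new": 3_400_000}

def summary():
    word_rate = implied_rate(ARTICLE_SPACE, 141)  # from the 141-year ETA
    return {
        "article_space": ARTICLE_SPACE,
        "implied_word_rate": word_rate,
        "zip_years": {k: years_to_exhaust(ARTICLE_SPACE, r)
                      for k, r in ZIP_RATES.items()},
        "full_space_years_at_word_rate": years_to_exhaust(FULL_SPACE, word_rate),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
```

Under those assumptions the 141-year ETA corresponds to only a few thousand guesses per second against the Word file, far below the quoted Zip rates, which shows that how expensive each guess is for a given file format matters as much as the password itself.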
While Passcovery does work well to find passwords it already has collisions with, or any passwords that are just dictionary words, this means that even with the power of next-gen GPUs, the average person shouldn't have anything to worry about yet, so long as they practice even modest password security guidelines.
Granted, if you get a whole farm of these programs all attacking the same file at once, you might run into issues. But unless you're a high-level head of state or business executive, that's probably not your concern.
Still, this program has potential personal use if you're willing to weaken your own passwords purposefully. Again, Passcovery's advertised default Word password recovery ETA is about two hours after this update. We're assuming that is time spent mostly going through its list of collisions and then through different combinations of letters.
If you limit your personal file passwords to ones that Passcovery can easily crack, you could then get some genuine use out of it. That means always using "well-known words with no special characters," as Passcovery describes it. But that's a big if, and not one we recommend.
While Passcovery is mostly used to crack locally stored files, which means they're less likely to be targeted by hackers, not using numbers or special characters in a password is a big risk in 2020, and kind of defeats the point. You might keep your files safer from prying family members, but that's about it.
There is another use to programs like this, of course, which is preying on the less tech-savvy who don't know how to make secure passwords. But nobody would do that, right?