Skip to main content

Harden Up: Can We Break Your Password With Our GPUs?

Password Cracking: CPU-Powered

There are a myriad of programs to choose from for recovering passwords, but two most popular programs are Advanced Archive Password Recovery and Visual Zip Password Recovery Processor. When I lost the password to my WinZip file, I was able to use the first to recover a seven-character-long password within 20 minutes. But this got me a bit curious. How fast was my computer searching for passwords? What would have happened if I had used a stronger encryption method, like AES-128?

More important: are all of your password-protected archives really only 20 minutes away from being opened by someone who shouldn't have access to them?

Brute-Force Attack SpeedPasswords Per SecondAdvanced Archive Password RecoveryVisual Zip Password Recovery Processor
Compression: NoneEncryption: Zip 2.028 357 31120 943 157
Compression: None Encryption: AES-1289715fail
Compression: None Encryption: AES-2569713fail
Compression: Zip Encryption: Zip 2.028 492 73320 888 938
Compression: Zip Encryption: AES-1289733fail
Compression: Zip Encryption: AES-2569760fail
Compression: RAR Store Encryption: AES-128213-
Compression: RAR Store Encryption: AES-128, File Names202-
Compression: RAR Normal Encryption: AES-128213-
Compression: RAR Normal Encryption: AES-128, File Names202-

As you can see, compression has a minor effect on the speed at which you can try plugging in passwords, but the biggest weakness is in the older Zip 2.0 encryption scheme. As a result, a five-character password is detected in just a few seconds because you can crunch about 28 million passwords per second using a Core i5-2500K. Visual Zip also found the correct password in the Zip 2.0 encryption method, but due to a software problem, it cannot detect a password of any length encoded in AES-128.

Of course, this doesn't really tell the full story. We don't care about speed for the sake of showing off what a new CPU can do (though this could, in fact, make an interesting benchmark). We care about it because it affects the speed at which I can recover a password.

Total Time for Search If You're Churning Through 28 Million Passwords/SecondPasswords Between 1 and 4 CharactersPasswords Between 1 and 6 CharactersPasswords Between 1 and 8 CharactersPasswords Between 1 and 12 Characters
Lower-caseinstant11 seconds2 hours112 years
Lower-case and Upper-caseinstant12 minutes22 days451 345 years
All ASCII characters3 seconds7 hours8 years701 193 345 years

Even if you assume that you can try 28 million passwords per second, your chances of guessing the right one get increasingly dim as you move to longer passwords and larger character sets. Spending a whole month to crack an eight-character password composed of letters isn't a terrible prospect if the protected data is really important. But 700 million years is probably too long to ask you to wait.

Fortunately, Advanced Archive Password Recovery allows you to pause and save the position of your search. And, if you have a few computers at your disposal, you can really cut down on the time investment by distributing the workload. Getting scared yet?