Yesterday I was contacted by a friend who was attempting to find the password to open some things she’d written in 2009 or so. To be clear, this was Microsoft Word encryption, not a password to modify. You could not open the document sans password and the contents were encrypted and could not be pulled by looking at the source to the document.
TL;DR – I am not putting the name of the product that worked here. This is a series of events and even though said product worked, we were astoundingly lucky. This is just a series of things that happened.
That trick of renaming a .doc/.docx to a .zip? No, that also only works against the password-to-edit feature. Also, as a note, Microsoft says there’s no way to do this. No, all the youtubes are for wrong! (yes, that last sentence was in Hyperbole and a Half.)
Her documents were encrypted with a password she said she thought she’d never forget. Yeah. About that.
We knew it was a word or two, no numbers, and if it were mixed case only the first letter would be capitalized. That narrowed the possibilities to about 30,000 common words, of which we’d assume she’d picked from maybe 5000; at two words that’s maybe 25 million possible passwords, and 50 million if the caps were used, if we were lucky. A 9-18 hour dictionary attack at the rates I was assuming we’d get.
I decided to put the new machine to it as other than sitting around bitcoin mining it was pretty inactive.
My first hurdle was finding software that works. You search for MS Word password recovery, you get a lot of options including several that don’t recover passwords, they simply remove the password required to edit or modify a document.
Now, the average user who is searching for these, I’m assuming, is in a blind panic, not realizing that every one of these programs that claims to be free isn’t, and is willing to pay the piper in an attempt to crack a password.
I tried several Word password recovery sites, programs, and such that were misstating what they do (removing a password to modify a Word document is not cracking or recovering an encryption password), and many that would string you along, looking like they were working for several minutes (let’s say 5) before saying “the password is longer than 3 characters, you need to pay us $40 to continue.” Uh, yeah: at about 90 possible letters/symbols per position and 3 positions, that’s 730K passwords checked in 5ish minutes, and the password would have come up somewhere between attempts 47,829,690,000,000 and 4,304,672,100,000,000.
In other words we’d be dead about the time it got to it. 9000-1.3 million years in the future. May have mathed that wrong, but over a week at least.
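As an added check of the arithmetic in the two paragraphs above (example code added here, not the post’s own), this computes the candidate counts and worst-case search times from the post’s stated assumptions: a 5000-word list, one or two words, optional initial capital, 48K tries a minute on the GPU, and the trial tool’s 90 symbols per position at 730K tries per 5 minutes.

```python
# Added example (not code from the original post): keyspace and worst-case
# search-time arithmetic for the two password models the post reasons about.
# Word counts, alphabet size and tester rates are the post's own estimates.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def dictionary_keyspace(words: int, max_words: int = 2, cap_first: bool = True) -> int:
    """Candidates made of 1..max_words words drawn from a list of `words` entries.

    With cap_first, each candidate also exists with its first letter
    capitalized, doubling the count (the post's 25M -> 50M step)."""
    total = sum(words ** n for n in range(1, max_words + 1))
    return total * 2 if cap_first else total


def bruteforce_keyspace(alphabet: int, length: int) -> int:
    """Candidates of exactly `length` positions over `alphabet` symbols."""
    return alphabet ** length


def worst_case_minutes(candidates: int, rate_per_minute: float) -> float:
    """Minutes to exhaust every candidate at a fixed tester rate."""
    return candidates / rate_per_minute


def worst_case_years(candidates: int, rate_per_minute: float) -> float:
    return worst_case_minutes(candidates, rate_per_minute) * 60 / SECONDS_PER_YEAR


def estimates() -> dict:
    """The post's scenario: 5000 usable words, up to 2 of them, optional
    capital, GPU tester at 48K/min; plus the free-trial tool's 90-symbol
    alphabet at 730K tries per 5 minutes, extended to 7 and 8 positions."""
    dict_space = dictionary_keyspace(5000)
    trial_rate = 730_000 / 5  # tries per minute observed in the trial run
    return {
        "dictionary_candidates": dict_space,
        "dictionary_hours_at_48k_per_min": worst_case_minutes(dict_space, 48_000) / 60,
        "brute_7": bruteforce_keyspace(90, 7),
        "brute_8": bruteforce_keyspace(90, 8),
        "brute_7_years_at_trial_rate": worst_case_years(bruteforce_keyspace(90, 7), trial_rate),
        "brute_8_years_at_trial_rate": worst_case_years(bruteforce_keyspace(90, 8), trial_rate),
    }


if __name__ == "__main__":
    for name, value in estimates().items():
        print(f"{name}: {value:,.1f}" if isinstance(value, float) else f"{name}: {value:,}")
```

The dictionary estimate lands at roughly 17 hours, in line with the 9-18 hour figure above.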
Knowing that it was words and no numbers, somewhere around the 7th piece of software I tried, I threw a dictionary attack at it, and 17 minutes later, with the GPU pegged at 100% the entire time, the password was discovered. It was one word, 9 letters long. The dictionary attack claimed it was pushing about 48K passwords a minute on a pretty decent GPU.
I was shocked that we got it. The software looked like crap, updated its visuals once every minute or so, and just popped out the word it was working on. No pause/resume, only stop (meaning if I stopped it, that was that: start over), and yeah. The idea that I’d done what should be a 9 hour minimum in 17 minutes was also blowing my mind. By blowing my mind I mean slightly interesting as a note. This was not exciting. I figure I still did the math wrong somewhere.
During this time I was working on a couple of machines and tried nine different password recovery programs. One of which, and I really wish I’d kept better notes on this, flagged as a trojan. That piqued my interest, so I slapped it in Windows Sandbox, ran it, and it did a whole lot of things to the sandbox’s registry and claimed that the documents I was attempting to decrypt had no password or were damaged. Nope, just a trojan that advertised on AdSense attempting to install *something*.
What it was, no clue. It’s gone with the sandbox.
Overall, she got extremely lucky due to an effectively shitty password. I got lucky because I didn’t run a virus/malware in desperation outside of Windows Sandbox.
I cannot stress enough that unless you make bad passwords, or short passwords, on a regular basis, I do not believe these password crackers will offer any benefit at all, and they’re all $30-$40 a pop to even get to the point where you can tell if they’re doing anything.
Dearest password recovery people – rather than wasting 10 minutes of time running a 3-4 character attack, perhaps offer the full version except don’t give out the password if you find it, and charge at that point: “well yes, we’ve found the password, done the work, we promise this is good, give us $40 and you can have your password.”
But if you think you had a shitty password when you encrypted all your MySpace poems in a word document titled “My top 8 heartbreaks” go ahead and look at password recovery software.