There are several methods for recovering the original password ranging from brute force to very complex rule-based attacks. Brute-force attacks are a last resort when all other options are exhausted. What can you reasonably expect of a brute-force attack, what is the chance of success, and how does it depend on the password and the data? Or just “how long will it take you to break it”? Let’s try to find out.

The brute force attack

Encrypted volumes, archives, mobile backups, Microsoft Office documents and other types of data employ secure encryption based on a long encryption key. Attacking binary encryption keys without a currently non-existing quantum computer is pointless, so we have to resort to attacking the original password, which at least gives us a chance of success. Therefore, we’re back to attacking the good old plain-text password to decrypt the data.

In this context, ‘attacking’ a password would mean trying various password combinations to find one that fits. There are different types of attacks. For example, the brute force attack would simply try all possible password combinations starting with “0” and followed with “1”, “2”, …, all the way to “ZZZZZZZZZ” or whatever the last character or special symbol there is instead of the “Z” in the chosen character set.

Since brute force is extremely inefficient for longer passwords, other types of attacks were invented to reduce the number of passwords to try. Dictionary attacks try using words from the dictionary of English language (and/or the user’s native language) as possible passwords. This would commonly include phrases and mild mutations, such as “Password1979” or “LisaPassword1”.

Dictionaries can be built from passwords extracted from other sources (e.g. from Web browsers). ElcomSoft offers a number of tools allowing to extract available passwords from the user’s computer and automatically build a custom dictionary.

So, technically speaking, there are several things affecting how fast you can break the password:

• The number of passwords to try
• Recovery speed measured in the number of passwords we can try per second

Password length and smart attacks

The number of passwords to try depends both on the length and complexity of the password itself as well as on the type(s) of attack we choose to break a given password.

Let’s clear password complexity first. Let’s look at the following charts:

You can see that password recovery speeds vary greatly depending on the data format (more on that later). For Microsoft Office 2013 documents, we can realistically try about 7000 passwords per second if we use a single GPU acceleration unit. What does that mean, exactly? It depends on how many passwords you are about to try.

Using an online password strength meter, we can calculate the exact number of possible combinations for passwords of different length and complexity. A simple password that consists of 6 lower-case letters and no numbers already has 309 million possible combinations. With a computer equipped with a GTX 1080 board that is capable of trying 7100 passwords per second (Microsoft Office 2013) you’re looking at 12 hours of straight brute-forcing. Bump the password to 8 characters, add upper-case letters and include numbers, and you’ll have 2.8 trillion possible combinations. This takes 12.5 years to break.

In other words, you’re looking at the following real-world recovery speeds:

As you see, the answer to “how long will it take?” depends greatly on the password itself.

Of course, you can limit the scope of the recovery by either using a custom dictionary consisting of user’s real passwords, or employing a readily available dictionary that consists of 10,000 most popular passwords from the recent leaks. This gives you a certain chance to break even the most complex password in a matter of minutes. These two methods are discussed in the following chapters.

Factors affecting attack speeds: password length, complexity, data format and hardware

We already posted these charts, but let’s have another look:

As you can see, the speed of attack (the number of passwords a given computer can try per second) depends on two major factors: the encryption algorithm of the protected data format, and the speed and architecture of the computer performing the attack.

The third major factor affecting the speed of the attack would be the password recovery tool itself, its optimization level as well as the ability to make use of available computational resources. We’re using Elcomsoft Distributed Password Recovery, one of the most advanced tools on the market, so at least this factor is not at play.

Depending on the data format, attack speeds may widely differ even when running on the same hardware. And even within a certain data format, the numbers may change depending on the particular implementation of the algorithm. Let’s take one example:

• iOS 9 (CPU): 2,400 passwords per second (Intel i5)
• iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)
• iOS 10.0 (CPU): 6,000,000 passwords per second (Intel i5)
• iOS 10.2+ (CPU): 0.05 passwords per second (or 5-6 per minute) (Intel i5)

Back in 2016, we discovered a bug in iOS 10. Apple screwed security of iTunes backups, allowing us to try some six million passwords per second using a single CPU unit. After we published a report, Apple has quickly fixed the problem. In iOS 10.2, they went overboard and made password recovery speed extremely slow with only 5-6 passwords per minute when using a CPU, or just a few passwords per second when using a GPU. This effectively rules our brute-force attacks, only allowing for highly targeted dictionary attacks.

Another example. Microsoft appears to tighten security with every major release of Microsoft Office. While files saved by Office 97-2000 applications could be recovered near instantly, Office 2010 was already much more secure:

Office 2013 documents become significantly slower to break with only 30 passwords per second using a CPU or about 7100 passwords per second using a GPU. Office 2016 is slower yet. Compare that to over 1 million passwords per second for OpenOffice documents (via GPU), and you’ll begin understanding how much of a difference the data format can make.

What do these numbers mean in real terms? Let’s look at the following table.

You can see that, for example, breaking a Microsoft Office 2013 document with a CPU alone via plain brute force can help you find a 6-character passwords consisting of lower-case letters only in 119 days (on a CPU) or in about 10 hours (if you use a single video card with a powerful GPU for hardware acceleration).

Should the user employ a significantly more complex password such as one consisting of 8 mixed letters (in both cases) and numbers, you’re looking at spending some 975 years brute-forcing that password with a single GPU.

If you have better plans for the next millennium, you can build a powerful cluster to speed up the attack. For example, you can equip each computer with 4 high-end video cards, which will cut the time from 975 years to “only” 243 years. From there, you can start adding computers to your cluster. Use a cluster of 500 computers, and you’re looking at 6-month timeframe for breaking that password. Whether it’s worth it or not is another story.

What if the user has at least one special character (such as #, $ or %) in their password? The use of special characters increases the time required to break the password by the factor of 33, meaning that the password you thought would only take a day to recover will suddenly require a full month of crunching.

You can play with the number of possible combinations by using the following password strength meter:

Password Meter – A visual assessment of password strengths and weaknesses (uic.edu)

As an example, let’s take the simplest password that only consists of one character.

• Numbers only: 10 possible combinations
• Small letters only: 26 combinations
• Numbers and small letters: 36 combinations
• Numbers, small and capital letters: 62 combinations
• Numbers, letters in both cases, and special characters: 95 combinations

Calculating the number of passwords consisting of those character sets is as easy as raising the number of (possible combinations) to a power of (password length).

For example, a numerical password consisting of two digits has 10^2, or 100 possible combinations.

A 6-character password that consists of small letters only will have 26^6, or 308,915,776 combinations, and so on.

Conclusion

Knowing just how long it will take to break passwords of a certain length (number of characters) and complexity (the character set) allows calculating the resources you’ll need to break that password during a set period of time, or calculate the period of time it will take to break that password with your existing resources. Statistically, passwords are frequently reused, so a dictionary attack based on the user’s existing passwords may have a greater chance of success compared to plain brute-force. If no information about the user’s existing passwords is available, a dictionary attack based on the top 10,000 most common passwords followed by an attack using an English and/or native language dictionary might work. Brute-force attacks should be left for attacking shorter and simpler passwords such as PIN codes or digit-only passwords.