Knowledgebase : Password recovery

In modern world strong passwords are used by most applications and services. In case of strong password the recovery process may consume a very long time. Elcomsoft offers the solutions which significantly increase password recovery speed.

First of all you have to try all possible fast attacks: Dictionary and Brute-Force with mask. If you have tried those attacks with no success, only plain Brute-Force gives you a chance to recover a password.

  • Distributed computing. Use power of all available computers to get your password. We offer Elcomsoft Distributed Password Recovery, very powerful tool that supports hundreds of file formats.  
  • GPU acceleration. You can use modern graphic cards to accelerate password recovery. Our programs support AMD and Nvidia GPUs. Please read our GPU FAQ to get more information.

Password recovery for new file formats can be a very complicated task and may take a long time. In modern world password recovery speed becomes slower and slower, so simple Brute-force or Dictionary attack is not enough for effective password breaking. We can try to use the "human factor" for password recovery. Most of people don't use randomly generated strong passwords because they are very hard to remember. People invent they own password creation rules and think their passwords are strong.

For example, the rule can be as follows:

[My name] [Year of birth] [Some random characters, easy to remember] 

And the possible passwords are:


These passwords are very weak but cannot be recovered using simple Brute-force or Dictionary. We created our advanced attack engine to help to recover such passwords. 

The following attacks are available:

Word attack

This attack tries all possible variations of the given word and applies all possible mutations to each variation.

Dictionary attack

Dictionary options

Press "Add" to add dictionary file(s) to the list, "Remove" to remove the selected one(s), and "Up/Down" to change an order. 

Password mutation options

Here you select the name of the dictionary file, as well as the options that affect the speed and efficiency of the attack. All mutations are divided into a several 'classes' (described below). The program can set the mutation 'level' for every type, that allows to select between speed and efficiency. With the minimum level, the program checks only lowercase passwords, and performs basic mutations only: e.g. Border mutation uses not all special characters, but only digits, and only at the end of the password. For an intermediate level, more special characters are being used (both as prefix and as a suffix); and uppercase characters are also tested. At the maximum level, even more advanced prefixes and suffixes are added, but of course, it runs much slower (as far as more variations are checked).

  • Case mutation: the program checks variations of uppercase/lowercase characters. 
  • Digit mutation: adding several digits to the dictionary word as prefix and suffix. 
  • Border mutation: similar to the above, but adding not only digits, but also most commonly used combinations like 123, $$$, 666, qwerty, 007, ххх etc.; in addition, adding some chars at both end of the word, e.g. #password#, $password$ and more. 
  • Freak mutation: replacing some characters (one or more); for example, the word password will also generate p@ssword, p@$$word and p@$$w0rd. 
  • Abbreviation mutation: some commonly-used abbreviations like ihateyou - ih8you, loveyou - loveu, foryou - 4u etc. 
  • Order mutation: reversing the order (password - drowssap), repeating the word (password - passwordpassword), adding the reversed word (password - passworddrowssap). 
  • Vowels mutation: playing with vowels, e.g. psswrd, PaSSWoRD, pAsswOrd etc. 
  • Strip mutation: removing one char, e.g. assword, pssword, pasword... 
  • Swap mutation: replacing some characters, e.g. apssword, psasword, password... 
  • Duplicate mutation: duplicating the characters, e.g. ppassword, paassword, passsword, passwword etc. 
  • Delimiter mutation: adding delimters between characters: p.a.s.s.w.o.r.d, p+a+s+s+w+o+r+d, p-a-s-s-w-o-r-d. 
  • Year mutation: adding the year (four digits) at the end of the word: password1973, password2002.

Mask attack

With the mask attack, you can check for passwords with the known/complex structure. In the Mask field, you can select the mask using the following options:

  • ?? - the '?' symbol itself 
  • ?c - small Latin character (from 'a' to 'z') 
  • ?C - large Latin character (from 'A' to 'Z') 
  • ?$ - one of the special characters (small set): !@#$%^&*()-_+= and space 
  • ?@ - one of the special characters (large/complete set): !\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ and space 
  • ?# - any printable character with the code from 0x20 to 0x7F 
  • ?d - one digit (from 0 to 9) 
  • ?w[dictionary_name.udic] - words from dictionary
  • ?d(min-max) - a number from min to max. 
  • ?1..9(min-max) - min..max characters from custom set, min >= 0 

In order to use the last option, you should also create your (custom) own character set (below); each set has its own number. For example, assume that you password is formed as follows:

  • one capital letter 
  • from 3 to 5 small letters 
  • special character (from large set) 
  • from one to three digits 

In that case, the mask is going to be (assuming that the custom charset containing all small letters is created; if it is the only one, it will have the number 1):


Once the mask is properly set, you will see the Password total (the total number of passwords that fits into this mask), and Password range (first and last passwords to be checked):

Combination attack

This attack allows to test passwords that consist of two words, each of them taken from the dictionary (word list). Select the dictionaries in Dictionary 1 and Dictionary 2 fields (you can use the same file or different ones); and the additional options are:

  • Check upper- and lower-case combination 
  • Use word delimiters 
  • Use extra mutations 

With the first option, the program will try to capitalize the first letter of each word, i.e. testing all four combinations. The second option (Use word delimiters) allows to set the different characters (like dash and underline, though you can set any other ones as well) to be used between words. Finally, you can apply extra mutations to all resulting passwords (Dictionary mutations options will be used). The program tries to estimate the total number of passwords instantly, but mutations will not be counted (it is virtually impossible to do that).

Hybrid attack

This attack is similar to Dictionary attack described above, but all mutations are set by the user. Here you can select one or more dictionaries (wordlists), as well as several mutation rules. The rules are set in *.rul files; here are the ones coming with the program:

  • Common.rul – common mutation rules 
  • Dates.rul – date mutations 
  • L33t.rul – l33t 'language' 
  • Numbers.rul – manipulations with numbers 

The actual contents of *.rul file starts with [Rules] section (all text before this tag is ignored). Maximum length of one rule is 256 bytes. Maximum length of the output word (generated by the rule) should not exceed 256 characters, too. One line can contain several rules (any ones but aN); they are processed from left to right.

The syntax of mutations is fully compatible with Passcape and InsidePro software, and partially compatible with John the Ripper:

Token Description Example
: Do nothing, use the original input word
{ Rotate left password -> asswordp
} Rotate right password -> dpasswor
[ Delete the first character password -> assword
] Delete the last character password -> passwor
с Capitalize password -> Password
С Lowercase the first character, uppercase the rest password -> pASSWORD
d Duplicate password -> passwordpassword
Reflect password -> passworddrowssap
l Convert to lowercase PassworD -> password 
q Duplicate all symbols password -> ppaasssswwoorrdd
r Reverse password -> drowssap
t Toggle case of all characters PassWord -> pASSwORD
u Convert to uppercase pAssword -> PASSWORD 
V Vowels elite password -> PaSSWoRD
v Vowels noelite password -> pAsswOrd
'N Truncate the word to N character(s) length '4:
password -> pass 
>N Reject the word if it is less than N characters long. 0<=N<=35 (0,1,2,3,4,5,6,7,8,9,A,B,C..Z) >5:
password -> OK
pass -> not checked 
<N Reject the word if it is greater than N characters long. 0<=N<=35 (0,1,2,3,4,5,6,7,8,9,A,B,C..Z) <5:
password -> not checked
pass -> OK 
aN Check all possible symbol cases for the word. N is a maximal length of the word to apply this rule for. This rule CANNOT be used in conjunction with other ones! a2:
ab -> ab, aB, AB, Ab
abc -> abc 
DN Delete the character at position N D2:
password -> pasword 
pN Copy word N times. N = 3 .. 9 p3:
abc -> abcabcabc 
TN Toggle case of the character at position N. N = 0 .. 9 for the position 0 - 9, N = A .. Z for the position 10 - 35 T3:
password -> pasSword 
zN Duplicate the first character of the word N times. N = 1 .. 9 z2:
password -> pppassword 
ZN Duplicate the last character of the word N times. N = 1 .. 9 Z3:
password -> passwordddd 
$X Add character X to the end of the word $s:
password -> passwords 
^X Insert character X at the beginning of the word $1:
password -> 1password 
@X Remove all characters X from the word @s:
password -> paword 
!X Reject the word if it contains at least one character X  !a:
password -> not checked
Ohio -> OK 
/X Reject the word if it does not contain character X !o:
password -> OK
Adam -> not checked 
(X Reject the word if the first character is not X (p:
password -> OK
Texas -> not checked 
)X Reject the word if the last character is not X )a:
password -> not checked
Anna - OK 
%MX Reject the word if it does not contain at least M instances of the character X %2s:
password -> OK
Nexus -> not checked 
=NX Reject the word if the character at position N is not equal to the X  =0p:
password -> OK
John -> not checked 
iNX Insert the character X in position N i2S:
password -> paSssword 
oNX Overwrite a character in position N with the character X o2S:
password -> paSsword 
sXY Replace all characters X with Y ss$:
password -> pa$$word 
xNM Extract a substring of up to M characters length, starting from position N. M = 1 .. 9 for the length equal to 1 - 9, M = A .. Z for the length equal to 10 - 35 x44:
password -> word 

Your file is protected by a strong password which cannot be found instantly. Software developers are using strong encryption and hashing algorithms for data protection. In this case we cannot guarantee that the password will be recovered.

You can try to do the following steps to get your password: 

  • Run the Dictionary attack with all possible dictionaries. People usually use dictionary words as passwords. If the program allows to use dictionary mutations - use all of them. 
  • If the program supports Elcomsoft advanced attacks, please read this KB article and try to use all available information about your password.
  • If the Dictionary attack fails you have to try the Brute-Force. If you know some characters of the password, please try "Brute-force with mask". In this attack you also can set your specific character set if you have some assumptions about it. You have to understand that Brute-force attack for long and complicated passwords can take a lot of time. 
If attacks are running very slow, you can speed-up the password recovery process using the GPU acceleration or using multiple computers. Our programs support NVidia and AMD graphic cards. You can try our Elcomsoft Distributed Password Recovery to build your own password recovery cluster.
In a brute force attack, the program tries to guess your password by trying every single combination of characters until your password is found. For example, the program might follow a sequence like this: "aaaaaaaa", "aaaaaaab", "aaaaaaac" etc until the password is found. Obviously, this method will take time, for an eight character lowercase alpha password there are 200 Billion combinations to be checked. But with modern computers this sort of attack doesn't take as long as you might think. The brute force attack is the slowest method of password attack, but can often be successful on short and simple passwords.
With a dictionary attack, the program tries every word in a dictionary or multiple-dictionaries until your password is found. This method is popular because it is well known that many people use common words as passwords. Dictionaries with hundreds of thousands of words, as well as special, technical and foreign language dictionaries are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc.