Need to crack someone else's password?

Tool helps investigators unlock passwords and crypto keys

Passwords are intended to let only authorized users access files and information while keeping everyone else out. But what do you do when, for a legitimate reason such as an investigation, you need to know someone’s password?

If you don’t have the owner’s cooperation, there are tools available to help locate or guess passwords and cryptographic keys, such as Passware Kit Forensic, which scans computers for password-protected files and then searches for the passwords using algorithms to uncover them.

Passware is a password recovery and electronic discovery company, whose customers include the Internal Revenue Service, Secret Service, Senate, Supreme Court, and the Defense, Justice and Homeland Security departments. The kit’s tools can enforce password policies or recover passwords.


Related stories:

Access control is easy — unless you're doing it for everyone

Will digital certificates replace passwords?

Crowbar cracks SD cards and retrieves data without a trace


Sometimes the task is easy, even if the passwords are encrypted.

“It’s not really secure,” Passware president Dmitry Sumin said of the Web browser-based encryption commonly used to protect passwords. And Microsoft’s Office 2003 uses a 40-bit encryption key to protect files. “It is possible to find the key based on the file type” in a matter of minutes, he said.

Full-disk encryption, done right, can be nearly impossible to crack, he said. “If the encryption is strong enough, we use dictionary and brute-force attacks.”

The point of strong passwords and encryption is to make guessing keys and passwords through brute-force attacks difficult. But Passware addresses that challenge through distributed computing, harnessing the computing power of multiple workstations to work on a single password or key problem. Software agents installed on networked computers take advantage of unused computing cycles to speed the process. Passware Kit can support hundreds of agents, although adding even a few additional computers on a task can noticeably speed the process, Sumin said.

Passware Kit also supports hardware accelerators, such as graphics processing units and Tableau TACC1441 hardware, to hasten the process.

However, the software does not need to rely solely on chance and brute force. Knowing the encryption algorithms and password policies that protect files can help tell it what to look for, which reduces the odds somewhat.

That still does not guarantee success against a determined adversary with good tools, Sumin said.

“If we’re talking about a highly paranoiac pedophile, it could be impossible to get into the file,” he said. Passware Kit is one more tool in the investigator’s kit. “We are improving the chances.”

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.