If you've already read the article “The Password Recovery Process,” you're aware that we primarily use two methods for password recovery: dictionary-based attack (the preferred option) and brute force with a mask (highly resource-intensive). Below, we'll look at how likely it is to recover a password using each method.
We've compiled an extensive database of the most commonly used passwords — often referred to as “weak” passwords. These passwords, such as “123456,” “password,” “qwerty,” “abc123,” and others, are frequently chosen due to their simplicity and ease of remembering. Our database contains over 3 million such passwords, making files protected by these passwords highly susceptible to attacks.
Recovering a weak password typically takes only a few minutes for our computing cluster, and we offer this service completely free as a courtesy to our users. There's approximately a 22% chance your lost password matches one in our weak-password database. Given how quickly you'll receive an answer, it’s always worth trying.
If our weak password check doesn’t return a match, we move on to a deeper search through our main database of over 20 billion real passwords. To improve success rates, we also apply hybrid attacks that combine elements of dictionary and pattern-based methods. This process is more resource-intensive, can take up to 24 hours for strongly encrypted files (like MS Office 2019 documents or 7z archives), and comes with a fee. Still, the odds are much better: about 61% of recoveries using this method succeed.
A brute force attack theoretically guarantees a 100% success rate since it methodically checks every possible combination. However, the sheer number of possible combinations — even for relatively short passwords — can be astronomically high. For example, a 10-character password has 60 quintillion (60 × 1018) potential combinations, an impractical number even for supercomputers — and your wallet.
Therefore, brute force with a mask is most practical when you have partial knowledge about your password, such as its exact or maximum length and the specific set of characters used. For instance, an 8-character password using only uppercase English letters yields approximately 217 billion combinations — a feasible task for our GPU servers. Increasing the length to 9 characters pushes combinations up to 5 trillion. This task is considerably harder but remains manageable with sufficient resources and financial investment, typically requiring one to two weeks with our computing cluster.
We guarantee a 100% success rate provided that the mask you specify is correct. Even a small error or overlooked character can result in unsuccessful recovery.
Below is a summary table of the success probabilities for each password recovery method:
| Recovery Type | Estimated Time | Price | Success rate |
|---|---|---|---|
| Weak Password Recovery | Within a few minutes | Free | ≈ 22% |
| Strong Password Recovery | Up to 24 hours | From $29.00 | ≈ 61% |
| Brute Force | Time depends on mask complexity | On Request | 100% (if the mask is accurate) |
Copyright © 2017-2025 LostMyPass.com
