If you have already read the article “The Password Recovery Process,” then you know that we use two methods to recover passwords: brute force by dictionary (the best option) and brute force with a mask (very resource-intensive work). Next, we will calculate the chances of recovering the password for each method.
We have collected quite a good database of the most popular (or weak, in other words) passwords. These are commonly used passwords that have been repeatedly chosen by different people to protect their personal data. The top list begins with the well-known “123456,” “password,” “qwerty,” “abc123,” etc., and contains more than 3 million of the most popular passwords. Such passwords are often used because of user laziness and unwillingness to remember a complex password, which makes it very vulnerable to a hacker.
Recovering a weak password is only a few minutes of work for our computing cluster. We do this for free as a gift to our visitors. The chances that your lost password is in the list of weak passwords is about 22%. But, considering the instant results, it's worth trying.
If the weak password attack was unsuccessful, we proceed to the second stage: the search through the main password database. The database contains more than 20 billion real passwords. Searching through such a large dictionary takes much more time (up to 24 hours for strong encrypted files like MS Office 2013 documents and 7z archives) and costs some money. But the chances that you will recover your lost passwords are much higher: according to our statistics, the search ends successfully in 61% of cases.
A brute force attack has a 100% chance of success, because it is a direct search through all possible variants. But you need to remember that the number of variants even for a comparatively short password is very large. For example, there are 67 quintillion (67 * 1018) possible variants for a 10-character password. This is an almost impossible task for most supercomputers, and for your wallet.
So, a brute force attack is usually used when you know the password structure. For example, you know the maximum (or better, exact) length of the password and the set of symbols used in it. Let’s say the lost password has an 8-character length and consists only of the English alphabet letters in the uppercase, so there are only 217 billion variants. This is not an impossible task for a powerful GPU server. If the password length is 9 characters, then the number of possible variants increases to 5 trillion. That task is much more complicated, but with a strong desire and your financial support, it is quite solvable: it would take a week or two for our computing cluster to find such a password.
We guarantee 100% success if you specify the correct mask, that is the most important condition. Even one small mistake, a digit or a sign that was not taken into account, can lead to a fiasco.
Summarizing all the above, we compiled a table of chances for successful password recovery:
| Type of attack | Duration | Cost | Chances for success |
|---|---|---|---|
| Weak password recovery | A few minutes | Free | ≈ 22% |
| Strong password recovery | Up to 24 hours | from $9 | ≈ 61% |
| Brute force with a mask | Depends on the mask and its complexity | On request | 100% (if the mask is correct) |
Copyright © 2017-2018 LostMyPass.com
