[Review] ZIP RAR ACE Password Recovery

Giveaway of the day for March 9, 2009 is:

ZIP RAR ACE Password Recovery

Version Reviewed:

1.73.02

Software description as per GOTD:

ZIP RAR ACE Password Recovery is a program to recover lost or forgotten passwords on ZIP, RAR and ACE archives.

Features:

  • The program has a convenient user interface;
  • The program can work with archives containing only one encrypted file;
  • RAR Archives (All versions including v3.x) are supported;
  • RAR Archives with encrypted Filenames supported;
  • Multi-volume RAR archives are supported;
  • ZIP Archives support;
  • ACE Archives support;
  • Self-extracting archives are supported;
  • Archives created by various software packages are supported;
  • The program is very customizable: you can set the password length, the character set to be used to generate the passwords, mask character, and a couple of other options;
  • You can select the custom character set for brute-force attack (non-English characters are supported);
  • Brute-Force attack;
  • The “brute-force with mask” attack (with custom mask character) is available;
  • Dictionary-based attack is available;
  • Autosave password search state and resume after a stop or a crash;
  • Extract tool for ZIP, RAR and ACE archives;
  • The maximum password length is not limited;
  • CPU Priority control is available;
  • Full Skinning Support.


The good:

  • Has brute force and dictionary attack.
  • Ability to add a ‘mask’ to help with brute force attack.
  • Supports ZIP, RAR, ACE and SFX archive files.
  • Supports multi-volume RARs.
  • You can drag + drop files into the program.
  • You can save your ‘attack’ and start from that point again later.
  • Fairly straightforward.


The bad:

  • Relies too much on brute force attack.
  • Interface is a bit too cluttered.


Scores:

  • Features as Described: 10. I did not find a feature that did not work as claimed by the developer.
  • Ease of Use: 10. Literally point, click and wait.
  • Performance: 7. The actual performance of this program depends on the password of the archive you are trying to recover. However, I feel this program depends too much on brute force.
  • Usefulness: 6. Nowadays, with everyone moving off the standard password protect to encryption, this program is not going to be very useful except for maybe old archives.
  • Arbitrary Equalizer: 7. This category reflects an arbitrary number that does not specifically stand for anything. Rather, this number is used to reflect my overall rating/verdict of the program, in which I considered all the features and free alternatives.

Verdict: thumbs up

Just got home from work (yes I work; how else to pay the bills?) and thought I should write up this review before I get angry people threatening me with pitchforks (that’s a joke). Update: While I was dilly-dallying, Jean, a frequent visitor to dT, was kind enough to spend the time to write his/her own review on ZIP RAR ACE Password Recovery. You are welcome to read it along with my review below: click here please to access Jean’s review (it is in .DOC format).

Okay, so registration and installation went fine, as they usually do.

ZIP RAR ACE Password Recovery is a program that is supposed to help you recover passwords from your files (obviously it can also be used to recover the password from files belonging to other people). The program is actually quite simple: it relies heavily on brute force attack but it also has an extra single word dictionary attack. Brute force can be supplemented with a ‘mask’ that helps you minimize how many characters the program has to guess. However there is one thing to note: this program is meant to help break files that are protected with simple, low-level, easily breakable password protection. This program does not work on encrypted files and no one should expect it to because if a program like this could break encryption then encryption would be pretty useless.

This is what the program looks like:

[Screenshot: 2009-03-09_152012]

The interface looks a bit more overwhelming than it should in my opinion. I would have liked to see all the buttons from “Open” to “Exit” moved up into the menu bar; also move the “Minimize to Tray” and “Priority” out of the main program window and into the menu bar. Lastly, only show “Mask” and “Dictionary” if those options are selected. This will help cut down on the feeling of “wow how do I work this program”.

So anyway, ignoring how overwhelming the interface is, the program is actually very simple to use. You can either manually browse for the file you want to try to recover the password to or you can drag + drop the file into the program and it will be automatically detected. You can try to recover the password from the following file types:

[Screenshot: 2009-03-09_153157]

Once you have chosen the file you want to ‘attack’, you must decide what type of ‘attack’ you want to do:

[Screenshot: 2009-03-09_153541]

As you can see there are only three types:

  • Brute-force – this type of attack is literally what it sounds like. It will go through and try possible password combinations and will keep trying password combinations until one is found that works. If you choose brute force, you will also have to decide what character set you want the program to create its password combinations out of:

[Screenshot: 2009-03-09_153749]

So if you know that the password of the file you are trying to recover consists of lowercase letters and numbers, leave the character set at “Latin” and “Digits”. That way the program will go through and try all lowercase letter and digit combinations until it finds the right one. If you know that the password also includes capital letters, check “Caps latin” also. The more character sets you have, the longer it will take for the program to find the right password.

Additionally, when you choose brute force, you have the ability to set the “starting point” of the brute force attack:

[Screenshot: 2009-03-09_154604]

For example, if you know the password you are trying to recover is 4 characters in length, you can set the “Minimal Length” to 4 so only passwords with 4 characters or more will be tried. That helps you save time.

  • Mask – mask is actually just a supplement to brute force. With mask you have the ability to define certain characters of the password, which helps cut down on the password combinations that the program has to try. For example, you know that the password of the file you are attacking starts with the word “friend” and has 3 numbers at the end. However, you don’t know what these three numbers are. With mask you can define “friend” and have the program try to figure out the end 3 numbers:

[Screenshot: 2009-03-09_155019]

The mask does not have to be at the end of the word. It can also be in the middle. For example you know a password starts with “x” and ends with “52” but you don’t know the three middle characters. You just set the mask to “x???52”:

[Screenshot: 2009-03-09_155159]

Using a mask helps cut down on the password combinations the program has to try, which cuts down on the amount of time you must run the attack for. For example, keeping with the example above, let’s say the password you are trying to recover is “xtwo52”. Without the mask the program would have to run all possible password combinations until it found xtwo52. However, with the mask, the program only has to run password combinations of the three middle characters since it already knows the beginning and end. The program will find 3 characters much faster than it will find six. Note that the program still uses brute force when you select the “Mask” recovery type, so everything with brute force still applies to “Mask” (bar “Minimal Length”, but you define your password length with mask anyway).

  • Dictionary – this type of attack is the one that is different from brute force. What happens here is that there is a ‘dictionary’ file that contains words in it (I am talking about the default dictionary file that comes with the program; you can always create your own if you want). The program tries all these words one by one to see if they are the password of the file you are attacking. It really is as simple as that. Note that it only tries single words, so you will not be able to break something like “movingcar” with dictionary attack because “movingcar” is not a real word but rather the combination of two. The dictionary attack is actually where I suggest there be improvements made with this program. I really would like the developer to try word combinations instead of just using single words. If the developer would do that, it would help lower the dependence on brute force and make password recovery faster because many people do combine words as their passwords.

Note that with dictionary attack you don’t have to choose character sets. With dictionary attack all you do is choose the dictionary file you want to use:

[Screenshot: 2009-03-09_160236]

The default dictionary file (the only one that comes with this program) is already selected so you really don’t even have to worry about that unless you are changing which file you want to use.

Once you have chosen your recovery/attack type, you are ready to do the recovery. Just hit the [button image: 2009-03-09_160414] button to start the recovery process. The progress of the recovery/attack can be monitored via the “Status” portion of the program window:

[Screenshot: 2009-03-09_161202]

The amount of time you wait until the password is recovered depends on what type of recovery/attack you used and the length/complexity of the password you are trying to recover. To put it into perspective: last night when I was writing this review I started a recovery process on a ZIP whose password was “movingcar”. I accidentally fell asleep while writing the review (which is why I am just publishing it now) but the password recovery was still left on. When I woke up I noticed that the password recovery was still running. To be exact, the password recovery had been running for 4.5 hours (on normal priority) and it was only up to 5-character combinations, meaning that it had only tried 1-4 character combinations and was trying all the 5-character combinations now. 4.5 hours with only the “Latin” and “Digits” character sets. If I had more character sets it would have taken even longer. It is safe to say it would have been hours, maybe even days, before the program found “movingcar” as the right password because of how long it was. Of course, if I had set the character set to just “Latin” and removed “Digits”, the process would have gone faster, but I just wanted to get the point across that password recovery can take a long time. A very long time.
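To put numbers on the points above about character sets, masks and two-word passwords, here is an added example (not part of the original review or of the program) that counts how many candidates each attack type has to cover. The contents of the character sets, the 20,000-word dictionary size and the guess rate are assumptions.

```python
import string

# Character sets named after the program's checkboxes; their exact contents are assumed.
CHARSETS = {
    "Latin": string.ascii_lowercase,
    "Caps latin": string.ascii_uppercase,
    "Digits": string.digits,
}


def alphabet_size(selected):
    """Number of distinct characters across the selected character sets."""
    return len(set("".join(CHARSETS[name] for name in selected)))


def brute_force_keyspace(selected, min_len, max_len):
    """Candidates tried when every length from min_len to max_len is exhausted."""
    n = alphabet_size(selected)
    return sum(n ** length for length in range(min_len, max_len + 1))


def mask_keyspace(mask, selected, mask_char="?"):
    """Only the masked positions vary; the known characters cost nothing."""
    return alphabet_size(selected) ** mask.count(mask_char)


def word_pair_keyspace(dictionary_words):
    """Ordered two-word combinations such as 'moving' + 'car'."""
    return dictionary_words ** 2


def worst_case_hours(candidates, guesses_per_second):
    """Hours needed to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second / 3600


if __name__ == "__main__":
    rate = 1_000         # assumed guesses per second, not measured from the program
    dict_words = 20_000  # assumed dictionary size
    cases = {
        "brute force, Latin+Digits, length 1-6": brute_force_keyspace(["Latin", "Digits"], 1, 6),
        "mask x???52, Latin+Digits": mask_keyspace("x???52", ["Latin", "Digits"]),
        "mask friend???, Digits": mask_keyspace("friend???", ["Digits"]),
        "brute force, Latin, length 9 only": brute_force_keyspace(["Latin"], 9, 9),
        "two dictionary words": word_pair_keyspace(dict_words),
    }
    for label, count in cases.items():
        print(f"{label:40s} {count:>20,d} candidates  {worst_case_hours(count, rate):>16,.1f} h")
```

Under these assumptions, a nine-letter password built from two dictionary words sits in a search space roughly four orders of magnitude smaller than nine random lowercase letters, so length alone says little about how well a password holds up.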

While the password recovery/attack is running you have the choice of giving the program more or less processor priority which will make the program work faster or slower respectively:

[Screenshot: 2009-03-09_161529]

For perspective, at “Normal” my CPU usage was ~50%. I run on Dual Core Duo.

You also have the choice of minimizing the program window to system tray:

[Screenshot: 2009-03-09_161628]

When the password is found, a window will popup telling you so and will tell you what the password is:

[Screenshot: 2009-03-09_011344]

If you have the program minimized to system tray you won’t get the window popup until you open the program again, but you will be informed of when the password is found via a popup balloon from the system tray icon:

[Screenshot: 2009-03-09_013756]

In addition to all mentioned above, you have the ability to ‘save’ your recovery/attack and start it up again from the same spot later. Just hit [button image: 2009-03-09_163941] and choose the name and location of your project file. Now whenever you open up the project file and resume the recovery/attack, as long as you don’t change anything in the “Start From” box, the recovery/attack will resume with the password combinations it left off at, so you don’t have to start over from the beginning. This feature is pretty handy if password recovery/attack can take a long time and you need to use the computer in between.

Lastly, here are the “Settings” for this program:

[Screenshot: 2009-03-09_164208]

So overall I am giving this program a thumbs up simply because I can’t find a big enough reason for me to give it a thumbs down. However, the main changes I would like to see in this program to improve it are algorithm changes. In addition to the dictionary changes I mentioned above, the developer should do some research as to the most commonly used characters, or character combinations, or passwords, or such and create an algorithm to test those first instead of just throwing everything on brute force. I understand that it may take a lot of effort and money, but you know what, that is what makes one program shine over the other. The research and information is definitely out there – it is just a matter of finding it.

Before I go on, let me state that this type of program will become increasingly obsolete as time goes on because everyone is moving away from simple password protection (the type that is very susceptible to these types of programs) and to encryption which is a lot more secure and can’t be broken by programs like ZIP RAR ACE Password Recovery. So enjoy this program while you can.

As mentioned above, I am giving this program a thumbs up because I can’t really find a reason not to give it a thumbs up. However, again as I mentioned above, there are some changes I would like the developer to make, mainly focused on improving the algorithm used by this program so that the program depends less on brute force (which can take a really long time) and more on intelligent recovery, if you get what I mean. As for if I recommend this program or not: I say download it and keep it (it is not a very big program in terms of size) in case you need it in the future. However, before using it on a password protected archive ask yourself this question: Is the information in that archive worth the amount of time I will have to run the recovery process to attain the password? Remember the amount of time depends on how long and complex the password is. The longer and more complex it is, the longer it will take. The time it takes can go into days very easily. Lastly, if you are still using plain old password protection for your archived files, let this program be a reminder that you should move to encryption! Download 7zip and use that to create your archives (you can encrypt as opposed to just password protect).