I stumbled across a little program called rarcrack yesterday, which provides brute-force cracking of password-protected archives. I decided to give it a try and make some general observations about it.
To set up an example, I created a .rar with a 5-character password. The password consists of upper-case letters, lower-case letters, and numerals. rarcrack does not know ahead of time how long the password is, so it has to try all possible combinations. I set the cracker going, and left it for a while. The next day, over 24 hours later, it was still going and had not cracked the password. Here’s a sample of the program output this morning:
Probing: '6tgvK' [1296 pwds/sec]
Probing: '6thwV' [1305 pwds/sec]
Probing: '6tiyi' [1309 pwds/sec]
Probing: '6tjzn' [1303 pwds/sec]
Probing: '6tkAt' [1304 pwds/sec]
Probing: '6tlBu' [1302 pwds/sec]
So it seems that it has started on 5-character passwords, having completed the 4-character combinations. But it is still working through the 5-character combinations, and I can see that it hasn’t got to mine yet because it does numerals first and my password started with a letter.
Okay, so given the above information, how long can we expect rarcrack to take to crack a 5 character password? The speed is ~1300 attempts per second. That seems really low to me, but I assume it has something to do with the overhead associated with accessing the .rar file. Otherwise I would expect a PC as powerful as mine to make a lot more attempts per second than that.
Let’s do some calculations.
How many characters?
We have 26 lower-case letters + 26 upper-case letters + 10 numerals = 62 possible characters.
How many combinations?
Easy. 62^5 = 916,132,832.
Best case scenario
The best case scenario is that rarcrack finds the password on its very first attempt at a 5 character word. That scenario is 62^4 + 1 attempts = 14,776,337 attempts.
14,776,337 ÷ 1300 ÷ 3600 = 3.2 hours.
Worst case scenario
The worst case scenario is that rarcrack finds the password on its very last attempt at a 5 character word. That scenario is 62^5 = 916,132,832 attempts.
916,132,832 ÷ 1300 ÷ 3600 = 195.7 hours, or 8.1 days!!!
It gets a lot worse very quickly from here!
Okay, so what happens if we add more characters? The situation gets a lot worse very quickly. Here are some worst-case scenarios for longer passwords:
| Num Characters | Hours to crack | Days to crack | Years to crack |
You can see that even an 8 character password takes over 5,000 years to crack. Wowsers.
A little harsh?
Okay, maybe we’re being hard on rarcrack. What if we were foolish, and we set a password consisting of only lower-case letters? The worst case for an 8 character password would then be:
26^8 ÷ 1300 ÷ 3600 = 44,621 hours. Or 5.2 years.
Still a very, very long time.
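The calculations above can be reproduced for any length, character set and speed with the short script below. It is an added example, not part of the original post or of rarcrack. It also goes one step beyond the post by counting the shorter lengths tried first and by estimating when a specific candidate is reached. The character order (digits, lower-case, upper-case) and the shortest-first, counter-style enumeration starting at one character are assumptions inferred from the sample output, not taken from rarcrack's source.

```python
import string

# Assumed enumeration order (digits, then lower-case, then upper-case), inferred
# from the sample output in the post; not taken from rarcrack's source.
CHARSET = string.digits + string.ascii_lowercase + string.ascii_uppercase
RATE = 1300  # passwords per second, the speed observed in the post


def keyspace(length, base=len(CHARSET)):
    """Number of candidate passwords of exactly `length` characters."""
    return base ** length


def attempts_through(length, base=len(CHARSET)):
    """Candidates of every length from 1 up to `length` (cumulative worst case)."""
    return sum(base ** n for n in range(1, length + 1))


def attempts_until(password, charset=CHARSET):
    """1-based position of `password`, assuming lengths are tried shortest first
    and each length is enumerated like a counter over `charset`."""
    base = len(charset)
    rank = 0
    for ch in password:
        rank = rank * base + charset.index(ch)
    return attempts_through(len(password) - 1, base) + rank + 1


def hours(attempts, rate=RATE):
    """Convert a number of attempts into hours at `rate` attempts per second."""
    return attempts / rate / 3600


def worst_case_table(lengths, base=len(CHARSET), rate=RATE):
    """Rows of (length, hours, days, years) using the post's model: base**length
    attempts at `rate`, ignoring the shorter lengths tried first."""
    rows = []
    for n in lengths:
        h = hours(keyspace(n, base), rate)
        rows.append((n, h, h / 24, h / 24 / 365))
    return rows


if __name__ == "__main__":
    for n, h, d, y in worst_case_table(range(5, 11)):
        print(f"{n:>2} chars  {h:>18,.1f} h  {d:>16,.1f} d  {y:>14,.1f} y")
    print(f"26^8 lower-case only: {hours(keyspace(8, 26)):,.0f} h")
    print(f"reach '6tgvK': {hours(attempts_until('6tgvK')):.1f} h")
```

Under these assumptions the first candidate in the sample output, '6tgvK', is reached after roughly 23.6 hours at 1300 attempts per second.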
rarcrack is an interesting program, but at the current speeds I can achieve with it, the program is useless except for passwords consisting of 5 or fewer characters.