The password discovery and cracking approach described in the article isn’t new, but it is indeed used by several security and intelligence services to apprehend criminals.
A Kind Word—and a Gun
Of course, law enforcement starts with persuasion. “You’re not leaving until you unlock your phone,” they tell the detainee, sliding over a document that states in black and white that “the bearer is authorized to inspect the contents of mobile devices.” What the document doesn’t say is that the detainee is required to unlock their phone. That doesn’t stop the authorities from brazenly claiming a power they don’t actually have.
Hard to believe? Not really: the latest case happened just the other day. Sidd Bikkannavar, a U.S. citizen who works at NASA, was detained at the border while entering the country; with a “kind word and a gun,” he was persuaded to unlock his corporate smartphone.
Yes, you’re not required to testify against yourself or hand over your passwords. That principle is vividly illustrated by yet another case: a suspect in a child pornography investigation has been jailed for 16 months for refusing to disclose the passwords to his encrypted drives. Presumption of innocence? Never heard of it.
Still, you can’t apply those measures all the time or to everyone. You can’t throw a petty scammer, a romance fraudster, or just someone hoarding music “for later” in jail without solid evidence—any more than you can a serious criminal with money and lawyers. You still have to decrypt the data and crack the passwords. And while in cases involving major crimes and national security threats (terrorism) experts’ hands are untied and there are virtually no constraints (financial or technical), in the remaining 99.9% of cases the examiner is tightly constrained by the lab’s available computing power and by strict time limits.
What about Russia? At the border they don’t force you to unlock your devices yet, but… I’ll quote an expert who specializes in extracting data from detainees’ phones and computers: “The most effective way to get the password is to phone the investigator.”
What’s Possible in 45 Minutes? What About Two Days?
Movies aren’t always wrong. At one expo, a man walked up and I immediately pegged him as a precinct commander: big, bald, and Black. His badge confirmed it. “I’ve got about two hundred of these… iPhones at the station,” he opened right away. “What can you do in 45 minutes?” I’d never had a question framed like that before. Back then (three years ago), phones without fingerprint scanners were still common, the Secure Enclave had only just appeared, and jailbreaking usually wasn’t a problem. But the question stuck with me like a splinter. Really, what can you do in 45 minutes? Technology moves on, defenses get tougher, and the police don’t get any more time.
In low-stakes cases where a user’s phone or computer is seized “just in case” (say, after a disorderly conduct arrest), investigators typically lack the time, energy, and often the specialized staff to break the passcode. Can’t unlock the phone in 45 minutes? They move on to more traditional forms of evidence. If they fought to the bitter end over every encrypted device from every petty offender, there’d be no resources left for anything else.
In more serious cases—when the suspect’s computer is also seized—investigators may step up their efforts. The resources allocated to cracking it will depend on the country, the severity of the offense, and how critical the digital evidence is.
In conversations with police from various countries, the figure “two days” came up most often, with the understanding that the job would run on an existing cluster of a few dozen machines. Two days to crack passwords protecting, say, BitLocker volumes or Office 2013 documents—doesn’t that seem too short? Turns out, it isn’t.
How they do it
Law enforcement has had password-extraction tools for a long time, but only recently have they learned to use them effectively. For example, they’ve always been interested in passwords they could pull from a suspect’s computer, but early on they did it by hand, then with single-purpose utilities that might retrieve only an ICQ password or only Outlook account passwords. In the past few years, though, they’ve moved to all‑in‑one tools that scan the hard drive and the Windows Registry and dump all discovered passwords to a file.
In many cases, police turn to private forensic labs—for both routine work and high‑profile investigations (a not‑so‑subtle nod to the San Bernardino case). These private firms are willing to use decidedly “hackerish” methods: as long as the original data isn’t altered and no traces of tampering are left, the way a needed password was obtained doesn’t really matter. In court, an expert can invoke trade‑secret protections and refuse to disclose the technical details of the break‑in.
Real-World Stories
Sometimes you have to move fast: the bottleneck isn’t resources, it’s time. In 2007 our lab got a case about a missing 16-year-old. The parents had contacted the (then) militsiya—the police—who brought us the teen’s laptop. It was password-protected, and we couldn’t spend months brute-forcing it. We worked in parallel: created a disk image, started a Windows password attack, and searched the disk for stored credentials. Using Elcomsoft Internet Password Breaker, we recovered the email password. There wasn’t anything useful on the computer itself, and nothing in the inbox helped directly, but the mailbox let us reset the ICQ password. The chat history with friends revealed which city the teen had gone to and who they were staying with. It ended well.
But not every story has a happy ending. A few years ago, a French private investigator reached out to our lab. The police had asked for his help: a well-known athlete had gone missing. He’d flown to Monaco, and the trail went cold after that. The investigators had his computer. Examining the drive, they found iTunes and the iCloud Control Panel, which suggested he used an iPhone. They tried accessing iCloud: the password was unknown, but an authentication token extracted from the iCloud Control Panel worked.
Unfortunately, as is often the case, the cloud backup contained no clues about his whereabouts, and it had been created roughly six weeks earlier. A careful review of the system turned up the email password—saved in Notes, the classic “yellow sticky note” approach. They logged into his email and found a hotel reservation. The police moved quickly… Sadly, the story ended badly: the athlete was found dead.
Let’s get back to our two-day hacking window. What can you actually accomplish in that time?
How Useful—or Useless—Are Strong Passwords?
I’m sure you’ve heard countless tips on picking a “strong” password: minimum length, letters and numbers, special characters… But how important is that really? And will a long password actually protect your encrypted volumes and documents? Let’s find out!
Let’s start with a bit of theory. No, we’re not going to trot out the mantra about long, complex passwords again, and we’re not even going to tell you to use a password manager. Let’s just look at two images:


As you can see, the brute‑force rate for BitLocker volumes is only about 860 passwords per second when using hardware acceleration with an NVIDIA GTX 1080 (which is actually quite fast). For Microsoft Office 2013 documents, the number is higher—around 7,100 passwords per second. What does that mean in practice? Roughly this:

On a very fast machine with hardware acceleration, a five-character alphanumeric password can be cracked in a day. If that same five-character password includes even one special character (punctuation, #$%^, etc.), cracking it would take two to three weeks. But five characters is too short. The average password length today is eight characters, and that’s already well beyond the computing power of even the most capable clusters available to law enforcement.
Still, most passwords do get cracked—and usually within two days or even faster—regardless of their length or complexity. How is that possible? Are the police, like in the movies, guessing the suspect’s dog’s name and his daughter’s birth year? No. The reality is simpler and more effective when you look at statistics rather than one-off cases. From a statistical standpoint, it’s more efficient to use approaches that work for the majority of targets, even if they don’t pan out in a specific case.
How many passwords do you have?
I did the math: I have 83 unique passwords. How unique they truly are is a separate conversation; for now, let’s just note it’s 83. The average user has far fewer. Surveys show the average English‑speaking user has 27 online accounts. Can such a person remember 27 unique, cryptographically strong passwords? Statistically—no. Roughly 60% reuse about a dozen passwords with small tweaks (password, password1, and, if the site insists on something long and “complex”, Password1234). Intelligence agencies shamelessly exploit this.
If you have access to a suspect’s computer, extracting a dozen or two passwords is just a matter of technique and a few minutes’ work. For example, you can use Elcomsoft Internet Password Breaker, which pulls saved passwords from browsers (Chrome, Opera, Firefox, Edge, Internet Explorer, Yandex) and email clients (Outlook, Thunderbird, and others).
You can simply browse through the password stores, or click Export—within seconds, all available passwords from all supported sources will be extracted and saved to a text file (duplicates removed). That text file becomes a ready-made wordlist, which can then be used to crack the passwords protecting files with strong encryption.

Suppose we have a file named P&L.docx extracted from a user’s computer, along with a list of their passwords from several dozen (or even hundreds of) accounts. We can try those passwords to decrypt the document. Pretty much any password‑cracking tool that supports the MS Office 2013 document format will work. We typically use Elcomsoft Distributed Password Recovery.
The attack unfolds in three phases. In the first phase, we simply use the wordlist as-is.

This step takes a fraction of a second; the odds of success right then and there are about 60% for an average user (not a hacker, IT pro, or cybercriminal).
Second phase: use the same wordlist of the user’s passwords, but append numbers from 0 to 9999 to the end of each entry.

Finally, the third phase uses the same document and the same wordlist, but runs variations (“mutations” in EDPR terminology). The screenshot shows the list of available mutations:

It’s tempting to enable all of them, but there’s little practical benefit. It’s better to analyze how a specific user chooses passwords and what variations they actually use. Most often that means one or two uppercase letters (a medium-strength case/capitalization variation), one or two digits inserted anywhere in the password (a medium-strength digit variation), and a year, typically appended to the end (a medium-strength year variation). That said, at this stage it’s still worth reviewing the user’s passwords and taking into account the variations they personally use.
In phases two and three, about one in ten passwords typically gets cracked. For an average user, the overall chance of decrypting the document is around 70%; the attack takes virtually no time, and password length and complexity make no difference whatsoever.
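The three phases above are easy to reproduce for a self-audit of your own password habits (the article’s closing advice). The following Python is an added example and not code from the article or from Elcomsoft: the exported wordlist is constructed, and the “encrypted document” is replaced by a salted PBKDF2 hash that stands in for the real Office key derivation, so everything runs offline. The mutation set is the medium-strength one the text recommends (one or two letters uppercased, one or two digits inserted anywhere, a year appended); the exact rule sets EDPR uses are not on the page, so these are assumptions.

```python
"""Three-phase wordlist attack on a constructed stand-in for an encrypted document:
phase 1 uses the exported list as-is, phase 2 appends 0..9999, phase 3 applies mutations."""
import hashlib
from itertools import combinations, product
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Constructed stand-in for what a password exporter would dump from browsers and
# mail clients: the user's own saved account passwords, duplicates removed.
EXPORTED_PASSWORDS = ["summer", "qwerty12", "olga1985", "laptop"]


def make_verifier(secret: str, salt: bytes = b"constructed-salt",
                  iterations: int = 200) -> Callable[[str], bool]:
    """Return a check function for a 'document' protected by `secret`.
    PBKDF2 with a low iteration count is a deliberately cheap stand-in for the
    real document KDF; it only has to behave like an oracle for the demo."""
    target = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)

    def verify(candidate: str) -> bool:
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations) == target
    return verify


def phase1(words: Iterable[str]) -> Iterator[str]:
    """Phase 1: the exported list exactly as-is."""
    yield from words


def phase2(words: Iterable[str], suffix_max: int = 9999) -> Iterator[str]:
    """Phase 2: every entry with a number 0..suffix_max appended."""
    for w in words:
        for n in range(suffix_max + 1):
            yield f"{w}{n}"


def case_variants(word: str) -> Iterator[str]:
    """Medium-strength case variation: the word itself, then one or two letters uppercased."""
    yield word
    letters = [i for i, c in enumerate(word) if c.isalpha()]
    for k in (1, 2):
        for idxs in combinations(letters, k):
            chars = list(word)
            for i in idxs:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def digit_variants(word: str) -> Iterator[str]:
    """Medium-strength digit variation: one or two digits inserted at any position."""
    for pos in range(len(word) + 1):
        for k in (1, 2):
            for digs in product("0123456789", repeat=k):
                yield word[:pos] + "".join(digs) + word[pos:]


def year_variants(word: str, years: Iterable[int] = range(1970, 2018)) -> Iterator[str]:
    """Medium-strength year variation: a four- or two-digit year appended."""
    for y in years:
        yield f"{word}{y}"
        yield f"{word}{y % 100:02d}"


def phase3(words: Iterable[str], years: Iterable[int] = range(1970, 2018)) -> Iterator[str]:
    """Phase 3: each case variant on its own, then combined with a digit or year variation."""
    for w in words:
        for cv in case_variants(w):
            yield cv
            yield from digit_variants(cv)
            yield from year_variants(cv, years)


def run_attack(words: Iterable[str], verify: Callable[[str], bool],
               suffix_max: int = 9999) -> Optional[Tuple[str, str, int]]:
    """Run the phases in order, skipping candidates already tried.
    Returns (phase name, recovered password, candidates tried) or None."""
    words = list(words)
    seen = set()
    tried = 0
    phases = (("as-is", phase1(words)),
              ("numeric suffix", phase2(words, suffix_max)),
              ("mutations", phase3(words)))
    for name, candidates in phases:
        for cand in candidates:
            if cand in seen:
                continue
            seen.add(cand)
            tried += 1
            if verify(cand):
                return name, cand, tried
    return None


if __name__ == "__main__":
    # Constructed targets: reused as-is, reused with a suffix, mutated, and unrelated.
    for secret in ("olga1985", "summer17", "Summer2016", "Tr0ub4dor&3"):
        print(f"{secret!r:16} -> {run_attack(EXPORTED_PASSWORDS, make_verifier(secret), suffix_max=999)}")
```

The `seen` set matters more than it looks: phase 3’s year and digit variants overlap heavily with phase 2’s numeric suffixes, and a real KDF is expensive enough that re-trying duplicates is wasted GPU time. If a password of yours falls to any phase here, it is the reuse pattern, not the length, that gave it away.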
Exceptions to the Rule
If one user protects files and accounts with the same passwords, that doesn’t mean you’ll get lucky every time. For example, in one case a suspect stored passwords as contact names in their phone book; in another, the password list matched the names of encrypted files. In yet another case, files were encrypted using the names of the suspects’ vacation spots. There’s no tool that can automate all such scenarios: even a filename often has to be added to a wordlist by the investigator manually.
Length Doesn’t Matter
When it comes to password length and complexity, most users don’t like to bother. And even if almost everyone did use passwords of maximum length and complexity, it wouldn’t slow down attacks that rely on dictionaries built from data breaches.
If you follow the news, you’ve probably heard about the password database leaks from Yahoo (three times in a row!), LinkedIn, eBay, Twitter, and Dropbox. These services are hugely popular, and in total, tens of millions of accounts were exposed. Attackers did the heavy lifting, cracking the majority of the hashed passwords, and Mark Burnett pulled the breaches together, analyzed them, and drew some fascinating conclusions. According to Mark’s data, there are clear patterns in the passwords chosen by English-speaking users:
- 0.5% use the word “password” as their password;
- 0.4% use the strings “password” or “123456” as their password;
- 0.9% use “password”, “123456”, or “12345678”;
- 1.6% use a top-10 most common password;
- 4.4% use one from the top 100;
- 9.7% use one from the top 500;
- 13.2% use one from the top 1,000;
- 30% use one from the top 10,000.
Mark didn’t go any further, but we extended his approach using a list of the 10 million most popular passwords. According to our data, only 33% of users use passwords from this list, and the attack duration increases by three orders of magnitude.
What can we do with this information? Armed with statistics and a wordlist of the 10,000 most common passwords, you can try to decrypt a user’s files and documents even when you know nothing about the user (or you simply couldn’t access the computer to extract their actual passwords). A basic attack using a list of just 10,000 passwords helps investigators in roughly 30% of cases.
70 + 30 = 100?
In the first part of the article, we used a dictionary built from the user’s own passwords (plus small mutations) to mount the attack. Statistics show this works in about 70% of cases. The second method is to use a top-10,000 password list from online leaks, which, again according to the stats, has about a 30% success rate. 70 + 30 = 100? Not in this case.
Even if a “typical” user reuses passwords, and even if those passwords appear in breaches, there are still no guarantees. Offline data, encrypted volumes, and documents may be protected by completely different passwords; no one has measured how likely that is. In computer crime investigations, you’re also more likely to run into users who don’t fit the “average” mold. So claiming that 30% or 70% of any user’s passwords can be cracked in minutes (a prior probability) isn’t quite accurate. Reporting a 70% success rate after the fact (a posterior probability), however, is fair.
These fast, easily automated, and fairly predictable methods are exactly what law enforcement tends to favor when a “kind word and a gun” doesn’t do the trick.
Is that all?
Of course, it doesn’t stop with the attacks already listed. Custom dictionaries come into play—both popular-password lists and dictionaries for English and local languages. Typically, variations are used; there’s no single standard here. In many cases they’ll also resort to good old brute force: a cluster of twenty workstations, each outfitted with four GTX 1080s, can try about 500,000 passwords per second for the Office 2013 format, and over 2,000,000 per second for RAR5 archives. At those speeds, you can actually get work done.
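To put the per-second rates quoted earlier (860 passwords per second for BitLocker and 7,100 for Office 2013 on one GTX 1080) and the cluster rates just mentioned (500,000 per second for Office 2013, 2,000,000 for RAR5) on a common footing, here is an added worked calculation in Python. It is not from the article; the charset sizes (62 alphanumerics, 95 printable ASCII characters) and the two-day budget are assumptions matching the text, and the figures are exhaustive-search worst cases, which is exactly why the wordlist attacks above are preferred in practice.

```python
"""Exhaustive-search time budgets at the brute-force rates quoted in the article."""
from datetime import timedelta

ALNUM = 62       # a-z, A-Z, 0-9
PRINTABLE = 95   # alphanumerics plus ASCII punctuation

# Passwords per second, as stated in the article (assumed to be sustained rates).
RATES = {
    "BitLocker, 1x GTX 1080":        860,
    "Office 2013, 1x GTX 1080":      7_100,
    "Office 2013, 20 nodes x 4 GPU": 500_000,
    "RAR5, 20 nodes x 4 GPU":        2_000_000,
}
TWO_DAYS = 2 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this length at `rate` per second."""
    return keyspace(charset_size, length) / rate


def fits_budget(charset_size: int, length: int, rate: float, budget_s: float) -> bool:
    """True if the whole keyspace can be searched within the time budget."""
    return seconds_to_exhaust(charset_size, length, rate) <= budget_s


def max_length_within(charset_size: int, rate: float, budget_s: float) -> int:
    """Longest password length whose full keyspace fits in the budget."""
    length = 0
    while fits_budget(charset_size, length + 1, rate, budget_s):
        length += 1
    return length


if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"{name}:")
        for charset, label in ((ALNUM, "alnum"), (PRINTABLE, "printable")):
            for length in (5, 6, 8):
                t = timedelta(seconds=seconds_to_exhaust(charset, length, rate))
                print(f"  {label:9} len {length}: {t}")
            print(f"  {label:9} longest length exhaustible in two days: "
                  f"{max_length_within(charset, rate, TWO_DAYS)}")
```

Read the output against the article’s claims: five alphanumeric characters on one GPU take a little over a day at the Office 2013 rate, the same length drawn from the full printable set takes about two weeks, and eight alphanumerics are out of reach even for the cluster. The two-day budget buys one extra character of exhaustive search on the cluster, nothing more.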
Naturally, account passwords extracted from a suspect’s computer don’t always help decrypt files or encrypted containers. In such cases, police don’t hesitate to use other methods. For example, in one case investigators ran into encrypted data on laptops where the system drives were protected with BitLocker Device Protection paired with a TPM 2.0 module.
Attacking this protection head-on is pointless; there’s no user-set password to target. What helped was analyzing another device the user had signed into with the same Microsoft account. After recovering that Microsoft account password, decrypting the system drive was just a matter of routine. In another case, data from the encrypted laptops was found on a server in the clear.
How to protect yourself? Start by auditing your passwords. Try to reproduce everything we demonstrated. If you can crack the password to a document, archive, or encrypted volume in a few minutes, take the hint and fix it. If you can’t, remember there’s always social engineering.