ph33r my l33tn3ss

Ok, this is kind of embarassing... About nine years ago, it seems that I PGP-encrypted some of my archived mail files (maybe because the files were on computers at work? I don't remember doing it, let alone why.) Anyway, I can't remember the passphrase, and it's not in /usr/dict/words. Chances are I picked a moderately-good password, and possibly even a long one.

What tool should I use to brute-force it?

I found a program called "pgpcrack" by Mark Miller, but it wants to be given a list of every passphrase to try. I think I need something more brutish than that.

Tags: , , , ,
Current Music: Elastica -- 2:1 ♬

49 Responses:

  1. Can't John the Ripper be told to spit out a list of attempts without actually dealing with a password file directly? I seem to recall that...

    Anyway, feed that to pgpcrack.

    • jwm says:


      A glance at the manpage says "no", but you can buy CDs of wordlists from their website, or download reduced words lists from their mirrors.


      • Oh, sheesh. The damn wordlists are in there somwhere, dammit. (They may be in Berkeley DB format or something, though.)

      • Oh, wait, JtR is the one that builds its wordlists from your local /usr/dict/words, contents of the GECOS fields in /etc/passwd, and anything else you feed it upon install, isn't it? I must have been thinking of something else...

        Well, it still might be possible to feed it a reasonable corpus (like, say, the rest of <lj user=jwz>'s mail archive) and then extract the wordlist from its DB format, but that's a bunch of stupid work.

        • jwm says:


          That's the one. Personally, I'd snag an 11Mb wordlist from their mirror and see if pgpcrack likes it before breaking out the perl.


          • jwz says:

            Looks like pgpcrack gets false positives; with the 11Mb file, it will often come up with a dozen results, none of which actually work (pgp itself starts decrypting then gets an error part way through.)

            Meanwhile I'm sitting here trying to remember every password I've ever used. Gaah, this is so frustrating!

    • rbeef says:

      john -incremental -stdout

      pipe that to pgpcrack

  2. Um... you do still have the private key, right? Because if not, you're really screwed...

  3. geektalk says:

    If you try every combination of letters and digits (62 possible characters), up to 8 characters, that's 222 trillion combinations. I think that it would be fairly slow to test, so lets figure 1,000,000 attempts per second.

    That's 7 years to run through all the combinations, for an average of 3.5 years to break open the file.

    If you don't have some list of less-brutish passphrases to start from, you might be looking at a pretty tough task...

    • geektalk says:

      Oh, just passphrase encryption might be orders of magnitude faster, so maybe nevermind.

    • lars_larsen says:

      Yeah, I lost the passphrase to an SSL cert once. I tried to brute force it. Then I did the math and figured out it would take years. Its absolutely pointless. I just had to pay for a new cert.

  4. suppafly says:

    hopefully someone from the cia or fbi will read this post and help you out..

  5. eqe says:

    Unless you can restrict the charset, you're fucked. You're contemplating trying every string <15 characters matching [a-zA-Z0-9]* (probably plus some punctuation); call it 68^15 or around 2^90 possible combinations.

    The folks at solve a similar problem for MD5 on [a-z0-9]* N<=8 and are pushing the limits of what's reasonable. According to a mailing list post, some French researchers did 2^50 hash evaluations in 20 days on 160 Itanium processors, so multiply that by 2^(90-50) = 1099511627776 and you're looking at... 60 million years on 160,000 CPUs. (Assuming you can answer "is this the right passphrase?" just as quickly as their MD5 hash.)

    So the problem becomes, how do you generate a stream of possible passphrases to feed to pgpcrack. I dunno what the answer is, but whoever comes up with a serious result in this area is going to be famous.

    • He's already suggested that we can restrict the search space to Real English Words, give or take some l33t speak, which narrows things significantly. The way may still be months, but that might be worth it.

    • granting says:

      Their MD5 hash crack was based on a birthday attack, which invalidates it for finding a password.

  6. strdup says:

    Hey, the passphrase is in your brain somewhere...

    Get hypnotized?

  7. naturalborn says:

    That's what you get for not using 2-rot-13.

  8. enceladus says:

    That's what you get for using that inferior UNIX. Had you just used Windows, this problem could have been avoided. I present you with my two main reasons why this would not have happened with Windows.

    1) The PGP implementation on Windows would have had a major flaw in the way it encrypts thus making it easy enough for a 3rd grader to crack the password.

    2) You wouldn't have the archives in the first place. they would have been lost to a virus through either corruption or a late night reinstall fest.

  9. jabber says:

    This might be a silly question, but, have you checked the under-side of your keyboard for a post-it note with the password on it?

  10. dominobutter says:

    this is an opportunity for you to create a new xscreensaver module to distribute the brute-force attack.

    i've got plenty of spare CPU cycles i'd send your way.

  11. a_lad_inane says:

    Try "dioisgod1984".

  12. granting says:

    I need more detail please. Did you use PGP Disk File 4.0 or PGP Secret Key Ring?

  13. granting says:

    Oh, or is it PGP Disk 4, 5, or 6?

    • jwz says:

      "PGP 2.6.3ia, 1996-03-04 International version." The files were encrypted from emacs crypt.el, which appears to use "pgp +batchmode +verbose=0 -c -f -z".

      Actually these might have been encrypted with a slightly older version of PGP (but not more than a year or two older.)

      • jesus_x says:

        Damnit. I keep forgetting that 8 years ago WASN'T THAT LONG AGO anymore... 1996. I keep forgetting it isn't 1996 NOW...

      • granting says:

        Yeah okay, I do know of a program that will do it... at least the current beta does. I'll have to check on the release version.

        Is price much of an issue?

        • jonabbey says:

          This will be good, thinks I.

          • granting says:

            I know jwz has the money, that does not correspond to him wanting to spend it for this.

            • jonabbey says:

              Oh, I wasn't expressing concern about the money, either. Rather, I was wondering what sort of software you might possibly be able to offer up. The whole point of PGP/GPG is that if you don't know the passphrase, you are very sincerely and intentionally SOL.

              Therefore, and given that no one on the net seems to be saying that they have managed to crack PGP/GPG, I mistrust your ability to come up with something helpful.

              On the other hand, I'd love to know more if you think you know something most techies don't.

              • granting says:

                There is no program to my knowledge that "cracks" PGP. There are programs that will perform an intelligent brute force attack on PGP.

                That's what jwz said he was looking for, and that's what I sent him via e-mail.

                The knowledge level of other techies is not my concern.

        • jwz says:

          Well, I'd want to know what I was buying first and whether it was likely to work any better than the junk I'm already trying...

  14. inoah says:

    This happened to me once (actually I forgot the passphrase to my private key, but the end result was similar). I'd given up, but a couple of years I tried one more time--and it worked!

    It turns out that all along I had mispelled the passphrase, but since I was touch typing I never noticed. I only recovered it by accident.

    So anyway, you might take the passwords you've used in the past and try some qwerty variations.

  15. violentbloom says:

    didn't I tell you the story of how I did that?
    dork. delete the file. You haven't used it in a decade there is nothing there you need.
    by the way I tried all kinds of shit to get the password and nothing worked. but then again I did it back in the mid nineties so maybe there's tools to help more now. The sick part is that I know I was within one or two characters of knowing what password I used. Now of course I use much more complicated weird passwords that I wouldn't even have hope of remembering. Amd actually forgot a bunch of ones for the servers at work over my east coast trip and that was bad.

  16. iota says:

    Keep in mind that PGP passphrases are generally multiple words, so you might want to try combinations of dictionary words, etc. Try to think back, what was on your desk at work when you encrypted that file? Your passphrase might be something like "phone keyboard stack-of-money keys-to-helicopter stock-options-package". You might want to try, I'm sure that everyone there would know who you are and be willing to help.

    Also, this quote from The PGP Passphrase FAQ makes me laugh: "You can't trust Windows 3.x, Windows 95, OS/2, and any other operating system that swaps memory to the hard drive or that uses virtual memory."

  17. armoire_man says:

    I just threw the I Ching for you, and there's an astoundingly pertinent interpretation of the hexagram in the newly updated Baynes/Willhelm interpretation from Bollingen Press:

    Thunder over the lake
    Delete the encrypted file
    It furthers the superior man to move on with life

  18. gwenix says:

    I have a mysql install that I remember the mnemonic for, but not the precise spelling/caps/etc I used for it. Fortunately in my case, I can just use this as an excuse to just reinstall mysql. But alas, you don't have that option.

    OTOH, do you even vaguely remember the passphrase? I'm assuming not given the need for uberbruteforce, but unfortunately that does seem like it might be your best shot. Perhaps make a list of likely things you would have used then, and markov chain play with them for feeding into pgpcrack?