brianhoskins.uk

rarcrack review

rarcrack

I stumbled across a little program called rarcrack yesterday, which provides brute-force cracking of password protected archives.  I decided to give it a try and make some general observations about it.

An example

To set up an example, I created a .rar with a 5 character password.  The password consists of upper-case letters, lower-case letters, and numerals.  rarcrack does not know ahead of time how many characters the password is, so it has to try all possible combinations.  I set the cracker going, and left it for a while. The next day, over 24-hours later, it was still going and had not cracked the password.  Here’s a sample of the program output this Morning:

Probing: '6tgvK' [1296 pwds/sec]
Probing: '6thwV' [1305 pwds/sec]
Probing: '6tiyi' [1309 pwds/sec]
Probing: '6tjzn' [1303 pwds/sec]
Probing: '6tkAt' [1304 pwds/sec]
Probing: '6tlBu' [1302 pwds/sec]

 So it seems that it has started on 5 character passwords, having completed 4 character combinations.  But it is still working through the 5 character combinations and I can see that it hasn’t got to mine yet because it does numerals first and my password started with a letter.

Some Calculations

Okay, so given the above information, how long can we expect rarcrack to take to crack a 5 character password? The speed is ~1300 attempts per second.  That seems really low to me, but I assume it has something to do with the overhead associated with accessing the .rar file.  Otherwise I would expect a PC as powerful as mine to make a lot more attempts per second than that.

Let’s do some calculations.

How many characters?

We have 26 lower-case letters, + 26 upper-case letters, + 10 numerals =

62 possible characters.

How many combinations?

Easy.  62^5 = 916,132,832.

Best case scenario

The best case scenario is that rarcrack finds the password on its very first attempt at a 5 character word.  That scenario is 62^4 + 1 attempts = 14,776,337 attempts.

14,776,337 ÷ 1300 ÷ 3600 = 3.2 hours.

Worst case scenario

The worst case scenario is that rarcrack finds the password on its very last attempt at a 5 character word.  That scenario is 62^5 = 916,132,832 attempts.

916,132,832 ÷ 1300 ÷ 3600 = 195.7 hours, or 8.1 days!!!

It gets a lot worse very quickly from here!

Okay, so what happens if we add more characters? The situation gets a lot worse very quickly.  Here’s some worst case scenarios for some more characters:

[table id=3 /]

You can see that even an 8 character password takes over 5,000 years to crack.  Wowsers.

A little harsh?

Okay, maybe we’re being hard on rarcrack.  What if we were foolish, and we set a password consisting of only lower-case letters? The worst case for an 8 character password would then be:

26^8 ÷ 1300 ÷ 3600 = 44,621 hours.  Or 5.2 years.

Still a very, very long time.

Conclusion

rarcrack is an interesting program, but at the current speeds I can achieve with it the program is useless except for passwords consisting of 5 or less characters.

 

Brian J Hoskins

,

Leave a Reply

Your email address will not be published.