Ottawa PC Users' Group, Inc.
 Product Review 


Advanced Office Password Recovery Professional v3.03
by Chris Taylor

Have you ever password protected a document and felt a cold chill at the thought that you might forget your password? Have you ever actually forgotten a password on a document and had to reconstruct it by hand? Do you support other computer users who forget the passwords on their password-protected documents?

If so, you might want to take a look at ElcomSoft’s Advanced Office Password Recovery (AOPR). There are three versions. I took a look at the one that can deal with the most file types – the Professional version.

AOPR Pro can crack the passwords in just about every Microsoft Office document type: Word, Excel, PowerPoint, Access, Outlook, OneNote, Visio, Publisher, Project, Money, MS Backup, Schedule+, MS Mail, and the content advisor in Internet Explorer.

But how easily can it crack passwords? Well, that depends…

Aside: “that depends” is the correct answer to any computer-related question.

I had a PowerPoint file Microsoft posted for one of their web-based seminars. There was nothing particularly secret about the document, of course. But they had put a password on the ability to modify the file. I was sort of shocked when AOPR Pro found the nine-character, lower-case alphabetic password in less than a second.


Then I tried an Access 2000 database file. I had chosen the password for this file and had given it some degree of complexity – ten characters, with upper- and lower-case alphabetics and numerics. Pretty good, I thought. Well, AOPR Pro cracked that in less than a second.

I was starting to wonder…

So I fired up Word 2003 and created a small amount of text. I clicked on Tools | Options | Security and entered a password of ThePasswrd4Open to open the file. I saved the file and verified that Word would not allow me to open the file unless I entered the correct password.

When AOPR Pro tried to crack the password, it chugged away at the file for a couple of minutes and finally reported that the File Opening Password for this file cannot be recovered instantly. Ah, this seemed a little more reasonable.

I tried my ten-character, upper- and lower-case, plus numerics password (that I had used for the Access database) on the Word 2003 document. AOPR found it in less than a second. However, it reported that it found the password in its password cache. Aha! Lesson one – if a person password-protects more than one document, there is a good chance they will use the same password for all documents. Easier to remember, but if someone cracks your password in one document, they have access to all your documents! When I cleared the cache, AOPR Pro reported that the password could not be instantly recovered.

Lesson two – not all password-protection schemes are created equal. I don’t know the encryption scheme that was used to protect the Access 2000 database, but it was obviously way less effective than the default for Word 2003. In delving into the options available under Word 2003, I found that there are actually ten different options for encryption, such as Office 97/2000 Compatible and RC4, Microsoft Base Cryptographic Provider 1.0.

The AOPR Pro help file was most informative on different Microsoft document encryption schemes. Remember the instantly-found modify password on the PowerPoint file from Microsoft? Well, the AOPR Pro help file says that, while the Password to Open is a Strong Password and can be recovered only by Brute-Force or Dictionary Attack, the Password to Modify can be recovered instantly. I go back to lesson two – even within a single document, encryption schemes to protect different capabilities such as open vs. modify may be of wildly different strengths.

OK, so let’s assume we go with a strong encryption scheme. How safe are your documents? Well, that depends…

AOPR Pro has the ability to do dictionary attacks with good speed. It ships with a dictionary file of almost a quarter million “words”. So, if you use alexandrianism, asdfghjk, qazwsx, qwerty or untranslatableness as your password, AOPR Pro will crack it in less than 2 minutes – even if you use the encryption scheme RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, whatever that is!

AOPR Pro uses plain text files for dictionaries, and there are lots of these files available on the Internet. Besides lots of “normal” dictionaries, you can find specialised dictionary files of hacker lingo, medical jargon, etc.

So if we eliminate weak encryption schemes and weak passwords, are we stuck? Well, that depends…

AOPR Pro can brute force any password, as long as you have enough time. On my desktop – a 2.4 GHz Pentium 4 – AOPR Pro can check over 400,000 passwords per second. If we assume that people are going to use any printable characters (upper- and lower-case alphabet, numerics, and symbols) for their password, that comes to 95 characters. If we look at the possible permutations for passwords and how long it takes at 400,000 passwords per second, we get:

1 character – 95 (instantly)
2 characters – 9,025 (instantly)
3 characters – 857,375 (2 seconds)
4 characters – 81,450,625 (3 minutes)
5 characters – 7,737,809,375 (5 hours 20 minutes)
6 characters – 735,091,890,625 (25 days)

We can see that a 6-character password that is not in any dictionary file, with a strong encryption scheme, is not practical to consider cracking on my computer, right? Well, that depends…

AOPR has the ability to customise a brute force attack. For example, if you know the password does not contain numerics, you can eliminate them. Or, if you know the password contains certain characters, you can use a mask to reduce the number of permutations that must be tried. You can even enter a custom character set to be checked.


Using brute force to recover a password
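
The arithmetic behind the table above, and the effect of narrowing the character set or supplying a mask, as an added example (not part of the original review and not ElcomSoft's code). The `?` mask syntax, the function names and the 8-character sample are assumptions made for illustration; the 400,000 passwords per second rate and the 95-character set are the review's figures.

```python
import string

RATE = 400_000  # passwords checked per second, the figure quoted in the review

# Named character classes; together they are the review's 95 printable characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}
ALL = tuple(CLASSES)

def charset(*names):
    """Alphabet built from the named classes, duplicates removed."""
    return "".join(sorted(set("".join(CLASSES[n] for n in names))))

def keyspace(length, alphabet):
    """Number of candidates of exactly `length` characters."""
    return len(alphabet) ** length

def masked_keyspace(mask, alphabet, wildcard="?"):
    """Candidates matching a mask: known characters are fixed and every
    wildcard position ranges over the whole alphabet. The mask syntax is
    hypothetical; pass another wildcard if the password may contain '?'."""
    return len(alphabet) ** mask.count(wildcard)

def worst_case_seconds(candidates, rate=RATE):
    """Time to try every candidate; the average case is half of this."""
    return candidates / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def report(length=8, mask="Pa??wo?d"):
    """Worst-case search time for one length under different prior knowledge."""
    cases = {
        "all 95 printable characters": keyspace(length, charset(*ALL)),
        "no digits": keyspace(length, charset("lower", "upper", "symbols")),
        "letters and digits only": keyspace(length, charset("lower", "upper", "digits")),
        "lower-case only": keyspace(length, charset("lower")),
        f"mask {mask}": masked_keyspace(mask, charset(*ALL)),
    }
    return {label: humanize(worst_case_seconds(n)) for label, n in cases.items()}

if __name__ == "__main__":
    for label, duration in report().items():
        print(f"{label:30} {duration}")
```

Each known position in the mask divides the search by 95, which is why a password that leaks even a few characters loses most of its strength.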

So, if you have no clue about the password at all, and a long, complex password and a strong encryption scheme were used, it is not practical to crack the password, right? As the saying goes, that depends…

Recently, a flaw was discovered in the way Microsoft implemented their encryption, and it applies even when a strong algorithm such as RC4 is used. If two versions of the encrypted document are available (a not uncommon scenario), the password can be recovered very quickly.

Properly securing a document through encryption is not a simple task. Weak passwords are frequently used and vendors often use weak or flawed encryption schemes. In most cases, if someone forgets their password, a tool such as AOPR can recover the password in short order.

I found the help file for AOPR Pro to be very interesting reading. There is lots of information about the encryption schemes used by Microsoft applications as well as general information about encryption. ElcomSoft has even put their help file up as a web page at
http://www.elcomsoft.com/help/aopr/index.html.

While I tested the Professional edition of AOPR, there are also Home and Standard editions that can deal with fewer file types. For details of the capabilities of each version see
http://www.elcomsoft.com/aopr.html.

ElcomSoft also has programs to recover passwords from many different file types such as archives, WordPerfect, Adobe Reader, and more. For details, see
http://www.elcomsoft.com/prs.html.

System requirements:
CPU: Pentium or better
OS: Windows 95 or better
Disk space: 4MB


Bottom Line:

Advanced Office Password Recovery Professional v3.03
from ElcomSoft
AOPR pricing (Canadian dollars at the ElcomSoft web site):

Home Edition – $62.00
Standard Edition – $125.00
Professional Edition – $252.00

Web site:
http://www.elcomsoft.com/aopr.html


Copyright and Usage
Ottawa Personal Computer Users Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews may not necessarily
represent the views of the OPCUG or its members.