KoreLogic provides highly skilled cyber security services to Fortune 100 companies and the U.S. Government. High performance password cracking for encrypted file recovery, compliance audits, and penetration testing.

Password Recovery Service

This service provides you with the ability to:

  • Recover access to locked business-critical documents.
  • Quantify reduction in security risk from discovering and removing weak passwords used throughout your enterprise.

Since 2009, KoreLogic's password cracking team has played a critical role in improving the methods, techniques and tools used to crack password hashes. We run the recurring Crack Me If You Can contest and sponsor a Password Village at DEF CON, and have released tools such as PathWell. This expertise is integral to the PRS's ability to unlock hard-to-recover passwords and provide means to easily and repeatably audit enterprise password compliance, where conventional password cracking tools and services often fall short or deliver fewer results.

Examples of PRS In Action

KoreLogic provides PRS to Fortune 500 firms, small businesses and to individuals such as described below:

  • Fortune 500 Legal Team: Asked to recover encrypted files from a CD used by a former employee of an acquired company. We reverse-engineered the proprietary encryption used on the CD to gain access to the files.
  • Law Firm: A firm was processing thousands of password-protected Microsoft Office and PDF documents for eDiscovery. After the firm's use of a commercial password cracking software proved ineffective, they engaged KoreLogic's PRS. We accomplished more in days than they had managed in months.
  • Fortune 500 Food and Beverage Company: Cracked 99.8% of 260,000 password hashes. Passwords complied with documented policies, but those policies did not prevent major trends and predictable user behavior. Also identified administrators abusing their privileges to reuse passwords, evading password history controls.
  • Small Business Owner: A couple ran a small business together; the husband did all the bookkeeping and kept all their business and personal financial account information in an encrypted spreadsheet. When he passed away suddenly, his wife was unable to access any of the information or shared accounts. Fortunately, we were able to decrypt that spreadsheet, saving her hours of effort and immeasurable frustration.
  • A Major Retailer: Leveraged PRS to get an understanding of their user compliance and to satisfy audit requirements. 84% of the organizations' 11,000 user passwords were found in 24 hours, leading to policy change discussions that ended with a revamp of their security policies.
  • Taxpayer: A private citizen being audited by the Internal Revenue Service (IRS) urgently needed to access a pair of password-protected PDF files containing information relevant to the audit. After a number of unsuccessful attempts to recall/guess/recover the passwords, the individual turned to the Internet, and his research led him to us. PRS recovered his passwords in a fraction of a compute hour (i.e., mere minutes). Needless to say, the man was extremely grateful for our help.
  • Fortune 500 Financial Company: A number of business units within the company under a tight deadline to identify and register all production macros were hindered in their efforts to comply due to protections placed (possibly by the original developers) on production files (predominantly Excel spreadsheets and Access databases). These protections, designed to prevent unauthorized access and/or modification, included file, workbook, worksheet, and macro passwords. In response to the request for help, we adapted PRS to produce a new offering called the Macro Recovery Service (MRS). MRS was subsequently deployed within the client's environment as a web-based, self-serve kiosk. One key factor in our success was our ability to dig into each file protection mechanism and come up with an approach that would have the least impact on the structure/integrity of the original file.
  • Not Just Passwords: Flaws identified in the firmware of a peripheral device undergoing black-box security testing led us to hypothesize that a brute force attack could be mounted against the wireless protocol used to communicate with the host system even though it was protected with 128-bit AES encryption. To confirm our theory, we created a custom attack program and deployed it on our distributed cracking grid. Within two hours, the results were in: the cryptosystem as implemented was broken. The implications were severe (i.e., unauthorized access possible), global in scope (i.e., all devices affected), and invariant over time (i.e., all previous wireless traffic, if captured correctly/completely, could be decrypted at will).
  • Not Just Password Recovery: We have been and continue to be open to supporting the research community. In 2014, for example, we conducted a pilot study consisting of four separate trials for a research effort led by Carnegie Mellon's CyLab Usable Privacy and Security (CUPS) team. Results and conclusions drawn from that work are documented in Measuring Real-World Accuracies and Biases in Modeling Password Guessability.

Quantifying The Risk Posed By Weak Passwords

Access to digital assets often depend on passwords chosen by end users - history shows that to be problematic. Despite having otherwise effective security controls, one weak user/administrator password typically is all an attacker needs for a toehold.

PRS helps improve security and compliance by:

  • Identifying password patterns which, if eliminated, increases resistance to attack
  • Providing insight into how passwords are being chosen by users and how to improve them
  • Providing evidence of compliance with your password related policies
  • Mapping historical data to trend user and administrator compliance with password policies

Recovery Of Password-protected Files

PRS can recover plaintext passwords for or remove protection from encrypted files (e.g., PDF, Microsoft Word documents or Excel spreadsheets, accounting systems such as QuickBooks and Microsoft Money, archives such as ZIP, DMG, iTunes backups, Bitcoin or Ethereum wallets, etc.) for any number of possible legitimate uses such as restoring access to password protected documents containing critical information, supporting internal investigations, eDiscovery requests, etc.

Recovery Of Password-protected Online Accounts/Services

PRS does not support recovery of passwords for online accounts and services (e.g., Gmail, Amazon, Facebook, LinkedIn, etc.).

Requesting PRS

Our goal is to make password recovery accessible for everyone from individuals and small businesses to the Fortune 100.

  • We will require some written attestation that you 1) are not engaging or causing KoreLogic to engage in any illegal activity and 2) have a legal right to recover the password(s) that are the subject of your request.
  • For individuals or one-time engagements, we support payment via PayPal. Other forms of payment (e.g., checks, cryptocurrencies, etc.) are not accepted at this time.
  • For a typical encrypted file recovery or password-cracking effort, there is a one-time setup fee of $250 USD, and compute time costs $1, $2, or $5 USD per hour depending on whether you request normal, high, or urgent priority handling, respectively. We do have long-term rates for special requests that may run for weeks or months.
  • Initially, we will recommend a block of compute hours to get the recovery effort started (e.g., 100, 500, etc.). Factors that play into this recommendation include your budget, the number of passwords that must be recovered, quality of password hints that you provide, and the encryption/hash algorithm(s) used. Some algorithms can be calculated very quickly. Hence many guesses can be made in a short period of time. Others are slower, so the number of guesses per unit time will be reduced. As a general rule, algorithms can be calculated faster on GPUs than on CPUs. However, not all algorithms are currently supported by the GPUs on our cracking grid. Before agreeing to take on your request, we will confirm that the algorithms used are supported on our cracking grid.
  • Labor is billed at our current rate on an as-needed basis. You will be notified in advance if there's an anticipated need for additional labor. Generally, this only comes up if there are circumstances that require custom work (e.g., uncommon algorithm or file type, corrupt or partially complete data, software modifications needed, etc.).
  • Enterprise customers may prefer to enter into a traditional contract arrangement, use the service on a recurring basis, etc.
  • For engagements such as recurring enterprise-wide password audits or bulk password recovery, deploying a dedicated hardware or virtual appliance on customer premises is an option; contact us for more details.
Contact the PRS Team [PGP key] with a brief description of your password or file recovery needs. Please include your contact information (i.e., first/last name, phone number, company/business name, etc.) and indicate whether your inquiry/request is personal or professional in nature. Since we have limited time/resources, requests that do not provide the requested information are likely to go unanswered.