How Law Enforcement Experts Crack Passwords
Hackers, scammers, IT security professionals, investigators, and intelligence agencies: all of them, under certain circumstances, may try to access information protected by passwords. While the tools used by hackers and intelligence agencies are largely the same, their approaches differ dramatically. Except for rare high-profile cases where massive resources are deployed, law enforcement experts usually work under strict limits on both the resources and the time they can spend cracking a password. This article explores the methods law enforcement uses to crack passwords and how their approach differs from that of hackers.
Persuasion and Pressure
Law enforcement typically starts with persuasion. For example, they might tell a detainee, “You’re not leaving until you unlock your phone,” while presenting a document stating their right to search the device. Such documents rarely mention any obligation for the detainee to unlock the device; the authorities simply act as if they had a right they don’t actually have.
It may sound unbelievable, but it happens. For instance, Sidd Bikkannavar, a NASA employee and U.S. citizen, was recently detained at the border and persuaded to unlock his corporate smartphone using this very tactic.
In principle, you are not required to incriminate yourself, and in many jurisdictions that extends to revealing your passwords. In practice this is not always honored: a suspect in a child pornography case spent 16 months in jail for refusing to provide the passwords to his encrypted drives. Presumption of innocence? Not always observed.
Such measures aren’t always possible or effective, especially with minor offenders or well-defended suspects. In most cases, authorities must decrypt data and crack passwords themselves. While experts working on cases involving serious crimes or national security threats may have virtually unlimited resources, in 99.9% of cases, they are strictly limited by the computing power and time available in their labs.
In Russia, for example, border agents don’t yet force people to unlock devices, but as one digital forensics expert put it, “The most effective way to get a password is a call from the investigator.”
What Can Be Done in 45 Minutes? Or Two Days?
Movies aren’t always wrong. At a tech expo, a police chief once asked, “I have about 200 iPhones at my station. What can you do in 45 minutes?” A few years ago, before fingerprint scanners and Secure Enclave became widespread, jailbreaking was often possible within that timeframe. But as security improves, police still don’t get more time.
In minor cases, when a phone or computer is seized “just in case,” investigators rarely have the time, resources, or expertise to crack passwords. If a device can’t be unlocked in 45 minutes, they move on to other evidence. It’s not worth exhausting resources on every encrypted device from every minor offender.
In more serious cases, especially when a suspect’s computer is seized, more effort may be invested. The resources allocated depend on the country, the severity of the crime, and the importance of the digital evidence. In conversations with police from various countries, “two days” is often cited as the typical time allotted for password cracking on a cluster of a few dozen computers. Is two days enough to crack, say, BitLocker or Office 2013 passwords? Surprisingly, it often is.
How Do They Do It?
Law enforcement has always had password-cracking tools, but only recently have they learned to use them effectively. Initially, they manually extracted passwords or used single-purpose utilities (e.g., for ICQ or Outlook). In recent years, “all-in-one” tools have become standard, scanning hard drives and registries to save all found passwords to a file.
Police often use private forensic labs for both routine and high-profile cases (such as the San Bernardino case). Private experts may use “hacker” methods, and as long as the original data isn’t altered and no traces are left, the method used to obtain the password doesn’t matter: experts can cite trade secrets in court and refuse to disclose technical details.
Real-Life Stories
Sometimes, speed is critical. In 2007, a lab received a request to help find a missing 16-year-old. The police brought in the teen’s password-protected laptop. There was no time for months of brute-forcing. The team imaged the disk, launched a password attack on Windows, and searched for passwords on the drive. Using Elcomsoft Internet Password Breaker, they found the email password, which allowed them to reset the ICQ password. Chat logs revealed where the teen had gone, and the case ended well.
Not all stories end happily. In another case, a French private investigator was asked by police to help find a missing athlete. The athlete’s computer revealed iTunes and iCloud Control Panel, indicating he had an iPhone. They managed to extract an authentication token from iCloud Control Panel, but the cloud backup was outdated and contained no clues. However, a password saved in the notes (the classic “yellow sticky note” method) led to the athlete’s email, where a hotel reservation was found. Unfortunately, the athlete was later found dead.
So, what can be accomplished in two days?
How Effective Are Strong Passwords?
You’ve probably heard advice about choosing “strong” passwords: minimum length, letters, numbers, special characters. But does it really matter? Will a long password protect your encrypted volumes and documents?
Let’s look at some numbers. Using a high-end Nvidia GTX 1080 GPU, BitLocker volumes can be tested at about 860 passwords per second and Office 2013 documents at about 7,100 passwords per second. On a fast computer, a five-character alphanumeric password can be brute-forced in about a day. Add special characters, and it might take two to three weeks. But five characters is short: today’s average password is eight characters, and an eight-character keyspace is beyond the reach of brute force on even the most powerful police clusters.
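To see what those rates mean for a brute-force attack, here is a small estimator that turns the per-GPU figures quoted above into worst-case times and into the longest password a given time budget can exhaust. This is an added example, not code from the article or from any vendor; the per-GPU rates are the article’s GTX 1080 figures, while linear scaling with the number of GPUs, the 80-GPU cluster and the two-day budget are assumptions taken from the text rather than measurements.

```python
"""Brute-force feasibility from the per-GPU rates quoted in the article.

Added example, not from the original article. The per-GPU rates are the
article's GTX 1080 figures; linear scaling with GPU count, the 80-GPU
cluster and the two-day budget are assumptions taken from the text.
"""

RATES_PER_GPU = {"bitlocker": 860, "office2013": 7_100}  # passwords per second, one GTX 1080

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a password of exactly `length` characters."""
    return charset_size ** length


def worst_case_days(charset_size: int, length: int, target: str, gpus: int = 1) -> float:
    """Days to exhaust the whole keyspace (assumes throughput scales linearly with GPUs)."""
    rate = RATES_PER_GPU[target] * gpus
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def max_exhaustible_length(budget_seconds: float, charset_size: int,
                           target: str, gpus: int = 1) -> int:
    """Longest length whose entire keyspace can be tried within the budget."""
    candidates_affordable = budget_seconds * RATES_PER_GPU[target] * gpus
    length = 0
    while keyspace(charset_size, length + 1) <= candidates_affordable:
        length += 1
    return length


def feasibility_table(budget_seconds: float = 2 * SECONDS_PER_DAY, gpus: int = 80) -> dict:
    """Per charset and target: the longest password a cluster exhausts in the budget.

    The defaults model the article's "two days" on 20 workstations x 4 GPUs.
    """
    return {
        name: {t: max_exhaustible_length(budget_seconds, size, t, gpus) for t in RATES_PER_GPU}
        for name, size in CHARSETS.items()
    }


if __name__ == "__main__":
    print(f"5 chars, lowercase+digits, BitLocker, 1 GPU: {worst_case_days(36, 5, 'bitlocker'):.1f} days")
    print(f"5 chars, printable ASCII, Office 2013, 1 GPU: {worst_case_days(95, 5, 'office2013'):.1f} days")
    print(f"8 chars, mixed case+digits, Office 2013, 80 GPUs: {worst_case_days(62, 8, 'office2013', 80):.0f} days")
    for charset, lengths in feasibility_table().items():
        print(f"{charset:22} {lengths}")
```

The last figure is the one that matters for the argument: an eight-character mixed-case alphanumeric password costs the assumed 80-GPU cluster over a decade against Office 2013, while the same cluster fully exhausts only six characters of that charset in two days.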
Yet, most passwords are still cracked within two days or less, regardless of length or complexity. How? Not by guessing pet names or birth years, but by using statistical methods that work in most cases.
How Many Passwords Do You Have?
I counted: I have 83 unique passwords. The average user has far fewer. Surveys show the average English-speaking user has 27 online accounts. Can they remember 27 unique, complex passwords? Statistically, no. About 60% use a handful of passwords with minor variations (password, password1, Password1234, etc.). Law enforcement takes full advantage of this.
If investigators have access to a suspect’s computer, extracting a dozen or more passwords takes just minutes. Tools like Elcomsoft Internet Password Breaker can pull passwords from browsers (Chrome, Opera, Firefox, Edge, Internet Explorer, Yandex) and email clients (Outlook, Thunderbird, etc.). All found passwords can be exported to a text file, which becomes a ready-made dictionary for cracking more secure files.
Suppose you have a file (e.g., P&L.docx) and a dictionary of the user’s passwords. Most password-cracking programs that support MS Office 2013 can use this dictionary. The attack proceeds in three stages:
- Use the dictionary as-is. This takes seconds and succeeds about 60% of the time for average users.
- Append numbers (0-9999) to each password in the dictionary.
- Apply “mutations” (e.g., changing case, adding digits or years) based on the user’s password habits.
Stages two and three typically crack one in ten passwords. Overall, there’s about a 70% chance of decrypting a document from an average user, regardless of password length or complexity.
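The three stages above are easy to run yourself. The following is an added example, not code from the article or from Elcomsoft: it feeds a list of “recovered” passwords through the as-is, append-numbers and mutation stages in order against a protected document. The document is stood in for by a salted PBKDF2-HMAC-SHA512 verifier (Office 2013 agile encryption also derives its key with iterated SHA-512, but its real container format is not reproduced here), the iteration count is deliberately low so the demo runs in seconds, and the dictionary, salt and target password are constructed for the demonstration. Stripping trailing digits before mutating is this example’s reading of “the user’s password habits”, not something the article prescribes.

```python
"""Three-stage dictionary attack fed by a user's own recovered passwords.

Added example, not code from the article or from Elcomsoft. The protected
document is stood in for by a salted PBKDF2-HMAC-SHA512 verifier; the real
Office 2013 container format is not reproduced. Dictionary, salt and target
password are constructed for the demonstration.
"""
import hashlib
import os
from typing import Iterable, Iterator, Optional, Tuple

# Deliberately low so the demo runs in seconds; real formats use 100,000 or more.
ITERATIONS = 100


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for a document's key derivation (assumption, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def protect(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce the (salt, verifier) pair a protected file would store."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, derive(password, salt)


def stage_as_is(words: Iterable[str]) -> Iterator[str]:
    """Stage 1: the extracted passwords exactly as found."""
    yield from words


def stage_append_numbers(words: Iterable[str], limit: int) -> Iterator[str]:
    """Stage 2: every word with 0..limit appended (the article uses 0-9999)."""
    for w in words:
        for n in range(limit + 1):
            yield f"{w}{n}"


def stage_mutations(words: Iterable[str], years: range = range(1960, 2030)) -> Iterator[str]:
    """Stage 3: case changes plus short digit or year suffixes.

    Trailing digits are stripped first on the assumption that the habit is
    "word + digits"; that choice is this example's, not the article's.
    """
    for w in words:
        base = w.rstrip("0123456789") or w
        variants = []  # list, not set, so candidate order is deterministic
        for v in (base, base.lower(), base.upper(), base.capitalize(), base.swapcase()):
            if v not in variants:
                variants.append(v)
        for v in variants:
            yield v
            for d in range(100):
                yield f"{v}{d}"
            for y in years:
                yield f"{v}{y}"
                yield f"{v}{y % 100:02d}"


def run_attack(salt: bytes, verifier: bytes, words: Iterable[str],
               number_limit: int = 9999) -> Tuple[Optional[str], Optional[str], int]:
    """Run the stages in order; return (password, stage name, candidates tested)."""
    words = list(dict.fromkeys(words))  # de-duplicate while keeping order
    seen = set()
    attempts = 0
    stages = (
        ("as-is", stage_as_is(words)),
        ("append-numbers", stage_append_numbers(words, number_limit)),
        ("mutations", stage_mutations(words)),
    )
    for name, candidates in stages:
        for cand in candidates:
            if cand in seen:  # stages overlap (a year is also a number), skip repeats
                continue
            seen.add(cand)
            attempts += 1
            if derive(cand, salt) == verifier:
                return cand, name, attempts
    return None, None, attempts


if __name__ == "__main__":
    # Constructed sample: passwords "pulled from the browser", and a document
    # whose password the user built from one of them.
    recovered = ["password1", "summer99", "Hunter2"]
    salt, verifier = protect("Summer2017")
    print(run_attack(salt, verifier, recovered, number_limit=999))
```

The `seen` set is worth keeping in a real tool: with iterated key derivation every candidate costs the same, so retesting the same string from two different stages wastes exactly as much time as testing a new one.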
Exceptions to the Rule
Not every user reuses passwords. Some use contact names, file names, or vacation spots as passwords. There are no tools to automate all such cases; sometimes investigators must manually add these to their dictionaries.
Length Doesn’t Matter
Most users don’t bother with long, complex passwords. Even if they did, dictionary attacks using leaked password lists would still be effective.
Major breaches (Yahoo, LinkedIn, eBay, Twitter, Dropbox) have exposed tens of millions of passwords. Mark Burnett analyzed these leaks and found clear patterns:
- 0.5% use “password” as their password
- 0.4% use “password” or “123456”
- 0.9% use “password,” “123456,” or “12345678”
- 1.6% use a top-10 password
- 4.4% use a top-100 password
- 9.7% use a top-500 password
- 13.2% use a top-1000 password
- 30% use a top-10,000 password
Using a list of the 10,000 most common passwords, investigators can crack about 30% of user files, even without access to the user’s computer.
70 + 30 = 100?
Using a user’s own passwords (plus mutations) works about 70% of the time. Using the top-10,000 password list works about 30% of the time. But the two don’t add up to 100%: the groups overlap, and there’s no guarantee, especially with offline resources or encrypted volumes that may use entirely different passwords. In computer crime investigations, the chance of encountering a non-average user increases. So the 30% and 70% success rates are statistical, not absolute. Still, these quick, automatable, and predictable methods are what law enforcement favors when persuasion fails.
Is That All?
Of course not. Investigators also use custom dictionaries, including popular passwords and words from English and other languages, often with various mutations. Sometimes, brute force is used: a cluster of 20 workstations with four GTX 1080 GPUs each can test 500,000 Office 2013 passwords per second, or over 2 million RAR5 passwords per second.
Extracted account passwords don’t always help decrypt files or containers. In such cases, police use other methods. For example, when encountering a BitLocker-encrypted drive protected by a TPM 2.0 module, attacking head-on is pointless, since no user password is set and the key is released by the TPM rather than derived from a password. Instead, investigators may analyze another device where the user logged in with the same Microsoft Account, because Windows device encryption backs the BitLocker recovery key up to that account. Once the account password is recovered, decrypting the drive is straightforward. In another case, unencrypted copies of an encrypted laptop’s data were found on a server.
How to Protect Yourself
First, audit your passwords. Try the methods described above. If you can crack your own document, archive, or encrypted volume in minutes, take action. If not, remember that “soft” persuasion methods are always an option for authorities.