New tool unlocks passwords

To make life a little easier for frustrated network administrators, as well as for absent-minded users tired of playing the “What the heck was my new password?” game after an especially rough weekend, a small East European company has developed a Windows utility to open locked files.

Password Recovery Kit 4.1, designed by the Estonian company Passware, consists of a set of applications – or “keys” – that can recover passwords for opens, write reservations, workbooks, templates, databases and access user accounts from all versions of MS Office, Acrobat, WinZip, Windows 2000/NT/XP, ACT! and several other business packages.

“To recover a password the user should run the key, then select the file with the unknown password, then the key starts searching. Some types of passwords can be recovered instantly, others require a brute-force attack, i.e. rapidly checking millions of combinations of characters,” said Dmitry Sumin, Passware’s Tallinn, Estonia-based manager.

As well as offering convenience for forgetful users, Sumin said that password recovery software can be critical when key employees suddenly leave a company. “Another common scenario (is) for a network manager to inherit a Windows 2000/NT server with (its) Administrator password unknown – this is when our Windows XP/2000/NT Key can help to create boot disks to unlock the system,” he said.

With 400 to 500 nodes, and up to 475 users that range from novice to expert, James Carey, senior systems manager for the Toronto-based Fairmont Hotels and Resorts, said that lost passwords are indeed a common occurrence.

“We do spend a lot of time on it from a systems perspective. People will forget their password from a Friday to a Monday, or they use different combinations, so we do quite frequently have to do password resets,” said Carey, whose duties include overseeing IT activity at the Fairmont Royal York in downtown Toronto.

However, Carey said that despite its potential convenience factor, he would be very wary of a password-cracking tool such as this.

“I think it would be a very dangerous tool, especially if you gave it to a user. If it fell into the wrong hands anybody could go and try and crack anybody else’s password, especially around documents with sensitive material. It would have to be very regulated so that only certain administrators would have access to it,” Carey said.

Sumin said that although Passware has developed some proprietary technologies to boost the Recovery Kit’s effectiveness, there are no elements in place to regulate potentially shady use of the software.

“There are no such controls available yet. For now it is [the] IT manager or network administrator’s responsibility to install the software securely, so that only authorized personnel could possibly use it,” Sumin said.

Alister Sutherland, Toronto-based director of software with analyst firm IDC Canada, also had immediate concerns about the nefarious possibilities presented by this tool. But if security concerns can be addressed, Sutherland said that anecdotal evidence indicates that lost passwords are an ongoing headache for anyone who works around technology, and “sometimes these small products can gain a lot of traction in the market because there is a need out here.”

Convenience aside, Carey prefers to stick to his company’s established policies and procedures, and just keep resetting those pesky lost passwords.

“As soon as I heard about this password retrieval, as an administrator you kind of cringe because security is forefront in what we do…and you try not to introduce any element that could cause problems down the road,” he said.

A single Password Recovery Kit license costs US$395 and is available online at Site. 10-pack and individual licenses, as well as free demos, are also available.