{"id":9216,"date":"2019-10-16T01:18:00","date_gmt":"2019-10-15T23:18:00","guid":{"rendered":"https:\/\/paddys.de\/?p=9216"},"modified":"2023-10-07T02:11:17","modified_gmt":"2023-10-07T00:11:17","slug":"wie-einfach-dokumenten-passwoerter-zu-knacken-sind-pdf-zip","status":"publish","type":"post","link":"https:\/\/paddys.de\/en\/wie-einfach-dokumenten-passwoerter-zu-knacken-sind-pdf-zip\/","title":{"rendered":"How easy document passwords are to crack (PDF, ZIP, ...)"},"content":{"rendered":"<p><em>This article was first published at <a href=\"https:\/\/www.itk-security.de\/wie-einfach-dokumenten-passwoerter-zu-knacken-sind-pdf-zip\/\" target=\"_blank\" rel=\"noopener\" title=\"\">ITK SECURITY<\/a>.<\/em><\/p>\n\n\nLast updated 3 years ago by <a href=\"https:\/\/paddys.de\/en\/\" target=\"_blank\" class=\"last-modified-author\">Ruppelt Patrick<\/a>\n\n\n\n<p>Reading time: 8 minutes<\/p>\n\n\n\n<p>Cracking a password-protected PDF or ZIP file usually takes only a few seconds with the right tools. This is a fact that banks, doctors' practices and many public authorities are often unaware of.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Was_Banken_unter_%E2%80%9Esicher%E2%80%9C_verstehen\"><\/span>What banks mean by \"safe\"<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Sensitive data should not be exchanged by e-mail. This is well known. There are far better options, such as digital data rooms. We offer our customers such rooms on our own servers in our data centre, where every file is stored in encrypted form and the usual methods of \"cracking\" passwords do not work. To name just one very simple measure: after three failed attempts you are locked out. Such a lockout only works because every attempt has to pass through the server, which can count and refuse them; a password-protected file that has already been handed over offers no such counter, and that difference is the whole problem this article is about. As is so often the case, there is of course a \"catch\": these systems cost money. Security is not available for free.<\/p>\n\n\n\n<p>Unfortunately, many service providers, from whom one should actually be able to expect something different, still take a different view. Banks, for example.<\/p>\n\n\n\n<p>A common misconception here is that protecting a file with a password means that only the person who has the password can open the file. 
This is particularly common with PDF files and ZIP archives (I am thinking of an INI letter from the bank), but password protection is also frequently used for Word files and other packed archives.<\/p>\n\n\n\n<p>With a sufficiently complex password this is indeed secure, but not if, as is common practice in banks, a five-digit postcode is simply used as the password: that leaves at most 100,000 (10^5) candidates, and the attacker knows in advance that the password consists of exactly five digits. As the simple example below shows, it is a fallacy to believe that something like this is secure.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Der_Testaufbau\"><\/span>The test setup<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>For my test, I created a PDF file and encrypted it with the simple password 'test'. In the file browser it is visually indistinguishable from an ordinary, unencrypted PDF file, and any common computer can open it, print it and so on once the password has been entered.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.itk-security.de\/wp-content\/uploads\/2019\/10\/image-52.png\" alt=\"\" class=\"wp-image-2911\"\/><figcaption class=\"wp-element-caption\">The test file in the file browser (on my Linux computer, but it would look similar on Windows or a Mac)<\/figcaption><\/figure>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>When attempting to open the file, the user receives a password prompt. 
Without the password, the file cannot be opened:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.itk-security.de\/wp-content\/uploads\/2019\/10\/image-60.png\" alt=\"\" class=\"wp-image-2920\"\/><figcaption class=\"wp-element-caption\">Password prompt when trying to open the PDF test file<\/figcaption><\/figure>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Vorgehensweise_zum_Knacken_des_Passworts\"><\/span>Procedure for cracking the password<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>This article is only intended to illustrate how easy it is to crack such a password with the right tools. It is not a \"hacking\" tutorial, which is why parts of the commands shown have been blurred out.<\/p>\n\n\n\n<p>I do not want to encourage anyone to get up to mischief, only to point out the problem as such in order to raise awareness.<\/p>\n\n\n\n<p>The procedure is as simple as it is effective. Using my notebook, I try to open the file in a loop: each time the file asks for a password, I feed it an automatically generated one. In practice the cracking tool does not even launch a PDF reader; it reads the encryption parameters out of the file once and then checks each candidate against them offline, entirely on my own hardware. Nobody can count, slow down or block these attempts.<\/p>\n\n\n\n<p>First, dictionary words are tried. This is also why it is always advised not to use real words or names as passwords.<\/p>\n\n\n\n<p>If none of the passwords tested automatically from dictionaries succeeds, I continue with a so-called \"brute force\" attack, in which all conceivable passwords are simply tried in turn: first every single character from a to z, then aa, ab, ac, ad and so on, working through ever longer combinations of letters, digits and special characters. 
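<\/p>\n\n\n\n<p>To make these two phases concrete, here is an added example in Python; it is not the author's tool and does not come from the original article. It runs a dictionary phase and then the incremental brute force just described against a constructed stand-in for a protected document (a salted SHA-256 verifier playing the part of the password check that a PDF or ZIP reader performs), and it also computes the keyspace and worst-case time figures for the character classes the article lists (26 lower-case letters, 26 capitals, 7 umlauts and sharp s, and the 20 listed special characters, 79 in all). The class and function names (<code>ProtectedDocument<\/code>, <code>crack<\/code>, <code>keyspace<\/code>, <code>seconds_to_exhaust<\/code>) are my own, the word list and the two passwords are made up, and the 370,000 guesses per second is the rate the author reports for all eight cores of his notebook.<\/p>

```python
"""Offline password guessing: dictionary phase first, then incremental brute force.

Added example, not the article's own tool. ProtectedDocument is a constructed
stand-in for a password-protected file: it keeps a salt and a SHA-256 of the
password and answers whether a candidate opens it, the role the password check
of a PDF or ZIP reader plays. Real crackers derive that check from the file's
encryption dictionary once and then run exactly this loop offline.
"""
import hashlib
import itertools
import os
import string
import time

# Character classes as listed in the article: 26 + 26 + 7 + 20 = 79 symbols.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
UMLAUTS = "äöüÄÖÜß"
SPECIAL = '.,-_;:!"§$%&/()=?#+*'
DIGITS = string.digits                                  # the article's list omits these
ARTICLE_CHARSET = LOWER + UPPER + UMLAUTS + SPECIAL     # 79 characters
FULL_CHARSET = ARTICLE_CHARSET + DIGITS                 # 89 characters

REPORTED_RATE_PER_SECOND = 370_000   # the author's figure for all eight notebook cores


class ProtectedDocument:
    """Constructed stand-in for a password-protected file (hypothetical, not a real format)."""

    def __init__(self, password, salt=None):
        self.salt = salt if salt is not None else os.urandom(8)
        self._verifier = self._derive(password)

    def _derive(self, candidate):
        return hashlib.sha256(self.salt + candidate.encode("utf-8")).digest()

    def check(self, candidate):
        """True if `candidate` would open the document. Runs offline: nothing can lock us out."""
        return self._derive(candidate) == self._verifier


def dictionary_candidates(words):
    """Phase 1: each dictionary word as is, capitalised and in upper case."""
    for word in words:
        yield word
        yield word.capitalize()
        yield word.upper()


def incremental_candidates(charset, max_len):
    """Phase 2: a, b, c, ..., then aa, ab, ac, ..., up to max_len characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(doc, words, charset, max_len):
    """Try the dictionary first, then brute force.

    Returns (password, guesses_made, phase); password and phase are None on failure.
    """
    guesses = 0
    phases = (("dictionary", dictionary_candidates(words)),
              ("incremental", incremental_candidates(charset, max_len)))
    for phase, candidates in phases:
        for candidate in candidates:
            guesses += 1
            if doc.check(candidate):
                return candidate, guesses, phase
    return None, guesses, None


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate_per_second):
    """Worst case: seconds to try every password of this length at this guess rate."""
    return keyspace(charset_size, length) / rate_per_second


def measure_rate(doc, seconds=0.5):
    """Guesses per second this machine manages against the stand-in check (one core)."""
    count, start = 0, time.perf_counter()
    for candidate in incremental_candidates(FULL_CHARSET, 4):
        doc.check(candidate)
        count += 1
        if time.perf_counter() - start >= seconds:
            break
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed inputs: a tiny word list and two protected documents.
    words = ["hello", "password", "test", "welcome"]
    postcode_doc = ProtectedDocument("80331")   # five-digit postcode, as a bank might pick
    test_doc = ProtectedDocument("test")        # the article's test password

    print("postcode, digits only:", crack(postcode_doc, [], DIGITS, 5))   # < 10**5 guesses
    print("dictionary hit:       ", crack(test_doc, words, LOWER, 4))    # found in phase 1
    print("brute force only:     ", crack(test_doc, [], LOWER, 4))       # 355,414 guesses

    print(f"this machine: about {measure_rate(test_doc):,.0f} guesses/s on one core")
    for n in range(4, 9):
        secs = seconds_to_exhaust(len(ARTICLE_CHARSET), n, REPORTED_RATE_PER_SECOND)
        print(f"{n} chars from {len(ARTICLE_CHARSET)}: {keyspace(len(ARTICLE_CHARSET), n):>20,}"
              f" candidates, worst case {secs / 3600:,.1f} h at {REPORTED_RATE_PER_SECOND:,}/s")
```

<p>Two things to take from running it. First, every call to <code>check<\/code> happens on the attacker's own machine: nothing in a file that has already been handed over can count or throttle attempts, so the five-digit postcode falls after fewer than 100,000 guesses, well under a second even on one core, while the same three-failures lockout on a server makes online guessing hopeless. Second, the guess rate is the only lever the file format has: a format that derives its key with a deliberately slow, iterated hash cuts the rate by orders of magnitude but does not change the shape of the problem, and real crackers (John the Ripper with its pdf2john and zip2john helpers, or hashcat) run this same loop against the file's actual encryption dictionary at far higher speeds on a GPU, so the hours printed for the 79-character set are an upper bound, not a promise.<\/p>\n\n\n\n<p>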
After all, it has to be some password, so trial and error is guaranteed to hit the right one eventually.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Der_Praxis-Test_am_Beispiel\"><\/span>The practical test using the example<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Technically, it looks like this:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.itk-security.de\/wp-content\/uploads\/2019\/10\/image-56.png\" alt=\"\" class=\"wp-image-2916\"\/><figcaption class=\"wp-element-caption\">The password-trying program has been started<\/figcaption><\/figure>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The only limiting factor is the processing power available to me. Utilisation goes to 100% on the one core on which I run the program. If I wanted to do this on a larger scale, I would spread the load across all eight processor cores available. This would allow my notebook to test around 370,000 passwords per second (!).<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.itk-security.de\/wp-content\/uploads\/2019\/10\/image-57.png\" alt=\"\" class=\"wp-image-2917\"\/><figcaption class=\"wp-element-caption\">Processor load while \"cracking\" the password<\/figcaption><\/figure>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Ein_bisschen_Mathematik\"><\/span>A bit of mathematics<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>For this simple test, one processor core is enough for me. After about 1.5 minutes, the correct password had been found by trial and error.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.itk-security.de\/wp-content\/uploads\/2019\/10\/image-59.png\" alt=\"\" class=\"wp-image-2919\"\/><figcaption class=\"wp-element-caption\">Result of \"brute force\" password cracking of a password-protected PDF file<\/figcaption><\/figure>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This also explains why particularly short passwords should be avoided.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Consider a character set of permitted password characters:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>26 letters: a to z (lower case)<\/li>\n\n\n\n<li>26 letters: A to Z (upper case)<\/li>\n\n\n\n<li>7 umlauts and sharp s: \u00e4, \u00f6, \u00fc, \u00c4, \u00d6, \u00dc, \u00df<\/li>\n\n\n\n<li>20 special characters: . , - _ ; : ! \" \u00a7 $ % &amp; \/ ( ) = ? # + *<\/li>\n<\/ul>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>That makes exactly 79 valid possibilities for each character. (The list above leaves out the ten digits 0 to 9; with them there are 89 possibilities per character, and every figure below grows accordingly.) Mathematically, this means there are<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>for a 1-character password only 79 possibilities,<\/li>\n\n\n\n<li>for a 2-character password 79^2 = 6,241 possibilities,<\/li>\n\n\n\n<li>for a 3-character password 79^3 = 493,039 possibilities,<\/li>\n\n\n\n<li>for a 4-character password 79^4 = 38,950,081 possibilities,<\/li>\n\n\n\n<li>for a 5-character password 79^5 = 3,077,056,399 possibilities,<\/li>\n\n\n\n<li>for a 6-character password 79^6 = 243,087,455,521 possibilities, and so on.<\/li>\n<\/ul>\n\n\n\n<p>It is easy to see that the number of passwords to try, and with it the effort, grows considerably with each additional character.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Fazit\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Nevertheless, this changes nothing about the cracking itself, only the time it takes. Whereas my notebook needs less than two minutes for four characters, at roughly 370,000 guesses per second the complete five-character space of 3,077,056,399 candidates takes a little over two hours (about 8,300 seconds), and the six-character space of 243,087,455,521 candidates about a week; every further character multiplies the worst case by another 79. With enough computing power and\/or enough time, I can still crack any short password and need do nothing more than wait for my automated system to spit out the right one. The only remedy is a sufficiently long and random password, which in practice means one produced by a password generator rather than chosen by hand.<\/p>\n\n\n\n<p>For this reason, protecting individual files with a hand-picked password is generally not regarded as secure and is not recommended for sending sensitive documents, e.g. 
by e-mail.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Rechtlicher_Hintergrund\"><\/span>Legal background<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>When \"cracking\" passwords, it is essential to observe the legal framework. The deliberate circumvention of protective mechanisms is usually punishable by law. In this context, we recommend further reading of the <a href=\"https:\/\/www.passwort-generator.com\/passwort-knacken\/\" target=\"_blank\" rel=\"noreferrer noopener\">corresponding article of the Verlag f\u00fcr Rechtsjournalismus GmbH linked here<\/a><a><sup>1)<\/sup><\/a>.<br><\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 id=\"wp-block-themeisle-blocks-advanced-heading-3aab2c66\" class=\"wp-block-themeisle-blocks-advanced-heading wp-block-themeisle-blocks-advanced-heading-3aab2c66\"><span class=\"ez-toc-section\" id=\"Quellenverzeichnis\"><\/span>List of sources<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><th><a>\u21911<\/a><\/th><td><a href=\"https:\/\/www.passwort-generator.com\/passwort-knacken\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.passwort-generator.com\/passwort-knacken\/<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Cracking a password-protected PDF or ZIP file usually takes only a few seconds with the right tools. 
A fact that banks, doctors and many other public authorities are often not aware of.<\/p>","protected":false},"author":1,"featured_media":9217,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_lmt_disableupdate":"","_lmt_disable":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-posts"],"acf":[],"modified_by":"Ruppelt Patrick","wps_subtitle":"","_links":{"self":[{"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/posts\/9216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/comments?post=9216"}],"version-history":[{"count":3,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/posts\/9216\/revisions"}],"predecessor-version":[{"id":9510,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/posts\/9216\/revisions\/9510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/media\/9217"}],"wp:attachment":[{"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/media?parent=9216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/categories?post=9216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paddys.de\/en\/wp-json\/wp\/v2\/tags?post=9216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}