Ask Leo! by Leo A. Notenboom

I've lost the password to a "zip" file. How do I open the file?

Summary: ZIP files are an archive format that includes optional password protection. If you don't have the zip file password, you may still be able to get in.

I used a password while zipping a file, but unfortunately I've since forgotten the password I used. How can I unzip the archive and retrieve the file?

In a perfect world, the answer should be "you can't". I mean, you should be able to open a password-protected file ONLY if you have the password, right? Otherwise, what's the point?

The fact that the answer isn't "you can't" should concern you.

First, the answer: if you search Google for "zip file lost password" you'll get a page full of results for various providers of zip file password crackers, or recovery tools. Some are free, some are not. While I haven't tried them, the tools are out there.

In looking at the tools, the techniques to crack a zip file password boil down to three different approaches:

  • Brute Force Attack - make up and try every possible password. This sounds time-consuming, and it can be. However, if you can provide hints, such as the approximate length of the password you used or perhaps the first character of your forgotten password, you can cut down the time dramatically.

  • Dictionary Attack - by quite literally using a dictionary of words, the tool can try various combinations until something works. If you recall that your password was in fact a word or combination of words, a dictionary attack can once again reduce the amount of time it might take to discover the forgotten password.

  • Known-plaintext Attack - If you have an original unencrypted copy of any file in the zip file (the "known plaintext", in cryptography-speak), that file, plus the encrypted zip file, can be used to reverse-calculate the password and thus extract all the other files.

Now, many of these techniques rely on time. Depending on your computer and the password to be discovered, you may end up turning a password cracker, or recovery tool, loose and having it take a few hours - or perhaps days - to recover the password. Perhaps that's too long, but perhaps not. That depends on your needs.

There are a couple of very important lessons to be learned here, however:

Password protecting a ZIP file is fairly poor security. It can be cracked, simple as that. With enough resources, and a poor or even moderately secure password, it can be cracked reasonably quickly.

"Strong" passwords are a must. If you're going to use words from the dictionary as a password, it's almost like having no password at all; cracking it is that easy. If you use a good, long and strong password, then you can dramatically increase the amount of time it will take to crack or recover the zip file.
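
An added example (not part of the original article) that puts numbers on the brute-force hints and the strong-password point above: it estimates the worst-case search time for a password, with and without the "known length" and "known first character" hints. The guess rate and the five-word dictionary are assumptions made up for illustration, not measurements of any real tool.

```python
import string

# Assumption for illustration: one million guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
# Constructed stand-in for a real word list.
SAMPLE_DICTIONARY = {"password", "dragon", "letmein", "sunshine", "monkey"}
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the smallest union of character classes covering the password."""
    size = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (spaces, non-ASCII) count one each.
    return size + len({c for c in password if not any(c in cls for cls in CHAR_CLASSES)})


def brute_force_guesses(password, known_length=False, known_prefix=0):
    """Worst-case guesses for exhaustive search, given the hints the owner recalls."""
    if not 0 <= known_prefix < len(password):
        raise ValueError("known_prefix must be shorter than the password")
    n, unknown = alphabet_size(password), len(password) - known_prefix
    if known_length:
        return n ** unknown
    # Without the length hint, every shorter candidate is tried first.
    return sum(n ** k for k in range(1, unknown + 1))


def worst_case_guesses(password, **hints):
    """A listed word falls to a dictionary attack in at most len(dictionary) guesses."""
    if password.lower() in SAMPLE_DICTIONARY:
        return len(SAMPLE_DICTIONARY)
    return brute_force_guesses(password, **hints)


def time_to_crack(password, rate=ASSUMED_GUESSES_PER_SECOND, **hints):
    """Human-readable worst-case search time at the assumed guess rate."""
    seconds = worst_case_guesses(password, **hints) / rate
    for unit, span in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for pw, hints in (("dragon", {}), ("qzjxkvwp", {}),
                      ("qzjxkvwp", {"known_length": True, "known_prefix": 1}),
                      ("Tr0ub4dor&3xyz", {})):
        print(f"{pw!r:18} {hints!s:45} {time_to_crack(pw, **hints)}")
```

The estimate covers only the brute-force and dictionary approaches; a known-plaintext attack does not depend on password strength in the same way.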

It's possible that the protection provided by a zip file is enough for you, and that's fine. Zip files are a compression format first, and an encrypting archive second. As long as you understand the previous two points, then you can at least make a reasonably informed decision as to which tool to use.

As an alternative, I would recommend something like TrueCrypt which uses much more robust algorithms to produce a virtually uncrackable encryption. If you forget the password to a TrueCrypt volume, you've lost your data. Period.

Like zip files, TrueCrypt volumes can contain many files in a single encrypted package. Unlike zip files, TrueCrypt volumes do not compress the data, and you must select the size of your volume when you create it. But both of these differences are easily managed: if you want, you can compress files prior to putting them in a TrueCrypt volume, and it's easy to "grow" your volume, if needed, by creating a new one and copying the contents of the old.

As with most things, choosing the right tool for the job is, perhaps, the most important decision even before you start.

Article C2918 - January 31, 2007

Recent Comments
11 Comments

hey i forgot my password and i need help please i need your help:((

Posted by: septimiu at February 13, 2007 3:59 PM

i forgot my password and i need help please

Posted by: septimiu at February 13, 2007 4:00 PM

so how to open the file or extract the file if the password is lost... and cracking or recovery doesn't work at all or failed many times.. Suggestion [ delete the file ] problem solved!

Posted by: nhone at March 23, 2007 9:06 AM

I have forgotten my password to encrypt my drive.. wtf must I do?

Posted by: Mike at April 29, 2007 3:34 AM

It depends on what technology you used to encrypt it. But in general, if you
lose the password to an encrypted drive, you're probably screwed. Any decent
encryption technology will not have a password recovery backdoor.

Leo
Posted by: Leo A. Notenboom at April 30, 2007 12:26 PM

Hi,

I got a new flash drive and then had heard a lot about the truecrypt software so decided on securing my disk with it. While trying to create a secure volume, I selected the full device rather than a single folder. At the step when it asks to format the drive, I clicked on format, but it said that format failed.
I have not been able to access my drive since then. When I plug it into the USB port, it shows as drive letter D: but clicking on it gives back a message 'Please insert a disk'
I have tried to access it via 'computer management' but it simply shows Drive D: as 'no media' Chkdsk says it cannot access the drive. Trying to mount the volume using truecrypt itself does not work either.

Can you please help me, I did not have anything useful on the drive so data recovery is not my concern, all I want is to recover the space on my drive.

Look forward to hearing from you,
Thanks,
Dév

Posted by: Dev Sahani at May 13, 2007 12:32 PM

Using the disk manager you'll probably have to create a new empty partition,
and then format it.

Leo
Posted by: Leo A. Notenboom at May 13, 2007 9:14 PM

You can recover your password protected zip file, or a corrupted zip file with Stellar Phoenix Zip Recovery.
http://www.stellarinfo.com/zip-recovery.htm

Best of luck...

Posted by: piyush at August 20, 2007 9:44 PM

I know the name of best data recovery company and that is http://www.stellarinfo.com

Posted by: Vineet Kumar at April 1, 2009 5:12 AM

Stellar Phoenix Zip Recovery CANNOT recover any passwords. It can repair corrupted passworded files to a specific ZIP version as long as you know what the password is. It's not a password cracking tool at all.

Posted by: Dedobe1 at May 14, 2009 6:37 PM
