Password recovery - 3 attack avenues?
#1
First of all, I apologise for asking for help on something like this.
Let's just say I am no IT guru!

Here's the beef:

I have used the same 14-character passphrase on a GPG private key, a Veracrypt file container and pCloud crypto cloud storage.

I cannot export the GPG private key without the passphrase.

I recall that the password consists of all small alphabetical characters (a-z) and ends with the numbers 2015.
It is also very likely that it starts with an 'a' and there are no spaces or special characters.

So basically there are 9 a-z characters that are the unknown variables in the middle.

Obviously, I cannot for the life of me remember what those are.

I would assume that for someone with the requisite knowledge it would be relatively straightforward to:

1) Come up with an appropriate word list that covers the above variables,
2) Work out which of the above three options would be the best/easiest to brute force using that word list, and
3) Run hashcat with those parameters.

I use Arch Linux on all my computers so I'm not totally ignorant, but this is certainly above my head. I can live without the PGP key (easy enough to make a new one) but the Veracrypt and pCloud have some documents that I would very much like to recover.

Because it's documents only, the Veracrypt file container is just 3 MB in size - although I'm not sure if this makes any difference to getting into it.

I would be grateful for any suggestions, thank you.
#2
The size of the data being cracked does not generally change the difficulty of cracking the passphrase. It doesn't look like pCloud is something that hashcat can crack, so it's down to either Veracrypt or GPG. The easiest way to see which one would be quicker is to try a crack on each -- hashcat will tell you which one will finish quicker for a given candidate list. Based on your description, the mask you want is probably `a?l?l?l?l?l?l?l?l?l2015`.
#3
Cracking ten random characters on veracrypt is not going to complete within your lifespan. GPG and pCloud are not supported. GPG would probably be faster to crack than veracrypt (only a guess) but still unlikely to complete in a reasonable time at ten characters.
#4
36TB for a wordlist made of just 9 lower case alpha characters @ 1.5K GBP (to buy the storage capacity)
*no duplicate letters in the wordlist
#5
... and that is why you don't pre-generate brute-force datasets.
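Added example (not part of the thread and not written by any poster): a small Python calculator for the mask quoted in post #2, giving the candidate count, the disk space a pre-generated list would need if every full 14-character candidate were stored on its own line, and the time to exhaust the keyspace. The guess rates are assumed placeholders, not benchmarks of any hash mode, and custom charsets (`?1`-`?4`) are deliberately rejected rather than handled.

```python
import math

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}


def parse_mask(mask):
    """Return one entry per password position: how many candidates it allows."""
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)              # literal character: exactly one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            sizes.append(1)              # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[token])
        else:
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return sizes


def keyspace(mask):
    return math.prod(parse_mask(mask))


def wordlist_bytes(mask):
    """Bytes to store every candidate as its own newline-terminated line."""
    return keyspace(mask) * (len(parse_mask(mask)) + 1)


def years_to_exhaust(mask, guesses_per_second):
    return keyspace(mask) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    mask = "a?l?l?l?l?l?l?l?l?l2015"     # mask quoted in post #2
    print("positions:", len(parse_mask(mask)))
    print("keyspace :", keyspace(mask))
    print("wordlist :", round(wordlist_bytes(mask) / 1e12, 1), "TB")
    for rate in (1e3, 1e6, 1e9):         # assumed rates, not benchmarks
        print(f"{rate:.0e} guesses/s -> {years_to_exhaust(mask, rate):.3g} years")
```

The same function doubles as a passphrase-strength check: each additional `?l` position multiplies the keyspace by 26, while the known prefix and suffix contribute nothing.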