Lost Password Recovery Kit v7.3

Reviewed by: Howard Carson, November 2005
Published by: Passware
Requires: Windows 95 or later, Office 95 or later and any recent version of other programs accessible to LPRK
MSRP: US$355.00 (Enterprise and multi-user licenses available)

If I never see another password again, it won't be too soon. I mean, why can't we all just be nice to each other and not steal? Why can't everybody just leave everybody else's stuff alone? I wish I had just one password. I am an idiot for thinking about this. If I express this sort of thing in mixed company, everyone will think I'm a complete goof. So security concerns make us do all sorts of things these days, including eliminating the word "trust" from our vocabularies in order to better address the harsh realities we deal with in business. That is to say people steal, ergo, files need to be protected. You produce valuable work ensconced in Word, Excel, WordPerfect, etc., etc., etc., and if it's left unprotected, the wrong people may find and use it for their own purposes. That's bad. The problem is, the words "password protected" do not automatically mean "password remembered".

Passware has been around since 1998, producing password recovery software. The company deals mainly with Help Desk personnel, law enforcement, forensic agencies, IT professionals, network administrators and a wide range of non-business software consumers. The Lost Password Recovery Kit (LPRK) is a comprehensive set of keys (document modules) each of which is designed to analyze password protected files from over 80 widely used (and a few not-so-widely used) productivity programs. Each key/module is designed specifically to analyze and recover passwords from documents generated by a particular program. Load the Word Key to recover a Password from any Microsoft Word document; load the 1-2-3 Key to recover a password from any Lotus 1-2-3 file, and so on.

Installing and using LPRK is very simple. The installation itself is benign—no background processes, no system problems. The main reason is that LPRK doesn't do anything until you actual launch the software and feed it a file from which a password has to be recovered. Can't open a password protected Excel document because you fired the person who created it (and he didn't leave you a Post-It with the password)? No problem. Launch the LPRK Excel Key, point it to the offending Excel file and let the software perform its magic.

In most situations, LPRK will recover the password in a few seconds or minutes. Mind you, long and overly complex random passwords may keep LPRK churning away for very long periods of time—days in some cases—so smart IT people (or anyone who is using LPRK) may be wise to reduce the process priority of the software if the machine on which LPRK is running has to be used for other work. Note also that documents locked with passwords that have been heavily encrypted will stump the chump. Aside from that caveat, if there's an LPRK key for your particular document, the password will likely be recovered.

I tried 60 different password protected documents in LPRK. The passwords ranged in complexity from simple (polly) to complex (Raid34Tx). LPRK took an average of 45 seconds to recover each password. The simplest ones were recovered in less than 5 seconds. While there are never any absolute guarantees with this sort of software, I could not stump the program.

Smart enterprise IT managers, smart home-office and small business owners should recognize that the LPRK search routine is highly customizable. So if you design and impose a password system in your business using a specific formatting (e.g., capital, lowercase, number, number, number, number), adjusting the LPRK search formatting accordingly thereafter will help recover lost passwords quite easily. Ensuring that all staff are trained to use a particular password formatting can often make the password easier (read: faster) for LPRK to recover. Limiting LPRK's work to six letters/digits in such a situation, for example, makes password recovery a breeze, while still preserving sufficient complexity to prevent plain language or other guess-able passwords from being used. While there are always going to be people who have trouble either counting to six or following this kind of rule, I think that enforcing password rules for your business is usually a good idea.

One of the documents we tried with LPRK belonged to a friend of mine. It was a Microsoft Word 2003 file which contained a regularly updated list of all his usernames and passwords, bank access codes, PINs, and so on. LPRK recovered the password in just under 7 seconds. Anyone with a nefarious streak could have used the information in that Word document to clean out the man's bank accounts and credit card cash balances. The message here is that there are proper password vault utilities available out there for just a few dollars. Using a password protected Word document to store highly sensitive access information is completely wrong and you will be sorry. LPRK is not the devil in such a situation. It's the responsibility of any person who uses poor or inappropriate security to shoulder the burden of any losses. Buy a password vault utility. Use it.

Cons: The user interface is average to fair, so for this kind of money I could hope for something less 1989-ish and more 2005-ish. Okay—the software works exceedingly well, but a more inviting UI couldn't hurt. It's not Passware's fault (as a matter of fact, it's actually the foundation of Passware's existence), but would someone please remind everyone that passwords are meant to be REMEMBERED. There are about 30 different secure password storage utilities available right now, all of which will take care of all the remembering for you. All you have to do then is REMEMBER to use the storage software! Ah well, if everybody remembered or securely stored their passwords, Passware would have nothing to do.

Pros: Delightful. It works exceedingly well and I could not stump the thing although one password which turned out to be "Z23go2WR9m" took over 5 hours to recover. For typical or intuitive or plain language passwords, recovery usually takes as little as a few seconds. I had planned to upgrade my old Passware Kit v5.3, but the Passware people sent Lost Password Recovery Kit v7 for review and I have now resurrected half a dozen documents which had been sitting around for ages (in one case, over a year). Thank you Passware. As Microsoft, Novell, Corel and dozens of other major software makers design increasingly more secure document formats, the awareness among software and PC users of the correspondingly increasing need for greater personal and business information security is becoming acute. With increased use of complex passwords (or indeed any increased use of any kind of passwords) comes greater chances for password loss or amnesia. The Lost Password Recovery Kit is priced for businesses that are serious about data security and which demand that company documents be written and stored securely. Passware offers an annual subscription plan which provides regular updates as document security structures change. Very good product. Recommended.