The other day I found myself confronted with a spreadsheet I created
using a rather popular closed-source spreadsheet computer program. I
had locked it with a password. And then forgot that password.
Ack.
A quick search around the interwebz teaches us that many people like
to profit from our misery and deliver brute-forcing attacks to crack a
forgotten password. I found one that promised a free download and got
presented a tool that would attempt up to 3 characters. For more
characters, one had to pay.
I am a computer software engineer. I think I'm capable of programming
such an application and not pay someone else for my skill.
What do we need? First: the ability to open the spreadsheet with a
random password and catch the error if we pass the wrong one. Luckily
this spreadsheet has a programming language built-in that can do
exactly that.
Second: the ability to keep on attempting variations of passwords
without the document getting scrambled beyond repair. Now any
self-respecting built-in document security system would keep track of
how many attempts one failed and either refuse access for some time,
or just obliterate the document. But not this particular spreadsheet
making program: it happily continues to try and open the document.
Third: a computer that can plot away at this task without getting
interrupted by system updates or power schedulers that turn off the
power after 30 minutes of interaction absence. And this computer I'm
using is operated by the system built by the same company that made
the spreadsheet program. So a few hours later I have all its update
and power management abilities turned off. Really. Hours. This should
be easier.
Fourth: a way to iterate over password attempts and make sure we try
each variation possible within common ascii for a password length
between 12 and 32 characters. Because I tend to use pass phrases
rather than words, there's bound to be spaces and commas.
So how much time is this going to take?
Well, let's see. This spreadsheet language runner is pretty slow. And
for 12 password characters the amount of possibilities within common
ascii equals 37,133,262,473,195,501,387,776. That's 37 thousand
million million possibilities. And that's for the smallest expected
length. You can do the math for the 32 character length.
Even if this language is able to process 4 passwords a second (and
that's pushing it), testing the full range of 12 characters is going
to take 300 billion years.
