Starting with v2.04, Private Disk has a new feature – password recovery. Its purpose is to give you a chance to access the encrypted files if the password was somehow forgotten. The option is located on the "Recovery" tab of the main window. Switch to that tab, and click "Password", choose the character set and the length of the password, then click "Ok" to open the password recovery window.
How it works
The program performs a so-called "brute-force attack", trying all the possible combinations of characters, until the correct keyword is found. From the mathematical point of view, the program performs an enormous amount of operations, to be exact n^k operations; where n is the length of the character set, and k is the length of the password.
Is there a risk that a third party person will use the password recovery tool to break my password and access all my private data?
The risk is dramatically minimized, provided that you follow our recommendations on choosing a strong password.
OK, but still, anyone who has enough patience can access my files. Doesn't that make the encryption useless?
No, it does not. The complexity of the 256-bit AES encryption algorithm is a good shield against that. Let's study a simple example.
The password is "mypass", it has a length of 6 characters, and it uses 5 distinct letters. If you try to crack your own password, there will be 5^6=15626 options to choose from. By making the password one character longer (adding one of the letters already in use), the figure changes, 5^7=78125. As you can see, a small increment of the input leads to the tremendous growth of the output. Graphically, it looks like this:
From the attacker's point of view, the situation is totally different. The person doesn't know the characters you used, hence they will probably assume that small letters were applied. This means that there will be 26^6=308915776 attempts. If you make the password one character longer, the previous value increases to 8031810176 (adding 7722894400 more operations!)
The diagram emphasizes the difference between the strength of a 6-character and an 8-character password. Needless to say, if both small letters and capitals are used, as well as non-printing characters – the magnitudes become astronomical.
Now let's convert this into time units. On a P4 1.6 GHz with 512 MB of RAM, the time requirements are as follows:
26 characters – the small letters of the English alphabet
63 characters – small letters, caps, digits, space
Note, that the values are halved, in order to reflect the average situation - an attacker may find the password without having to try all the values.
As you can see - the time intervals are far beyond the human potential. Therefore, we conclude that the password can be found in a short time only if the brute-force attack is conducted by the owner of the files - the person who knows which symbols are used, this will effectively cut off a lot of redundant computations.
Another important aspect is that the brute-force attack will only look for passwords of the specified length. In other words, if you set the length to 7 characters, the program will not examine shorter passwords, gradually increasing the length until it equals 7. This significantly reduces the attacker's chance to find the password. The person will have to perform several attacks, and if they are unsuccessful, it is unclear whether the problem was in the length, or in the symbols that were not included in the character set.
This makes it even more complicated. An attacker will have a lot of planning to do before actually telling the computer to perform the attack. On the other hand - it is a quick solution for the authentic owner of the files, since the correct length is known.
Ok then, I understood that a well-chosen password is an efficient security-measure, but how do I know which passwords are good and which are not?
Examine our recommendations on choosing a strong password.
Are there any other things that play an important role, other than the complexity of the password?
Yes. A complex password can be easily spotted if someone watches you while typing it very slow. Therefore you must make sure that there are no people behind your back when you type, and do your best to type fast and correct - so that you will not need more than one attempt to enter the password (this will give "anonymous watchers" a second chance). Another measure is to keep the password in your memory and not on a separate piece of paper in your pocket, or any location other than your head.. You should not mention it to anyone either.
Why did you implement this password recovery feature anyway?
We had a great number of requests in which customers who forgot their passwords desperately wanted to recover their information. If this feature didn't exist - some software developer would certainly create a utility that does the job for money. We decided not to burden our clients with extra-expenses, hence this option is not provided in a separate tool, but it is integrated into the application itself. Its purpose is to help our users solve their problems on their own. Plus you can use it as an audit-instrument (i.e. try to brute-force your own password using an extended character-set, and decide whether the chosen password is good enough or not).