Archive Password Recovery

Browser-based password recovery for ZIP (ZipCrypto / AES-128/192/256) and 7-Zip (AES-256) archives. Dictionary, mask, and brute-force attacks run on your own machine with Web Worker parallelism. For your own files, CTF challenges, and educational use only.

Updated May 23, 2026
How to Use
  1. Drop the archive whose password you forgot.
  2. Pick an attack: dictionary (try a wordlist), mask (try a pattern like Pass####), or brute force (try every combination in a range).
  3. Hit Start. The tool spawns workers (one per CPU core) and runs entirely in your browser.
  4. Stop anytime — partial progress is preserved if you re-run with the same archive + wordlist.
Recovery
Drop password-protected ZIP or 7-Zip archive
Detects encryption type (ZipCrypto, AES-128/192/256, 7z AES-256). Recovery runs entirely in your browser.
Built-in lists
The built-in lists are tiny — for large wordlists (rockyou, etc.) paste or upload below.
Or paste a wordlist (one password per line)
Or upload a wordlist file
Plain text (UTF-8), one per line. Large lists are streamed — no upper limit.
Mask pattern
?l = a-z   ?u = A-Z   ?d = 0-9   ?s = !@#$%^&*-_+=()[]{}.,?/   ?a = all printable   anything else is a literal character.
Brute force grows exponentially. For modern AES, anything past 6-7 characters with mixed charset will take longer than the heat death of your patience. Use dictionary or mask attacks first.
Charset
Min length
Max length

How it works

ZipCrypto
Legacy stream cipher with three 32-bit keys; ~50k–200k passwords/sec/core in pure JS. Verifies via CRC byte + decompression sanity check.
ZIP AES (AE-2)
PBKDF2-HMAC-SHA1 with 1,000 iterations; ~500–5,000 pw/s/core via Web Crypto. Verifies via 2-byte password-verifier in the encryption header.
7-Zip AES-256
SHA-256 key derivation with 2^n rounds (default 2^19 = 524,288). ~10–500 pw/s. Verifies by decrypting + parsing the header.
Workers
Candidate stream is split across N Web Workers — one per CPU core. Total speed scales nearly linearly.
Dictionary
Each password from a wordlist is tried verbatim, plus optional mutations (capitalize, suffix digits, common leetspeak).
Mask
Hashcat-style placeholders: ?l a-z, ?u A-Z, ?d 0-9, ?s symbols, ?a all printable.
Brute force
Every combination from a chosen charset across a length range, searched linearly through the keyspace.
In-browser only
Zero network traffic during cracking. The archive, wordlist, and every candidate stay on your device.
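
The candidate counts and speeds above translate directly into worst-case recovery times, which is also a quick way to judge how well a given password pattern holds up. The following JavaScript is an added example, not the tool's own code; it assumes ?a means the 95 printable ASCII characters, uses the upper end of the per-core rates quoted above, and takes 8 workers as a constructed sample value.

```javascript
// Added example: keyspace and worst-case time for the masks this page describes.
const SYMBOLS = "!@#$%^&*-_+=()[]{}.,?/"; // the page's ?s set
// Placeholder sizes; ?a = 95 printable ASCII characters is an assumption.
const CLASS_SIZE = new Map([["l", 26n], ["u", 26n], ["d", 10n],
                            ["s", BigInt(SYMBOLS.length)], ["a", 95n]]);
// Upper end of the per-core rates quoted on the page (passwords per second).
const PAGE_RATES = { "ZipCrypto": 200000, "ZIP AES": 5000, "7-Zip AES-256": 500 };
const CORES = 8; // constructed sample value: one worker per core

// Candidates a mask expands to. Anything that is not a known placeholder
// is a literal and contributes a factor of 1.
function maskKeyspace(mask) {
  let total = 1n;
  for (let i = 0; i < mask.length; i++) {
    if (mask[i] === "?" && CLASS_SIZE.has(mask[i + 1])) {
      total *= CLASS_SIZE.get(mask[i + 1]);
      i++; // skip the class letter
    }
  }
  return total;
}

// Brute force: sum of charsetSize^n over every length in the range.
function bruteKeyspace(charsetSize, minLen, maxLen) {
  let total = 0n;
  for (let n = minLen; n <= maxLen; n++) total += BigInt(charsetSize) ** BigInt(n);
  return total;
}

// Worst case: every candidate is tried before the last one matches.
function secondsToExhaust(keyspace, ratePerCore, cores = 1) {
  return Number(keyspace) / (ratePerCore * cores);
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Constructed sample masks: a remembered prefix, a typical pattern, 12 random chars.
for (const mask of ["Picture?d?d?d?d", "?u?l?l?l?l?l?d?d", "?a".repeat(12)]) {
  const n = maskKeyspace(mask);
  for (const [format, rate] of Object.entries(PAGE_RATES)) {
    console.log(`${mask}  ${n} candidates  ${format}: ${humanize(secondsToExhaust(n, rate, CORES))}`);
  }
}
```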

Ethical use

Use this tool on archives you own or are explicitly authorized to access — forgotten personal backups, CTF challenges, security education, or pentesting engagements. Cracking files without authorization is illegal in most jurisdictions.

Frequently Asked Questions

Is this legal?

Recovering your own forgotten passwords is legal everywhere I know of. Cracking archives you do not own and have no authorization to access is not. This tool is for your own files, CTF, and security education.

Does anything leave my browser?

No. The archive, every password attempt, the wordlist — all stay in this tab. No network requests are made during cracking.

How fast is it really?

ZipCrypto (legacy): tens of thousands per second per core. ZIP AES: ~500–5,000 per second. 7-Zip AES: ~10–500 per second (it is designed to be slow). Modern strong passwords (12+ random chars) are not crackable here.

Why does the speed vary so much?

Each format uses a different key derivation. ZipCrypto verifies a password in microseconds. ZIP AES requires 1,000 PBKDF2 rounds. The 7-Zip default is 2^19 = 524,288 SHA-256 rounds.

What if I forgot just part of my password?

Use mask mode. If you remember that it starts with "Picture" and ends with 4 digits, the pattern is Picture?d?d?d?d.

My password has Unicode characters

ZIP AES + 7z handle UTF-8 / UTF-16LE passwords. ZipCrypto is byte-stream, so non-ASCII characters depend on the locale used at encryption time.

How do I export progress?

When a password is found it is shown on screen and copied to your clipboard automatically. Save it somewhere safe.

Common Use Cases

Forgot your own password

You set a password on a backup ZIP years ago and now cannot remember it. Try common variants you might have used.

CTF challenge

Capture-the-flag puzzles often hide flags in password-protected archives. Use dictionary or mask attacks.

Inherited archive

You have an old archive from a previous job or family member with no password on file. Authorized recovery.

Security education

See how dramatically encryption strength varies — ZipCrypto falls in seconds, modern AES holds.
