A lot of people want to know how long it will take the Find Password App to recover their lost router or security camera password. This depends on a lot of things, such as how fast your router is at handling HTTP requests, how complicated the HTML that comes back from your router is, and how long you think the password you forgot is.
The Find Password App simply tries a lot of passwords one right after the other, so it should be pretty fast, right? Yes and no. It's as fast as your computer can be, which is really, really fast. But it's also as slow as your router, which it turns out is pretty darn slow. Modern routers are not optimized for vending out web pages for you to log in to, and Find Password relies on those web pages to find your password.
It turns out that most routers can vend a web page and handle a password attempt in somewhere between 2 and 6 seconds per password attempt.
For these estimates we used a modern NetGear router that is average in difficulty to work with. We used the Find Password App to probe the router and the Advanced Password Generator to generate lists of passwords.
The router had an average login attempt time of 4 seconds. Some routers are 2 seconds, some routers are 6 seconds, so consider these results to be middle of the road. In addition, these are times to try all passwords. On average you should find your password in half this time.
Also, for all of these tests we used a single username, admin, which is by far the most common, and we also included all known router passwords, security camera passwords, and the top 1,000 passwords from popular internet leaks. This should cover 92% of all routers out there.
| Length of Password | Passwords Generated | Time to Guess with 92% Accuracy |
|---|---|---|
| 8 Characters | 3,072 | 5 hours |
| 9 Characters | 12,288 | 15 hours |
| 10 Characters | 49,152 | 2.5 days |
| 11 Characters | 196,608 | 9 days |
| 12 Characters | 786,432 | 37 days |
You can speed this process up considerably by turning off any options that do not apply to your particular password habits. One of the easiest and most effective ways of doing this is turning off "lower to upper case conversion".
Why Does It Take So Long
By far the most time-consuming part of this process is the 4 seconds per attempt. Wouldn't it be great if we could make our guesses faster? What if we could guess a password every 100 ms, or 10 times a second?
We can't. I'll tell you why. It's because routers are not programmed that well.
Not all routers are this difficult, but a lot of them are. And since Find Password is meant to run on all routers, it has to be designed to handle the easy routers and the hard ones. The real problem is that there is no way to know if you are dealing with an easy router or a hard one, so you have to treat all routers like hard ones. That's just not optimal.
How To Handle Difficult Routers
Now that we've got it out of the way that we have to treat all routers as if they are difficult, how exactly do we treat a difficult router? The biggest problem to solve is knowing:
- When a page has fully loaded
- When we are actually logged in
Neither of these is an easy problem to solve.
When A Page Has Fully Loaded
The web browser can tell us when it thinks a page is done loading, and it's frequently correct, but it's definitely not 100% correct. If a page loads, and then 1 second later an AJAX call finishes and changes that page, how do you know? You really don't know. The only way we've found to solve this problem is to wait until the web browser tells us that the page is done loading, then wait some more. How much longer you wait is configurable. In our tests of hundreds of routers we've found that 2 seconds seems to work on just about all routers.
Another problem is routers with frames. It's not always obvious when a router's frames have all finished loading. Take for example this Netgear router:
See how the frames come in slowly? They actually come in randomly and differently every time. The same is true for AJAX calls that modify pages. You simply can't predict how the router will behave.
We could wait less time on some routers for sure, but we don't know if we are running on one of those routers or not. A future upgrade to Find Password is going to adjust that 2 seconds down automatically if we find that pages are consistently complete before that window is over. This might cut the password guessing time in half for some users with fast or simple routers.
When We Are Actually Logged In
As we are submitting passwords and attempting to get logged in we need to have some sort of trigger to tell us that we maybe, possibly have found a working password. To do this we use a modified version of the Levenshtein distance between a set of known bad results and the result that we just got back from the router.
If the distance is great enough then we trigger a popup for the end user asking if we managed to log in. This popup times out after 1 minute and the process resumes so that you can let it run for days. You can always go back and review the potential passwords found later.
The goal is to make this work on most routers without the end user having to specify their router from a drop down list, and to have a very high quality of results with as few false positives as possible. In order to accomplish this goal you have to go with the most conservative component in the system, which is the router's slow speed. By being forgiving of the router you can increase your odds of being correct in your password guess.
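An added example (not Find Password's own code) of the comparison described above: a new response is scored by its smallest edit distance to a set of known failed-login pages, so small per-request differences such as a changing form token do not trigger a prompt. The page does not say how Find Password modifies Levenshtein, so this uses the plain distance normalized by length; the sample pages, function names, and 0.3 threshold are assumptions.

```python
def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, computed with two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def normalized_distance(a: str, b: str) -> float:
    """Edit distance scaled to 0..1 by the longer page's length."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0

def distance_from_known_bad(response: str, known_bad: list) -> float:
    """How far the response is from the closest known failure page."""
    return min(normalized_distance(response, bad) for bad in known_bad)

def should_prompt_user(response: str, known_bad: list,
                       threshold: float = 0.3) -> bool:
    """True when the page differs enough to ask 'did we log in?'.
    The 0.3 threshold is an assumed value, not Find Password's."""
    return distance_from_known_bad(response, known_bad) >= threshold

# Constructed sample pages (hypothetical router HTML, not captured traffic).
FAIL = ('<html><body><h1>Router Login</h1><p class="err">Invalid password</p>'
        '<input name="token" value="{}"></body></html>')
KNOWN_BAD = [FAIL.format("a81f"), FAIL.format("77c2")]
NEW_FAILURE = FAIL.format("e09d")   # same failure page, new token
STATUS_PAGE = ('<html><body><h1>Router Status</h1><table>'
               '<tr><td>WAN IP</td><td>192.0.2.10</td></tr>'
               '<tr><td>Uptime</td><td>3 days</td></tr></table></body></html>')

if __name__ == "__main__":
    for name, page in (("new failure", NEW_FAILURE), ("status", STATUS_PAGE)):
        score = distance_from_known_bad(page, KNOWN_BAD)
        print(f"{name}: {score:.3f} prompt={should_prompt_user(page, KNOWN_BAD)}")
```

An exact string comparison would flag every failed attempt here because the token changes on each response; the distance threshold is what keeps the false positives down.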
How to Recover Your Password Faster
Of course we can go faster at the risk of missing the valid password and cut that 37 day run down to a 15 day run. But it would probably be better to be more accurate at suggesting which types of passwords to try. If you know for a fact that you didn't use an uppercase letter in your router's password then you can turn off the lower to upper case conversion.
Just turning off lower to upper case makes a 12 character password guess drop from more than 700k passwords to just 4k passwords, and the run time from 37 days to just 1 day.
Alternatively, if you have not used any special character substitutions, such as @ for an a, then you can turn that feature off and realize the same sort of savings.
Find Password is just one of many tools in the Network Utilities suite of applications by Portforward. Some of the tools are free and some of them are not. Find Password is one of the tools that you have to pay for, along with Router Login and PfConfig, an application for setting up port forwards in your router.
Finding a router's password once it's been lost is a huge task. Here are some more resources that may help.