Forgot Keystore password, thinking of Brute-Force detection. will it corrupt the keystore?

Aman Alam picture Aman Alam · May 27, 2011 · Viewed 49.2k times · Source

I recently realized that I have lost the password to my keystore (or perhaps the keystore got corrupted somehow)

It keeps giving me the error: Keystore tampered or password incorrect

I created an (quite unoptimized) algorithm to Brute-Force the password by letting it run all the night. However, I am not sure how many unsuccessful password attempts will lock the keystore down.

Does anyone know anything like this?

UPDATE
The algorithm I devised works okay (I am using Java), but I realized that normally, the Keystore tool asks for the password only when I press enter. but to get the brute-force to work, I would want it to have a switch and accept password in the same line. is it possible?

Answer

Ammar picture Ammar · Apr 25, 2013

Sharing my experience after trying everything available.

1- Smart word list attack from android-keystore-password-recover is what eventually worked for me after spending a day trying different lists. Unfortunately, it does not support multithreading and I couldn't get it to run faster than 30,000 trials/second. I might contribute multithreading support to project soon.

2- KeystoreBrute was the best for brute-force attack at 320,000 trials/second. However, if you do the numbers, it will take 3.5 days for 6 characters long password and 177 days for 7 characters long.

3- If you only need to crack the keystore password, but not the certificate password (also referred to as the alias password), this tool will just changes it for you.

Good luck!