sunriise: app.CheckPasswords to attempt to open password-protected file using candidate from a wordlist

  • General discussion

  • If you forgot your *.mny password but have a list of "candidates", they can be quickly checked using sunriise's app.CheckPasswords:

      . See: http://sourceforge.net/projects/sunriise/forums/forum/1386861/topic/4621124

      . Sourceforge project: http://sourceforge.net/projects/sunriise/

     

    Sunday, July 24, 2011 11:42 PM

All replies

  • Do you think that you could use app.CheckPasswords to check passwords with only the first xxx bytes of the *.mny file? The thinking is that you could have somebody figure the password without giving up the data from the file.
    Tuesday, September 13, 2011 1:35 AM
    Moderator
  • I looked into it. Can't do partial matches.
    Wednesday, September 14, 2011 6:00 PM
  • Sorry, I misread this the first time. I will check again. I believe only the first couple of pages (each is 1024 size, I believe) are needed. I will check and confirm later today.

     

    Thursday, November 17, 2011 9:09 PM
  • Need more testing (data files from versions other than sunset), but it looks like only the first "page" (size 4096) is needed for this purpose. New codes/build will have to be added/created.

    • Edited by hleOfxQuotes Saturday, November 19, 2011 3:23 PM
    Saturday, November 19, 2011 3:22 PM
  • Thanks. Does this system work for a Live ID, or is it limited to conventional passwords? I have a feeling that sunriise's app.CheckPasswords may only do conventional passwords.

    Many of those who find themselves locked out of their files having lost their login credentials are using the Live ID, which consists of an email address and a password.

    I don't even have a file with a Live ID on it for testing, and I can't create one now; the servers are gone.

     

     

    Saturday, November 19, 2011 3:55 PM
    Moderator
  • Cool. This would allow somebody to work on recovering the password without passing that person a copy of the actual Money file. A utility to trim off the first 4K of the file would be easy. Even a process using the DOS debug utility could be used to create a 4K file that was a copy of the first 4K of a Money file. It seems unlikely that much personal information would be in the first 4K.

     


    Saturday, November 19, 2011 4:02 PM
    Moderator
  • Don't know about LiveId. I have never used LiveId. So far I've only tested the "password manager" password.

    From what I've read so far from this newsgroup posting, it sounds as if there is an "offline" mode that allows the user to open a *.mny file when offline, right? If that is the case, that means

    • there is a cached copy of a password/key that was retrieved previously from a successful LiveId authentication.
    • OR the password/key is just a transformation of the user@hotmail.com, password combination: as simple as concatenation emailpassword.

    Different way to say this:

    • For a protected *.mny file, you need a key to decrypt the data
    • For simple password, the key is the password (I am simplifying but the concept is the same)
    • For LiveId, the key could be one that was retrieved from LiveId successful authentication, or could be a combination of the email+password (something that can be computed offline, given that offline mode is allowed).

     

     
    Saturday, November 19, 2011 6:16 PM
  • So Sunriise is not set up for the LiveID. I think most of those locked out are using the LiveID. :-(

     

    One other difference: the conventional password is not case sensitive. People report the LiveID password that they use to sign in offline is case-sensitive. I suspect that the key is a hash of the email address and the password. However I think the servers were necessary to initially establish a file with the Live ID, so there may be some saved info from the server, similar to salt, added in.

     

    Here is a writeup on the LiveID methodology: http://social.msdn.microsoft.com/Forums/en-US/wliddev/thread/b19f2d36-3b2a-49c3-9c23-e10a88ad862b

    Saturday, November 19, 2011 6:40 PM
    Moderator
  • From this: http://www.elcomsoft.com/help/aopr/money2002.htm, for LiveID mode, the LiveID password is the one used to encrypt/decrypt the database. So for the purpose of verifying the password, it appears that the email does not matter. If someone still has a *.mny file with LiveID, it will be interesting to test:

    • email: introduce a typo
    • password: no change
    • mode: offline

    and see if it can still open that *.mny in offline mode.

     

    Tuesday, November 22, 2011 4:50 PM
  • This tool is created to help with all the poor souls who have forgotten their password and got nowhere else to turn. The tool is not completed because it needs a good set of dictionaries to be useful. Also, if your password is long (8+ characters with numbers and non-alphabets), time might not be on your side (though the fact that *.mny password is case-insensitive might help a bit).

    New version that will need only the header page (first 4096 bytes) from a *.mny file.

    See: https://sourceforge.net/projects/sunriise/forums/forum/1386861/topic/4621124/

    Look for posting dated "2011-11-24 12:43:41 PST"

    I don't have LiveID, so I cannot 100% confirm that but I believe

      . The LiveID's password is used to encrypt/decrypt the database, so from the point of view of this tool, the LiveID's password is the same as the "conventional" password: to get a yes/no if a given password can decrypt a given *.mny file.

      . As such, both types of password are NOT case sensitive. So you can use *just* upper or lower case to construct your dictionary.

     

     

     


    • Edited by hleOfxQuotes Thursday, November 24, 2011 9:03 PM
    Thursday, November 24, 2011 9:02 PM
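
The header-only workflow discussed in this thread (hand over just the first 4096-byte page instead of the whole Money file) can be scripted as below. This is an added example, not part of sunriise or of any post above; the function names are hypothetical, and the 4096-byte page size is the figure reported in the thread, which the poster says still needs testing on other file versions.

```python
import hashlib
import os

PAGE_SIZE = 4096  # header page size reported in the thread (assumption for other versions)


def extract_header_page(src_path, dst_path, page_size=PAGE_SIZE):
    """Copy only the first page of src_path into a new file dst_path.

    Returns the SHA-256 hex digest of the copied bytes, so the owner and the
    helper can confirm they are looking at the same header.
    """
    with open(src_path, "rb") as src:
        header = src.read(page_size)
    if len(header) < page_size:
        raise ValueError(f"{src_path} is shorter than one {page_size}-byte page")
    # O_EXCL: never overwrite an existing file; 0o600: owner-only permissions.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(dst_path, flags, 0o600)
    with os.fdopen(fd, "wb") as dst:
        dst.write(header)
    return hashlib.sha256(header).hexdigest()


def is_header_only_copy(src_path, dst_path, page_size=PAGE_SIZE):
    """True if dst_path is exactly the first page of src_path and nothing more."""
    if os.path.getsize(dst_path) != page_size:
        return False
    with open(src_path, "rb") as src, open(dst_path, "rb") as dst:
        return src.read(page_size) == dst.read()


if __name__ == "__main__":
    import sys
    # Usage: python extract_header.py <file.mny> <header-only output file>
    digest = extract_header_page(sys.argv[1], sys.argv[2])
    assert is_header_only_copy(sys.argv[1], sys.argv[2])
    print("header page written, sha256:", digest)
```

Run `is_header_only_copy` before sending the output file: it confirms that nothing beyond the first page left the original.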