Complete guide

📦 Recover forgotten ZIP password · 2026

Q: How many combinations can my PC test?

An RTX 3090 does ~140M/sec on ZipCrypto, ~700k/sec on AES-256. CPU-only is 10,000x slower — don't try serious brute force without GPU.

Q: Is there a service that guarantees recovery?

No. Anyone GUARANTEEING recovery is lying. Probability depends 100% on password complexity + how much info you have. We offer free diagnostic to evaluate real viability.

Q: Is this legal?

Only if the file is YOURS. Recovering your own files is 100% legal. Recovering others' files without authorization constitutes a crime in most countries (US: CFAA, EU: GDPR-related).

Q: How much is professional service?

USD 35 diagnostic (we tell you real chances). USD 2,000 deep AI Scan (includes ML analysis + intensive GPU cluster). Success fee 30-40% only if we recover.

Q: How long does it take?

ZipCrypto + predictable passwords: minutes to hours. AES-256 + complex passwords: days to weeks. We give honest estimate after diagnostic.

You have a 2017 ZIP file with backups, photos, source code or legal documents and forgot the password. This technical guide explains the 3 approaches that actually work in 2026 (hashcat with wordlists, mask attacks, and professional service with GPU cluster), with realistic time and success rate expectations based on the file's encryption type.

⚡ Complex case? Professional service /wallet-recovery/ · USD 35 diagnostic, success fee only if we recover.

ZipCrypto vs AES-256: which type you have

There are two encryption formats in ZIP files. The first is ZipCrypto (legacy from Win-Zip 1989), insecure and vulnerable to dictionary attacks. The second is AES-256 (introduced by Win-Zip 9.0, year 2003), comparable in security to Bitcoin Core's wallet.dat.

To identify it: open the ZIP with 7-Zip, right-click → Properties → Info. If it says ZipCrypto, your situation is good. If it says AES-256, it depends on how complex the password was.

Windows Explorer native ZIPs are always ZipCrypto. WinRAR, 7-Zip and professional software can be either.

Hashcat with wordlist (best approach for ZipCrypto)

If your ZIP is ZipCrypto, Hashcat with a decent wordlist is very effective. RockYou (14M passwords leaked from 2009) is the standard.

zip2john your_file.zip > hash.txt

hashcat -m 17200 hash.txt rockyou.txt

On an RTX 3090 hashcat does ~140 million attempts/sec on ZipCrypto. Full RockYou processes in <2 minutes. If the password was in RockYou, you almost certainly recover it.

For passwords not in RockYou but predictable (family names + birth year, etc.), generate custom wordlist with crunch or cewl. Example: partner's name + 4 digits = 100k variants in 1 minute.

Mask attacks (when you remember partial pattern)

If you remember part of the password, mask attack is much faster than blind brute force. Example: you know it was 8 chars, started with your name John, ended with a number.

hashcat -m 17200 -a 3 hash.txt John?d?d?d?d

?d = digit 0-9. That tries 10,000 combinations (John0000 to John9999) in milliseconds.

Useful masks:

?l: lowercase a-z (26)
?u: uppercase A-Z (26)
?d: digit 0-9 (10)
?s: symbol !@#$ (33)
?a: any printable ASCII (95)

AES-256: when viable and when not

ZIP with AES-256 is exponentially harder. Key derivation uses PBKDF2 with 1000 iterations, making each attempt ~200x slower than ZipCrypto.

An RTX 3090 does ~700,000 attempts/sec on ZIP AES-256. If the password is:

8 chars random ASCII: 4 million years
12 chars predictable (word+year+symbol): 1-7 days
Known pattern + 4 unknown chars: minutes

The difference is huge. For AES-256, remembering AT LEAST length + char type makes the difference between weeks and centuries.

Professional service: when worth it

If ZIP files are worth more than USD 200 and you barely remember the password, a professional service is worth it. Examples: ZIP with commercial project source code, old wallet.dat backups, notarized legal documents.

Our 5×RTX 3090 GPU cluster processes up to 700M attempts/sec on ZipCrypto and 14M attempts/sec on AES-256. Plus, we have curated wordlists for LATAM cases (AR/MX/ES names + surnames, DD/MM/YYYY date formats, Spanish slang) that drastically reduce keyspace.

We charge USD 35 diagnostic (we tell you real chances before you commit) + 30-40% success fee only if we recover.

Frequently asked questions

How many combinations can my PC test?

An RTX 3090 does ~140M/sec on ZipCrypto, ~700k/sec on AES-256. CPU-only is 10,000x slower — don't try serious brute force without GPU.

Is there a service that guarantees recovery?

No. Anyone GUARANTEEING recovery is lying. Probability depends 100% on password complexity + how much info you have. We offer free diagnostic to evaluate real viability.

Is this legal?

Only if the file is YOURS. Recovering your own files is 100% legal. Recovering others' files without authorization constitutes a crime in most countries (US: CFAA, EU: GDPR-related).

How much is professional service?

USD 35 diagnostic (we tell you real chances). USD 2,000 deep AI Scan (includes ML analysis + intensive GPU cluster). Success fee 30-40% only if we recover.

How long does it take?

ZipCrypto + predictable passwords: minutes to hours. AES-256 + complex passwords: days to weeks. We give honest estimate after diagnostic.

Complex case? We can help

5×RTX 3090 GPU cluster + ML engineer. USD 35 diagnostic, USD 2000 AI Scan, success fee 30-40% only if we recover.

🔐 Wallet Recovery →