Forgot Keystore password, thinking of Brute-Force detection. will it corrupt the keystore?

Asked 27/5, 2011 at 8:12 Answered 29/9, 2017 at 5:38

I recently realized that I have lost the password to my keystore (or perhaps the keystore got corrupted somehow)

It keeps giving me the error: Keystore tampered or password incorrect

I created an (quite unoptimized) algorithm to Brute-Force the password by letting it run all the night. However, I am not sure how many unsuccessful password attempts will lock the keystore down.

Does anyone know anything like this?

UPDATE
The algorithm I devised works okay (I am using Java), but I realized that normally, the Keystore tool asks for the password only when I press enter. but to get the brute-force to work, I would want it to have a switch and accept password in the same line. is it possible?

Calfskin answered 27/5, 2011 at 8:12 Comment(7)

You obviously aren't the first person with this problem. I don't think brute forcing damages or locks the keystore. See below for a thread on google groups about it. It even has some hints on "good" brutefroce tactics. groups.google.com/group/android-developers/browse_thread/thread/… – Implicate 27/5, 2011 at 8:15

Can't you just copy the keystore? Then even if brute-forcing did break it, you could just put the original back. – Sluggard 27/5, 2011 at 8:49

I already have the copy. I just don't want to be wasting time and processing power if it gets locked after a number of attempts, while I'll be making thousands of unsuccessful attempts – Calfskin 27/5, 2011 at 9:43

You almost set me high :P , I thought this group post had solved it, but later I realized that I already have read it, even went through the JKS code to understand how does it store the password. since it hashes the password, it also didn't help a lot – Calfskin 27/5, 2011 at 9:44

Here is my guided brute forcing script in Python (2.6). You have to have some idea about the password fragments and your password encoding choices. The code is easy to customize in this regard, see the comments. Saved me once. gist.github.com/2143870 – Dasie 21/3, 2012 at 2:41

I ran into this same problem, so I wrote a JAVA based solution given that I usually use some form of the same segments. It helped get me my password back so I could release an update, I called it KeystoreCracker, maybe it will help you too! github.com/jeffers102/KeystoreCracker – Carmina 2/7, 2012 at 23:12

You should try npmjs.com/package/keystore-password-recovery – Belen 24/10, 2019 at 11:14

Sharing my experience after trying everything available.

1- Smart word list attack from android-keystore-password-recover is what eventually worked for me after spending a day trying different lists. Unfortunately, it does not support multithreading and I couldn't get it to run faster than 30,000 trials/second. I might contribute multithreading support to project soon.

2- KeystoreBrute was the best for brute-force attack at 320,000 trials/second. However, if you do the numbers, it will take 3.5 days for 6 characters long password and 177 days for 7 characters long.

3- If you only need to crack the keystore password, but not the certificate password (also referred to as the alias password), this tool will just changes it for you.

Good luck!

Brenda answered 25/4, 2013 at 17:43 Comment(0)

No amount of password attempts will corrupt the key.

I was having this same issue. I solved the problem by creating my own keystore brute force application.

here is a link to the github repository for this code.

https://github.com/volure/keystoreBrute

Anyone on the planet may use this or add to it.

It Works on the basis of Password segments.

My password was like

foo@543Pass

so I added all the possible segments

foo Foo FOO

and so on. Then ran through the items like an odometer.

Its crude code but hard coded to work on up to 5 segments.

My attempt was successful. Hope yours is too.

Scofflaw answered 15/9, 2011 at 23:7 Comment(8)

I've downloaded the stuff. and it seems like it will only run on a windows platform configured for .net; is it true? I also couldn't find any readme file to explain the usage of this smart app. could you please explain. I am currently on mac. – Calfskin 21/9, 2011 at 9:55

I tried your stuff out on a windows machine. Awesome work I must say. Sorry I forgot to explore the bin folder, there's a GUI app there! I'll give it a shot as soon as I reach home. thanks man! :) – Calfskin 21/9, 2011 at 12:18

sometime I will look into expanding the app to macintosh. But I cant make any guarantees with Work and time constraints... the C# app was relatively easy tho. Im glad you were able to get some use out of it :) – Scofflaw 21/9, 2011 at 17:7

it should work in mono however. If you look into putting the mono environment on mac you can open it with the mono command. You may need to change the command line it executes tho as it is expecting the c:\. But it may grab the correct directory. I cant say however since I rarely use .net in mac. – Scofflaw 21/9, 2011 at 17:9

No Problem. Its currently trying to BruteForce on a windows XP machine. I don't know how long its gonna take. plus, I also need to get used to how your algorithm works to be able to provide it with better segments. will it work for more than 5 segments? A very good job I must say buddy. – Calfskin 22/9, 2011 at 6:1

It will. But its hard coded. Look for the section that says int part1 = -1; int part2 = -2; and so on. Those are the indexes of the parts. Right below that is the method that increments them like an odometer. Add more parts.... as many as you like. Just bear in mind. the more parts, the longer it will take. That is why I use 3 or 4 semi word or memorable number segments. All my passwords are like that. This way I can get back to them should I lose them. – Scofflaw 22/9, 2011 at 10:15

what if I really have no idea what password I used, because I used a password generated by a program: it will be some random string of characters, and I don't know the specific length. How would I make segments for that? – Instead 11/2, 2012 at 4:7

that would be more a character by character segment list. – Scofflaw 13/2, 2012 at 20:23

No, brute-forcing will not corrupt the keystore. However, one thing to note, if you are trying to manually guess the password using the Android Studio or Eclipse wizards, even if you enter a wrong password is provided, even just once, it keeps saying on next attempts: "Keystore tampered with or password incorrect", even if you provide the correct password. To get around this, just close and re-open the wizard.

P.S. If the intent behind asking this question is that you have forgotten your keystore password, then you can try the steps mentioned in the Android keystore password recovery guide.

Rese answered 24/7, 2016 at 11:57 Comment(1)

I experienced same issue. Run clean task before the assembleRelease task. – Alby 28/3, 2019 at 1:33

-2

No need to use any keystore-password-recover method it take so many days for recover any some time it's not work so you should replace Your keystore with new keystore no need to remove you app from play store, without removing apk you can update your apk using new keystore file it’s Possible now, After May 2017 you can Update your app if you lost your keystore or keystore password. Don’t lose Hope you can update your app using new Keystore file please refer this http://geekcodehub.com/blog/ new Keystore Certificate update on playstore Hub here i wrote how to update apk if you lost your keystore follow the step and create new keystore , I updated my app using this step. you need to enable google play app signing on play store console

Phone answered 29/9, 2017 at 5:38 Comment(1)

Correct the link please – Calfskin 3/10, 2017 at 15:7

Recommended topics

Hot tags