Advanced Intuit Password Recovery (AINPR)

Advanced Intuit Password Recovery, or simply AINPR, is a program to recover passwords to files created in Intuit Quicken (*.qdt, *.qdb, *.qdf), Quicken Lawyer (Portfolios, *.pfl and *.bfl) and QuickBooks (*.qba, *.qbw). Multilingual passwords are supported. Quicken versions 4 through 2005 and QuickBooks versions 3 through 2005 are supported. Note: for Quicken 2002 and QuickBooks 2003/2004/2005, only short passwords can be recovered, but passwords containing 4 or more characters can be instantly removed. For Quicken 2003/2004/2005, only brute-force and dictionary attacks are available.

Requirements :
· Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003
· about four megabytes of free space on hard disk

Simply select the file you want to recover the password for: press the Open document... button and browse for it. If the given file is corrupted, or used by another application, or passwords are empty – appropriate error message will be displayed. Otherwise, the program automatically recognizes the file type and works accordingly.

For QuickBooks files (*.qba or *.qbw) created in versions of QuickBooks up to 2002 (incl.), password recovery is instant, but for some very large files the program may work a few seconds until the password(s) will be shown. If you have a slow CPU (like Pentium 200) and less than 32 megabytes of memory, the process may take up to a few munites.

Please note that starting from version 6/98, QuickBooks can have multiple "accounts", i.e. pairs of user name and password. AINPR recovers all of them, but may show the "phantom" accounts as well – the ones which don't actually exist (i.e. have been already deleted). Just ignore them. All you actually need is a password of "Admin" user, which is being recovered in any case.

In QuickBooks 2003/2004/2005, protection is much stronger – the passwords are not stored in the data file anymore. First, AINPR tries (using the brute-force approach) to find the short passwords (not longer than 3 characters; containg latin letters, digits and punctuation marks only) – it usually takes a few seconds. Then, for all users that have the rights to open the file, the program shows password information: either the password itself (if it is short), or if the given user has an empty password, or if password contains four or more characters. As already noted, long passwords cannot be recovered, but can be removed: to clear the password of any given user, highlight the user name and press Remove long password button at the bottom of the window. After confirmation, the password for that user will be removed, and the program will create a backup copy (*.bak) of QuickBooks file (you can remove more than one password during the session – multiple backup files will be created (*.bak, *.bak1, *.bak2 etc).

Password for any QuickBooks account can be copied into the Clipboard using Copy password to Clipboard button (and so you can paste that password into QuickBooks by pressing Ctrl-V or Ctrl-Ins).

Please note that the program has been tested on all US versions of QuickBooks, and some Australian, Canadian, German, New Zealand and UK versions. Support for all non-US versions is not guaranteed.

When Quicken file (*.qdi, *.qdb or *.qdf) is opened by AINPR, in most cases, the password returned by the programis not the same as the original one set in Quicken. That's just due to the nature of encryption algorithm used in Quicken, and we cannot do anything with that. However, the password returned by AINPR will work just fine on the given Quicken file. For your convenience, AINPR allows to copy the password (when found) into the Clipboard, and so use Ctrl-V or Ctrl-Ins to paste it into the proper place in Quicken. In addition, it is printed in the HEX form – that might be useful if it contains non-latin letters.

If the given Quicken file has the transaction password set, AINPR will show it as well (it is being encrypted the same way as the file password).

Note: for Quicken 2002 and 2003/2004/2004, the password encryption (and so program functionality) is different – please read next chapters for details.

Please also note that the program has been tested on all US versions of Quicken, German versions 2002 and through 2005, and some Canadian, Australian, New Zealand and Spanish versions. Support for other (non-US) versions is not guaranteed.

In Quicken 2002 (US and Canadian), protection has been seriously improved, and in most cases, password cannot be recovered at all in a reasonable time. For such files, however, AINPR allows to remove the password from the file, so Quicken will open resulting file without any problems.

Transaction password in Quicken 2002, however, is encrypted the same way as in older versions, so AINPR will recover it regardless the existance of file password.

For German, Australian and NewZealand versions of Quicken 2002/2003/2004/2005, protection is similar to one used in Quicken 2001 (US), so password can be still recovered instantly.

In Quicken 2003, 2004 and 2005 (US), protection is even stronger. Most of file's content is encrypted, and in order to decrypt it, valid password is supplied. The password itself is not stored in the Quicken file, even encrypted – instead, only password's hash is available. So in order to get access to the file, the original password must be recovered.

When AINPR opens password-protected file created in Quicken 2003/2004/2005, if offers to run brute-force and dictionary attacks on it – these are the only methods that could help to recover such strong passwords.


Dictionary attack is the most effective one. With itBrute-force attack, you may try every word in a dictionary or multiple-dictionaries until your password is found. This method is popular because it is well known that many people use common words as passwords. Dictionaries with hundreds of thousands of words, as well as specialist, technical and foreign language dictionaries are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc. Simply select the desired dictionary file (use the […] button to browse for it); also, you can select a Smart mutations option– it may really help if you're not sure about the register the password has been typed in. For example, if the next word in the dictionary is "PASSword", AINPR will try the following commonly-used modifications:

PASSword (as is)
passWORD (reversed)
password (all lower case)
PASSWORD (all upper case)
Password (first uppercase, rest lowercase)
pASSWORD (first lower case, rest uppercase)
PaSSWoRD (elite: vowels in lc, others in uc)
pAsswOrd (noelite)
PaSsWoRd (alt/1)
pAsSwOrD (alt/2)

In a brute force attack, the program tries to guess your password by trying every single combination of characters until your password is found. For example, the program might follow a sequence like this:

"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...

until the password is found. Obviously, this method will take time, for an eight character lowercase alpha password there are 200 Billion combinations to be checked. But with modern computers this sort of attack doesn't take as long as you might think. The brute force attack is the slowest method of password attack, but can often be successful on short and simple passwords.

For brute-force attack, you have to select the character set (i.e. what symbols have been used in the password); you can choose from capital letters, small letters, digits, space and special symbols such punctuation marks. Besides, you should set the desired password length (minimum and maximum). If Autoincrement if failed option is selected, but the password will not be found in specified range, the program will automatically adjust the maximum length and continue the attack.

The status of brute-force attack is being saved automatically, so when/if you will restart the program or just the attack, recovery will be resumed from the point you stopped it on.

As already noted, Quicken 2003/2004/2005 uses really strong encryption. Always start Quicken 2003/2004/2005 password recovery with dictionary attack, trying different dictionaries and wordlists; and if it fails, try the brute-force attack (if both attacks are selected in the program, the program will run the dictionary attack first, and will continue with a brute-force one if the password will not be found on the first stage.

Recovery speed is not very fast – on Pentium 4 at 2.4 GHz, AINPR tries only about 1000 passwords per second. This is quite enough for dictionary attack even if very large wordlist is being used, but brute-force recovery time dramatically increases with the password length. The practical limit of brute-force attack is only 4-5 characters; but 6-character or longer passwords cannot be recovered with this attack in a reasonable time.







Home page URL : http://www.elcomsoft.com/ainpr.html