Recovery Methodology
Exactly what happens when you upload a PDF — encryption detection, revision classification, recovery path selection, and what "guaranteed" and "Fast Check" actually mean technically.
Step 1: Format and encryption detection
A PDF's encrypt dictionary is never itself encrypted — it has to be readable before a viewer can even attempt to unlock the document. We read the /Encrypt dictionary directly from the file's trailer to classify exactly what we're dealing with, without needing the password:
- /Filter /Standard— confirms the Standard Security Handler is in use (the vast majority of password-protected PDFs; non-standard handlers are rare and out of scope).
- /V and /R— algorithm version and revision. This pair is the single most important signal: it tells us which cipher and which key-derivation function protects the file.
- /Length— key length in bits. Combined with /V and /R, this disambiguates 40-bit from 128-bit RC4.
- /CF, /StmF, /StrF— the crypt filter dictionary and its stream/string filter names (present only in V=4 and V=5). The CFM entry inside /CF (AESV2 or AESV3) confirms AES over RC4 and distinguishes AES-128 from AES-256.
From that dictionary alone we classify the file into one of four Hashcat modes: 10400 (RC4-40, /V 1 /R 2), 10500 (RC4-128, /V 2 /R 3-4), 10600 (AES-128, /V 4 /R 4, CFM=AESV2), or 10700 (AES-256, /V 5 /R 6, CFM=AESV3). This one step determines which of the two recovery paths below applies — and it happens before any password guessing starts.
Path A: 40-bit RC4 guaranteed recovery (mode 10400)
PDFs produced with the original 1996-era Standard Security Handler (/V 1 /R 2) derive their RC4 cipher key by hashing the password down through 50 rounds of MD5 and truncating the result to 5 bytes — exactly 40 bits. That truncation is the whole story: no matter how long or complex the original password was, the final cipher key is drawn from a space of only 2^40 (≈1.1 trillion) possibilities.
That's small enough to search exhaustively on GPU hardware. The key insight is that we attack the cipher key directly, not the user's password — a 4-character password and a 40-character password collapse into the same 40-bit key space, so password complexity has no bearing on whether recovery succeeds. The search covers every possible key in that space regardless of what the original password looked like.
Technical details
- • Hashcat mode: 10400 (PDF 1.1-1.3, RC4-40, Acrobat 2-5 era)
- • Key space: 2^40 ≈ 1.1 trillion keys, exhaustively searchable
- • Attack type: brute force over the finite cipher-key space, not the password space
- • Result: guaranteed recovery, independent of password length or complexity
- • Typical duration on our GPU cluster: 2-6 hours
Full derivation details for mode 10400 — including the exact 50-round MD5 chain and why the 40-bit ceiling exists — are documented on our RC4-40 technical reference page.
Path B: Fast Check for modern AES-128/256 (modes 10600/10700)
Once a file lands in AES-128 (mode 10600, Acrobat 7-9 era) or AES-256 (mode 10700, Acrobat X and later, PDF 2.0), the cipher key space is 2^128 or 2^256 — astronomically beyond exhaustive search on any hardware that exists. There is no shortcut at the cipher level for either. Recovery only works if the underlying password itself is guessable.
Mode 10700's key derivation is the modern one: SHA-256(password || validation salt) as the seed, followed by up to 64 rounds of mixing where each round selects SHA-256, SHA-384, or SHA-512 based on the last byte of the previous output (Adobe Algorithm 2.B, PDF 2.0 / Adobe Extension Level 8). That chain is deliberately slow — roughly 50-100× more expensive per guess than the older MD5×50 chain mode 10600 still uses — which is why Fast Check tests a curated list rather than attempting brute force. See the AES-256 (mode 10700) reference page for the full hash-chain walkthrough.
What Fast Check tests
- • Common dictionary words and phrases
- • Names, dates, and years (documents are often protected around a creation or filing date)
- • Keyboard walks and patterns (qwerty123, 1qaz2wsx)
- • Common number suffixes and symbol substitutions (password123, P@ssw0rd)
- • Mutations of a candidate password if you provide a hint (old passwords, likely words, length range)
- • Hashcat modes: 10600 (AES-128, /V 4 /R 4) and 10700 (AES-256, /V 5 /R 6)
If Fast Check finds the password, you see a verified preview before paying anything. If it doesn't, the password is either rare, strong, or fully random — and any further attempt has to be built around whatever you actually remember about it, not blind brute force of a keyspace that's out of reach.
What we don't claim
- • We don't claim to recover AES-256 PDFs (mode 10700) protected with a strong, genuinely random password. Cryptographically, that's infeasible regardless of hardware, and no amount of GPU time changes that.
- • We don't publish a single aggregate "success rate." It's meaningless outside the context of a specific file's mode and its password's actual strength — a mode 10400 file is effectively guaranteed, a mode 10700 file with a random password is effectively hopeless, and everything else falls somewhere in between.
- • We don't sell "PDF password recovery" that's actually owner/permissions stripping in disguise. Removing a printing or copying restriction is a different problem from cracking an open-password cipher, and we're explicit about which one applies to your file.