ZIP, RAR & 7z Archive Password Recovery: The Complete Technical Guide

Lost your ZIP, RAR or 7z archive password? Learn extraction methods, hashcat modes & speeds, then upload to OnlineHashCrack for GPU-accelerated recovery.

Losing access to a password-protected archive — whether a legacy ZIP backup, a RAR collection, or a 7-Zip vault — is one of the most frustrating data recovery scenarios IT professionals and everyday users face. The good news is that archive password recovery is well-understood, with GPU-accelerated tools capable of testing billions of candidates per second on the right format. The bad news is that not all formats are equal: PKZIP legacy archives and RAR5/7z are worlds apart in resistance, and confusing them leads to failed recovery attempts and wasted resources.

Authorized use only. OHC is for security professionals working on systems they own or have explicit written authorization to test.

1. Understanding Archive Encryption: Why Format Matters More Than You Think

Before attempting any password recovery, you must understand that the archive file format and the encryption algorithm it uses are the two variables that dictate everything — attack feasibility, tool selection, and expected recovery time. Treating all password-protected archives the same is the single biggest mistake users make.

The Three Major Archive Families

  • ZIP archives exist in two fundamentally different encryption modes. Legacy PKZIP (also called ZipCrypto or classic ZIP encryption) uses a stream-cipher-based scheme (RC2/RC4-derived) that is fast to attack and cryptographically weak. WinZip AES-encrypted ZIPs use AES-256 with a salt and are a completely different beast — far slower to crack and much more resilient.
  • RAR archives also come in two generations. RAR3 (produced by WinRAR versions prior to 5.0) uses AES-128 combined with a custom key derivation function. RAR5 (WinRAR 5.0+) upgrades to AES-256 and PBKDF2-SHA256 with a high iteration count, making it significantly more resistant.
  • 7-Zip archives (.7z) use AES-256 combined with SHA-256 for key derivation. The iteration count is adjustable but defaults to a high value, placing 7z among the most resistant formats to brute-force attacks.

Why Encryption Strength Isn't the Only Factor

Even a cryptographically strong format can be defeated if the password itself is weak — a short word, a simple pattern, or a dictionary term. Conversely, a random 12-character password on a RAR5 archive is practically unrecoverable with current hardware. Understanding this spectrum helps you set realistic expectations before investing computational resources.

The format also determines which hashcat mode applies, which extraction tool is needed, and what attack strategy gives the best probability of success. These decisions cascade from format identification, which is why correct identification at step one is non-negotiable.

2. Hashcat Modes and Real-World GPU Speeds for Each Archive Format

Hashcat is the industry-standard GPU-accelerated password recovery engine. Each archive format maps to a specific hashcat mode number, and the cracking speed varies dramatically across formats. The figures below are measured on an NVIDIA RTX 5090 and represent a realistic upper bound for single-GPU consumer hardware in 2025.

Format             | Hashcat Mode | Encryption              | RTX 5090 Speed     | Practical Resistance
-------------------|--------------|-------------------------|--------------------|----------------------------------------
ZIP (Legacy PKZIP) | 17200        | RC2/RC4 stream cipher   | ~1,500,000,000 H/s | Low; dictionary attacks very effective
ZIP (WinZip AES)   | 13600        | AES-256 + PBKDF2        | ~400,000 H/s       | Medium-High
RAR3               | 12500        | AES-128 + custom KDF    | ~100,000 H/s       | High
RAR5               | 13000        | AES-256 + PBKDF2-SHA256 | ~150,000 H/s       | Very High
7-Zip (.7z)        | 11600        | AES-256 + SHA-256 KDF   | ~100,000 H/s       | Very High

What These Numbers Actually Mean

At 1.5 billion hashes per second against a legacy PKZIP archive, an 8-character lowercase password has a keyspace of roughly 200 billion combinations, which an RTX 5090 exhausts in under 3 minutes. A dictionary attack with a 10-million-word list finishes in milliseconds.

At 100,000 hashes per second for RAR3 or 7z, that same 8-character lowercase keyspace takes approximately 23 days of continuous GPU time. A 10-character mixed-case alphanumeric password is computationally infeasible to brute-force with any current single GPU. This is not a limitation of the tool — it is the intended effect of the key derivation function.

Why You Must Not Confuse PKZIP and WinZip AES

A .zip extension does not guarantee legacy encryption. WinZip, 7-Zip, and modern archivers default to AES-256 when creating password-protected ZIPs. Mode 13600 (WinZip AES) runs roughly 3,750 times slower than mode 17200 (PKZIP). Submitting a WinZip AES hash to a PKZIP attack will produce zero results because the hash format is incompatible. Correct identification is mandatory. For full benchmark data, see the OHC RTX 5090 Hashcat Benchmark.
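The distinction above can be checked from the archive headers alone, before any hash is extracted. The following is an added example, not OnlineHashCrack's code and not part of the original article: it reads each entry's flag bits, compression method and extra field with Python's standard zipfile module. The names classify and audit are this example's own, the sample entry is constructed, and the mode numbers are the ones from the table above.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901            # WinZip AE-x extra-field header ID
AES_METHOD = 99                  # compression method that marks AE-x entries
AES_BITS = {1: 128, 2: 192, 3: 256}
MODE_PKZIP, MODE_WINZIP_AES = 17200, 13600   # hashcat modes from the table above


def aes_strength(extra: bytes):
    """Walk the extra-field records; return the AES key size in bits or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            # body layout: version(2) vendor "AE"(2) strength(1) real method(2)
            _ver, vendor, strength, _method = struct.unpack_from("<H2sBH", body)
            if vendor == b"AE":
                return AES_BITS.get(strength)
        pos += 4 + size
    return None


def classify(info: zipfile.ZipInfo):
    """Return (scheme, hashcat_mode) for one archive member."""
    if not info.flag_bits & 0x1:           # bit 0 clear: entry is not encrypted
        return ("none", None)
    if info.flag_bits & 0x40:              # bit 6: PKWARE strong encryption
        return ("pkware-strong", None)     # neither mode on this page applies
    if info.compress_type == AES_METHOD:
        bits = aes_strength(info.extra)
        return (f"winzip-aes-{bits}" if bits else "winzip-aes", MODE_WINZIP_AES)
    return ("zipcrypto", MODE_PKZIP)


def audit(path):
    """Classify every member; reads headers only, so no password is needed."""
    with zipfile.ZipFile(path) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}


if __name__ == "__main__":
    # Constructed sample: an entry header as a WinZip AES-256 archiver writes it.
    sample = zipfile.ZipInfo("report.docx")
    sample.flag_bits, sample.compress_type = 0x1, AES_METHOD
    sample.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    print(classify(sample))
```

Running audit over a folder of old backups also shows which archives still rely on the weak legacy scheme and should be re-encrypted.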

3. Hash Extraction: zip2john, rar2john, and 7z2john Explained

Hashcat does not operate on archive files directly — it operates on extracted hash strings that represent the encrypted password verification data. The extraction step is handled by the John the Ripper companion utilities: zip2john, rar2john, and 7z2john. These tools parse the archive header, extract the cryptographic material needed for attack, and output a formatted hash string.

Extracting a ZIP Hash

For a ZIP file, run:

zip2john protected.zip > zip_hash.txt

The output is a line that begins with the filename, followed by the hash type identifier ($pkzip$ for legacy or $zip2$ for WinZip AES) and the cryptographic parameters. Hashcat expects only the hash itself, so feed it the portion that starts at the hash type identifier, without the leading filename field, and pass the matching mode flag:

hashcat -m 17200 zip_hash.txt wordlist.txt

or for WinZip AES:

hashcat -m 13600 zip_hash.txt wordlist.txt

Extracting a RAR Hash

RAR extraction follows the same pattern:

rar2john protected.rar > rar_hash.txt

The hash prefix $rar3$ indicates RAR3, while $rar5$ indicates RAR5. These map to modes 12500 and 13000 respectively. Attempting to crack a RAR5 hash with mode 12500 will fail silently — the hash format will not match.

Extracting a 7z Hash

7z2john.pl protected.7z > 7z_hash.txt

The resulting hash begins with $7z$ and contains the compression method, number of KDF cycles, and the encrypted data sample. This maps to hashcat mode 11600.

OHC Does This For You Automatically

Manual hash extraction requires command-line familiarity and correctly installed John the Ripper utilities. OnlineHashCrack handles the entire extraction pipeline server-side. You upload the raw .zip, .rar, or .7z file, and OHC automatically identifies the format, selects the correct extraction tool, determines the hashcat mode, and queues the job. No local toolchain required — which is particularly valuable for IT admins and forensic analysts working from standard workstations without GPU resources.

4. Attack Strategies: Dictionary, Rules, and Brute-Force — Choosing the Right Approach

The right attack strategy depends entirely on what you know (or can guess) about the original password. A systematic approach saves enormous amounts of GPU time and significantly increases your probability of success. There is no single best strategy — there is only the best strategy for your specific scenario.

Dictionary Attacks: The First Line of Attack

For any archive format, always start with a dictionary attack. The RockYou wordlist (~14 million entries) is the baseline. For professional audits, augment with SecLists password collections, industry-specific wordlists, or wordlists derived from known leaked databases. Even on RAR5 and 7z — where speeds are low — a 10-million-word dictionary completes in under 2 minutes on an RTX 5090 at 150,000 H/s. Most forgotten passwords are real words, names, years, or combinations thereof.

  • Recommended for: All formats as a first pass
  • Particularly effective on: Legacy PKZIP (trivially fast)
  • Still worth trying on: RAR5, 7z (short run time relative to potential payoff)

Rule-Based Attacks: Transforming Word Lists

Hashcat rules apply transformations to dictionary entries — capitalizing first letters, appending numbers, substituting characters (e.g., a→@, e→3). The best64.rule set and OneRuleToRuleThemAll are popular choices. Rules multiply the effective dictionary size by hundreds of variations per word, dramatically increasing coverage without the cost of a full brute-force run.

hashcat -m 13000 rar5_hash.txt rockyou.txt -r best64.rule

Mask Attacks: When You Remember the Pattern

If you remember the password structure — for example, a word followed by a 4-digit year, or a company name followed by a symbol — a mask attack is extremely efficient. Hashcat mask syntax uses character set placeholders:

  • ?l = lowercase letter
  • ?u = uppercase letter
  • ?d = digit
  • ?s = special character

A mask like ?u?l?l?l?d?d?d?d covers patterns like Word2019 — a common real-world password structure. On legacy PKZIP, this mask completes in milliseconds.
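To size a mask before committing GPU time, or to judge how long a given password shape holds up on each format, the keyspace arithmetic from "What These Numbers Actually Mean" can be applied to any mask. This is an added example, not part of the original article or of hashcat: the function names are this example's own, the speeds are copied from the RTX 5090 table above, and only hashcat's built-in placeholders are handled (no custom charsets).

```python
# Built-in hashcat charset sizes (?s is 33 printable symbols including space)
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}

# Single-GPU speeds in H/s, copied from the RTX 5090 table on this page
SPEEDS = {
    "ZIP (Legacy PKZIP)": 1_500_000_000,
    "ZIP (WinZip AES)": 400_000,
    "RAR3": 100_000,
    "RAR5": 150_000,
    "7-Zip (.7z)": 100_000,
}
UNITS = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask generates; literals and '??' count as 1."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            token = mask[i + 1]
            if token != "?":               # '??' is a literal question mark
                if token not in CHARSETS:
                    raise ValueError(f"unsupported placeholder ?{token}")
                total *= CHARSETS[token]
            i += 2
        else:
            i += 1                         # literal character
    return total


def worst_case_seconds(mask: str) -> dict:
    """Seconds to exhaust the whole mask on each format at the table's speeds."""
    keyspace = mask_keyspace(mask)
    return {fmt: keyspace / speed for fmt, speed in SPEEDS.items()}


def humanize(seconds: float) -> str:
    for unit, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for mask in ("?l" * 8, "?a" * 7):      # constructed sample masks
        for fmt, secs in worst_case_seconds(mask).items():
            print(f"{mask:18} {fmt:20} {humanize(secs)}")
```

These are worst-case figures for exhausting the full mask; on average the password is found after about half the keyspace.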

Brute-Force: The Last Resort

Full brute-force (exhaustive keyspace search) is only viable for short passwords on fast formats like PKZIP. For RAR5 and 7z, brute-force beyond 6 characters is computationally prohibitive with any realistic GPU cluster available today. Do not invest resources in blind brute-force on strong KDF formats — direct your effort toward intelligent dictionary and rule-based attacks instead.

5. Practical Recovery Scenarios: Forgotten Passwords, Legacy Backups, and Forensics

Archive password recovery is not a single-use-case problem. The technical approach should be adapted to the specific scenario, the available information, and the legal context. Here are the three most common real-world situations and how to approach each one.

Scenario 1: You Forgot Your Own Archive Password

This is the most common case. You created the archive yourself months or years ago, and the password was something you chose — which means it reflects your own password habits. This is a significant advantage. Think about:

  • Passwords you commonly used at the time
  • Names of people, pets, or places meaningful to you
  • Years, dates, or numeric patterns you favor
  • Combinations like a word + a number

Build a custom wordlist from these candidates before running a generic dictionary attack. Even a 50-word custom list with rule transformations will outperform a 10-million-word generic list if your actual password is in it. Submit the archive to OHC along with any custom wordlist entries in the job notes.

Scenario 2: IT Admin Recovering Legacy Backup Archives

Organizations frequently accumulate password-protected archives from departed employees, retired systems, or undocumented backup procedures. These archives often use older formats — ZIP or RAR3 — created with tools that defaulted to legacy encryption. This is actually good news: older archives are statistically more likely to use PKZIP or RAR3, which are dramatically faster to attack than modern AES formats.

In this scenario, check the archive creation date against the tool version in use at the time. An archive created in 2005 with WinZip 9 is almost certainly PKZIP or early WinZip AES, not RAR5. An archive with a .rar extension created before 2013 is likely RAR3. Format identification tools like file on Linux or 7-Zip's info panel will confirm the encryption type before you invest GPU time.

Scenario 3: Digital Forensics on Authorized Systems

Forensic analysts working on authorized investigations routinely encounter password-protected archives containing potentially evidential data. In this context, the attack strategy should be documented and reproducible. Use hash extraction tools to capture the hash before any recovery attempts, preserve the original file with hash verification (SHA-256 of the archive file itself), and record all attack parameters used. OHC's job history provides an audit trail of submitted hashes and recovery attempts, which supports chain-of-custody documentation.

In forensic contexts, even a failed recovery attempt is valuable — it documents that strong encryption was in use and that the password was not trivially guessable, which itself can be relevant to an investigation.

6. How OnlineHashCrack Recovers Your Archive Password: The Upload Workflow

OnlineHashCrack is a GPU-accelerated cloud password recovery service built for authorized cybersecurity professionals. For archive recovery, OHC provides a streamlined workflow that eliminates the need for local GPU hardware, toolchain setup, or manual hash extraction.

Step-by-Step: Submitting an Archive to OHC

  1. Navigate to the upload page at /index.php. OHC accepts .zip, .rar, and .7z files directly — you do not need to extract the hash yourself.
  2. Upload your archive file. OHC's server-side pipeline runs the appropriate extraction tool (zip2john, rar2john, or 7z2john) automatically, identifies the encryption format, and selects the correct hashcat mode.
  3. Select your attack configuration. Choose from dictionary attacks (standard wordlists or custom uploads), rule-based attacks, or mask attacks based on what you remember about your password.
  4. Submit and monitor. OHC's GPU cluster processes your job. You receive a notification when recovery is complete or when the job exhausts the configured attack strategy.

What OHC Handles Server-Side

  • Automatic format detection (PKZIP vs WinZip AES, RAR3 vs RAR5, 7z variant)
  • Correct hashcat mode assignment — no risk of mode mismatch
  • Hash extraction using maintained, up-to-date John the Ripper utilities
  • GPU-accelerated cracking across the full attack pipeline
  • Result delivery with the recovered plaintext password

Realistic Expectations by Format

OHC will be transparent about recovery probability. Legacy PKZIP archives with dictionary-based passwords are highly recoverable. WinZip AES and RAR3 are feasible for short or dictionary-based passwords. RAR5 and 7z with strong, random, long passwords are among the most resistant formats in existence — OHC will attempt recovery but will not misrepresent the probability of success for these formats. No service can crack AES-256 with a strong KDF and a truly random long password — the mathematics make it infeasible regardless of hardware.

Compliance notice: OnlineHashCrack requires that all submitted files and hashes belong to the submitting user or that the submitting user has explicit written authorization to perform recovery testing. Recovery services are for authorized, legitimate data recovery only. Unauthorized access to protected data is illegal.

7. Further Reading and Resources

Recover Your Archive Password with OnlineHashCrack

OnlineHashCrack accepts .zip, .rar, and .7z files directly, automatically extracts the hash server-side, identifies the correct hashcat mode (17200, 13600, 12500, 13000, or 11600), and runs GPU-accelerated dictionary, rule, and mask attacks on its RTX-powered cluster.


Frequently Asked Questions

Can I recover a RAR5 or 7z password online?

RAR5 and 7z use AES-256 with strong key derivation functions, making them among the most resistant formats to brute-force attacks — even with high-end GPUs achieving only ~100,000–150,000 hashes per second. Recovery is realistic only for short passwords (under 7 characters) or dictionary-based passwords. OnlineHashCrack runs dictionary, rule, and mask attacks on these formats, but will not misrepresent success probability for truly random long passwords.

Is it legal to recover a password from my own archive?

Yes — recovering a password from an archive you own or have explicit written authorization to test is entirely legal in most jurisdictions. OnlineHashCrack requires that all submitted files belong to the submitter or fall under documented authorization. Using password recovery tools on archives you do not own or are not authorized to access is illegal and strictly prohibited by OHC's terms of service.

What is the difference between PKZIP and WinZip AES encryption in a ZIP file?

PKZIP (legacy ZipCrypto) uses an RC2/RC4-derived stream cipher and is cryptographically weak — an RTX 5090 can test approximately 1.5 billion candidates per second against it (hashcat mode 17200). WinZip AES uses AES-256 with PBKDF2 key derivation (hashcat mode 13600), dropping the speed to roughly 400,000 H/s — nearly 3,750 times slower. Both can appear in a .zip file, so format identification before attacking is essential.

Do I need to extract the hash myself before uploading to OnlineHashCrack?

No. OnlineHashCrack accepts raw .zip, .rar, and .7z archive files directly. The platform handles hash extraction server-side using zip2john, rar2john, and 7z2john, automatically identifies the encryption format, and assigns the correct hashcat mode — no local toolchain or command-line work required.

Posted by Ethan Carter
Ethan Carter is a seasoned cybersecurity researcher and the founder of OnlineHashCrack. With over 15 years in password security, hash analysis, and GPU-accelerated cryptography, he writes practical guides for penetration testers, forensic analysts, and IT security professionals.