ZIP File Password Forgotten or Lost
You created a password-protected ZIP but forgot the password, or received an encrypted ZIP without the password.
Last updated
How to Open a ZIP File When You Forgot the Password
Forgetting the password to a ZIP file is frustrating. Here's what you can and cannot do:
What Is Possible
- If you set the password yourself, try common passwords you use: birthdays, pet names, keyboard patterns (qwerty, 123456), and anything you remember typing.
- Dictionary attacks — Desktop tools like 7-Zip with hashcat or Passware Kit can test millions of common passwords automatically. This only works if the password is short or common.
- If you know part of the password, brute-force is faster — tools can mask-attack (try all variations of a partial pattern).
What Is Not Possible
- AES-256 encrypted ZIPs (created by 7-Zip or WinZip 9+) cannot be cracked by any tool currently known. AES-256 is mathematically unbreakable with current hardware.
- ZipCrypto/legacy ZIPs (created by Windows Explorer, older tools) are weaker and sometimes crackable if the password is short.
If You Received the ZIP from Someone Else
Contact the sender and ask for the password. There is no other option for strongly encrypted ZIPs.
Prevent This in the Future
Use a password manager (Bitwarden, 1Password, KeePass) to store archive passwords. Never use a password you might forget.
Advertisement
Frequently asked questions
Can a forgotten ZIP password be recovered?
It depends on the encryption type. Old ZIP 2.0 (used by tools before ~2008) is weak and recoverable by tools like Hashcat, especially with short or common passwords. Modern AES-256 ZIP encryption (WinZip 9+, 7-Zip with AES mode) is very strong — brute-forcing it is practically infeasible for passwords longer than 6–8 characters.
What tools can attempt to recover a ZIP password?
Hashcat (free, GPU-accelerated, very fast), John the Ripper (free, versatile), and commercial tools like Passware Kit or Elcomsoft Advanced Archive Password Recovery. These tools work best with dictionary attacks (trying known words and common variations) rather than pure brute-force.
What if I remember part of the password?
Hashcat supports "mask attacks" where you specify known characters and patterns (e.g., "starts with Capital, ends with 4-digit year"). This dramatically narrows the search space. For example, a password like "Summer2022!" would be found in minutes with the right mask pattern, vs. years with pure brute-force.