Forgot Password but not Entirely, does a Dictionary Attack Exist for Cryptomator?

Cryptomator for Linux, version 1.5.15.

Have been leaning into the password box for days, manually repeated too many itterations most likely and began feeling defeated. If there were some script to streamline the process, I could generate a wordlist with a good chance of unlocking my vault. Unfortunately I started using Cryptomator when it first became available on mobile a year ago, which doesn’t have the recovery text option like the desktop versions. Didn’t start using the desktop linux version until months later, unaware it could be copied from there after unlocking vaults.

Somebody please help me unscrew myself.

Hey and welcome to the Cryptomator Community :slightly_smiling_face:,

Maybe you can work with the CLI version of Cryptomator:

This could speed up the process but due to our key derivation function (Scrypt) this will intentionally still take time.

Yes, we still need to implement this to our mobile apps! I’m sorry that you found out this way that there is a recovery function and therefore can’t use it :slightly_frowning_face:.

1 Like

Hello, nice that I got a response. :slight_smile:

It’s ok if it takes time, even an entire minute per password attempt. Could cryptomator-cli be fed a list of possible matches against a cryptomator.masterkey file?

While browsing for answers I came across a message board called gitter where @overheadhunter made it seem like there was a solution to this automation obstacle. Maybe they have an idea?

Not that I’m aware of because this tool is designed to mount a vault to which you actually know the password but you could create a shell script and do something like divide and conquer: use a list of possible passwords, divide those entries to different terminal instances or maybe even physical PCs and let each of them try to unlock the vault, entry by entry (multiple unlocks simultaneously per terminal should be possible too) of the splitted list.

That sounds like a solution, in theory. I don’t know how to give life to a script with that function. How would I let each of them try to unlock the “masterkey” file? Sorry for leading you in a goose chase, but I have never writen a script in my life.

@SailReal @overheadhunter

Can one of you please help me here. I don’t need someone to do it for me, or write me a script. Point me in the right direction, that’s about it.

A script that calls onto what program? hashcat? What would take a computer a couple of hours (in my case) has already taken me days. I have generated and divided several lists into even smaller ones. What I do need help with now is interpreting the information inside cryptomator.masterkey; how do I structure / feed this information to that tool?

Try and empathize a bit. I know most of the password and the pieces I can’t remember are limited to a handful of characters.



I have an idea where you need to start.
Under >this link< you find enough resources with which you will be able to achieve your goal.

Really funny, did you come up with it all by yourself? Embarrassing this forum to make a lazy joke instead of being helpful.

The lenghts you went not to give me a straight answer, why even bother to comment? Try and be nicer to people sometimes. Just because I can’t write a script doesn’t mean I lack the wherewithal or technical prowess to follow instructions. For example, an archlinux install is simple enough using its wiki. May not know it all, but scripts aren’t necessary if you can stick to its guides.

Lastly, “scripting” doesn’t automagically solve this issue: what execution would this “script” automate in order to achieve this “divide and conquer” solution?

Sigh, I’m sorry for the cheap joke.

You are in a difficult situation, i understand, but you also don’t want to put effort into solving it.

From my personal view, every one can follow instructions, there is nothing difficult about it. In your case there is no manual, documentation or wiki entry you can follow. So either someone gives you it or you have to figure out it yourself. And the latter can be done, like @SailReal pointed out with scripting. You even mentioned, that one should point you in the right direction.

A more concrete plan for you would look like:

  1. Understand a little bit of bash scripting (reading files, variables, executing & chaining commands, check return values, working with strings)
  2. Achieve to run cryptomator-cli and understand its usage
  3. Read in your password list, pass every password to the cli and wait if unlock is successful

For the divide and conquer solution, additional knowledge of bash scripting is needed, maybe you should even think about using a different programming language.

For your topic question: There exists no dictionary attack for Cryptomator.

1 Like

It’s good that you understand where I’m coming from, but I have dedicated effort with many variables and combinations over several days. This could have been averted had there been a recovery option on the Android app (like on desktop) from the beginning. That’s when I first started using Cryptomator, sometime last year. Worked great until I forgot a part of my password this year, just disappeared from my brain overnight.

Not necessarily Cryptomator, moreso scrypt which according to architecture documentation is what would need to be “attacked”. It’s the reason why I mentioned hashcat since scrypt is one of the hashing applications supported by it. What I’m failing to understand is what inside cryptomator.masterkey would I need to run hashcat against.

The tool itself is fairly efficient and will take wordlists like mines, among others.

I don’t think you would get anywhere with hashcat, see:

I vaguely remember that there was indeed a user that was in a similar situation and tried to brute-force his password. But that’s so long ago and I don’t know if we have any scripts anymore that we can re-use for your purpose, at least I couldn’t find anything.

Probably, the “easiest” way would be to use one of our libraries like cryptolib because it already implements the masterkey derivation we would need for a brute-force attempt. Otherwise, you would somehow need some code that can run scrypt and RFC 3394 key wrapping. But yeah, that requires some coding.

We’ll look into it, can’t promise you a quick solution as the others have already stated. In the meantime, try the following script:

while read pw; do
  echo "--- TRYING: $pw"
  java -jar cryptomator-cli-0.4.0.jar --vault vault=/Users/saibot/Dropbox/Vault --password vault="$pw" --bind --port 8080
done <pwlist.txt

And have a file called pwlist.txt next to script with one password each line. The script is kind of “dumb” but if you hit a correct password, the script will “pause” at that password and the last entry of --- TRYING: <pw> is then the password you were looking for.


I’ve implemented a tool that avoids unnecessary work and makes use of all available CPU cores. Will be published tomorrow. Approx 20 guesses per second on a 2020 MacBook with 2.0 GHz i5 Ice Lake CPU.

Update: Here is a first usable version:


Well damn, for one moment I was hopeless and had no solution and the next I have two. One of which apparently maxes out hardware and is efficient, hard to believe what my eyes are seeing.

Eagerly awaiting tomorrow’s arrival.

4 posts were split to a new topic: How to install the required JDK

At first I thought “My laptop can definitely do better than that”, then the “Guesses per second” started dwindling down to embarrasing 10’s. My computer felt old for a moment, realized an i7-8650U was a poor-man’s 11th-gen i3 or an even poorer-mans Ryzen. Didn’t even bother comparing it to Ryzen 5, much less Ryzen 7.

As a contrast, anyone can spend about $500, or even $400 on select dates, and score significantly superior hardware. Thanks to your script I’ve become self-conscious about my taste in laptops. Optimal ram, cooling, and storage; none of it has made a difference so far. If this laptop could sweat I would be up to my neck in salty tears.

Question Lol: How does it inform end-users it’s found the correct password? Will it fail to run unless JRE 11 is present? Don’t want to inadvertedly harm performance.

If you see the “Guesses per second” output, you can be sure that the cracker is running and that there is nothing wrong with the JRE.

If the correct password was found, the cracker will stop and output a “Success: …” line.

Did you use the .jar file or the precompiled binaries? The former will have a significantly higher throughput due to optimizations done by Java’s JIT compiler. The latter doesn’t require a Java installation and starts faster (which should be insignificant for this kind of workload).

scrypt is designed to be hard to compute (usually you wouldn’t want someone to be able to bruteforce into your data). What you’re doing here is essentially crypto mining…