AxCrypt Brute Force Introduction and Background

AxCrypt does not contain any backdoors. With a reasonably good password, it’s not practical to try all possibilities because it just takes too long time. Trying *all* possibilities, even when AES-128 has been used instead of the stronger yet AES-256, will take longer than the lifetime of the universe.

However, if the number of passwords to try can be narrowed down, then it is possible to do a search through that list of possibilities. Say for example that you are really sure that the password is the word ‘secret’ followed by 4 digits but you just can’t seem to recall the digits. This is possible to try.

We have made a program that can do certain types of variable password searches like the example above. It’s not intended for general consumption, as it’s a bit technical and has no user interface design whatsoever. It’s just function. But it’s not restricted either, so we’ll provide it on an as-is basis to anyone requesting it by sending an email to .

Remember – this page is the only support we’ll be providing. We cannot answer any further questions. Our suggestion is that you create a test-file with a known password similar to what you think you know for your real situation, and then run the provided software with parameters similar to your real case to verify that it does find the password for the test-case, and that you understand how the software works.


The program is a single executable, named something like AxBruteForce- . When you start it, you get a simple UI where you can browse for a file to try passwords for, a text field where you can write your password pattern, a radio button selector to chose how the password pattern should be used and checkboxes for what version of AxCrypt files to try for.


There’s also a clickable link to open the log file in a text editor. This will show you all the passwords tried, and can be useful to understand how the program works, and that it really has tried the variants you were expecting.

The only tricky part is to understand how the password pattern is used.

Word ordering and capitalization

This mode will interpret the pattern as a number of ‘words’ to include or not and concatenate and with or without capitalization.

For example:

brute force

will try:


Limited regex char class

This mode will interpret the pattern as a very limited form of regular expressions. Any character not typed as part of a [] character class construct will just be used as-is in that position.

Variations can be introduced with character classes. These take the form of [ characters ] optionally followed by a ‘?’.

The characters inside [ ] will be tried, one after another. If it is followed by a ?, a try with the character excluded will also be made.

As a special case, [a-z] or [\w] means a, b, c, …, z and [\d] means 0, 1, 2, …, 9 .

For example:


will try:


Test Sample

Here is a test file, encrypted with a password that we think consist of the words ‘brute’ and ‘force’, possibly capitalized followed by 4 digits.

Suggestions to try are:

Word ordering:

brute force 1984

Limited reg ex:

[bB]rute[fF]orce19[\d]?[\d]? (if you know that it’s at least two digits 19 plus zero, one or two unknown digits)


[bB]rute[fF]orce[\d][\d][\d][\d] (if you just know as above the words ‘brute’ and ‘force’, possibly capitalized followed by 4 digits).

Use the ‘Log File’ button to understand just what passwords are tried by a given pattern.


That’s all folks! We will not support you further. You are on your own. Good luck!