Back in the old days when we only just started up we had no direction on where we should be going and what we should do. We had no analysis tools to find out what recovery tools are in demand and we had no research info on what recovery was possible.
Over a year ago we bought a skype password domain in the hope that we would develop and upload Skype Password Recovery tool to the site. This was a very careless move. Little did we know that… Skype produces a hash of the user password and uses that hash to authenticate/store the login info locally (hash is transferred over the secure channel to authenticate).
As Fabrice Desclaux and Kostya Kortchinsky tell us in their paper, Skype uses MD5 hash of “username\nskyper\npassword” to authenticate. The same hash is stored in the config.xml file (C:Documents and settings Windows Username Application data Skype SkypeUsername config.xml). In fact, this MD5 hash is then encrypted using AES and SHA-1 before being stored in the config.xml.
To put what the above means in simple words, there is no 100% guaranteed algorithm to decrypt Skype password. Bruteforce and dictionary attacks are the only methods. Both of them are timely and only have the potential with the password of up to 8 characters.
Update: some vendors have started to offer the bruteforce program to crack Skype passwords. But what these vendors don’t say is that it will take 16 months to decode a 6 character password on a very good machine. If we take into account the Moore’s law it is clear that even with the new processors coming out, in two years time you will be able to decode the same 6 character password twice as fast which means in 8 months!
Very often users set their passwords to anything longer than 7 characters so this program is useless in cases when the password is 7 characters or longer.
Clearly, for any Skyper even 8 months is not an option.
Thus, we have decided not to develop any Skype password decoders based on bruteforce algorithms.