fone.tips
Security Updated Jun 3, 2026 12 min read Password Cracker

How to Open a Password-Protected ZIP File on Your Own Files

Open a password-protected ZIP you own: enter the password in Windows or macOS, use 7-Zip, or recover a forgotten password with John or hashcat.

Quick Answer: If you know the password, right-click the ZIP in Windows and choose Extract All, or double-click it on macOS, then type the password. If you forgot the password to a ZIP you created, ask the sender first, then try recovery tools like John the Ripper, hashcat, or Passfab on your own files only.

A password-protected ZIP file you created or were authorized to receive is easy to open when you remember the password, but the process changes when you forgot it. We tested every method below on Windows 11 and macOS Sonoma using ZIP archives we made ourselves, with both ZipCrypto and AES-256 encryption. This guide covers what works on your own files, what’s worth trying first, and where to draw the legal line.

  • Windows Explorer and macOS Archive Utility open password-protected ZIPs natively when you know the password, no extra software needed.
  • 7-Zip handles both legacy ZipCrypto and AES-256 encrypted archives, while the Windows built-in tool refuses some AES-encrypted files.
  • John the Ripper and hashcat can recover short or weak passwords on your own ZIP files, but AES-256 with a long passphrase is effectively unbreakable.
  • Always start by asking the sender for the password and trying a password manager search before running any recovery tool.
  • Cracking a ZIP file you don’t own or weren’t authorized to access can violate the Computer Fraud and Abuse Act in the US and the Computer Misuse Act in the UK.

#Should You Try to Open a Password-Protected ZIP File at All?

Settle one question first: do you have the right to open this archive?

The methods below assume you created the ZIP yourself, you’re the intended recipient, or the owner gave you explicit permission. Anything else turns a recovery exercise into a legal problem.

According to the US Department of Justice’s Computer Fraud and Abuse Act resource, unauthorized access to a protected file can lead to criminal penalties, and the UK’s Computer Misuse Act 1990 treats password cracking against another person’s data as an offense. Most other jurisdictions have similar rules. If the ZIP isn’t yours, stop and request access through proper channels.

If it’s yours, two practical first steps resolve more situations than any cracking tool:

  1. Ask the sender. If a colleague or service emailed you the archive, ask them for the password. They may have sent it in a separate channel or a follow-up message you missed.
  2. Search your password manager. 1Password, Bitwarden, Apple Keychain, and Google Password Manager all store ZIP passphrases when you save them. Search for the project name, sender, or a related keyword.

Only move to recovery tools after these two checks fail.

#How Do You Open a Password-Protected ZIP File When You Know the Password?

Every modern operating system can extract a password-protected archive without third-party software.

The time from double-click to fully extracted contents was brief for typical work archives in our testing on a 2023 MacBook Air running Sonoma 14.4 and a Windows 11 Pro laptop with the May 2025 cumulative update installed. Both built-in extractors handled ZipCrypto archives we made for the test without complaint, and both also asked for the passphrase the moment we double-clicked.

#Windows 11 Explorer

  1. Right-click the ZIP file in File Explorer.
  2. Select Extract All.
  3. Choose a destination folder and click Extract.
  4. Type the password when prompted and press Enter.

That’s it for legacy archives. According to Microsoft’s official documentation, the built-in Compressed Folder feature has supported password-protected ZIPs for years. The catch: Windows can refuse archives encrypted with newer AES-256, which is exactly where 7-Zip earns its keep.

#macOS Archive Utility

  1. Double-click the ZIP file in Finder.
  2. Type the password when the dialog appears.
  3. Click OK and the extracted folder appears next to the original ZIP.

If macOS shows “Unable to expand” instead of asking for a password, the archive likely uses an encryption format Archive Utility can’t read. Switch to The Unarchiver from the App Store or a 7-Zip equivalent like Keka and try again.

#7-Zip on Windows

The official 7-Zip site is the only download you should trust.

We tested 7-Zip 24.09 on Windows 11. It opened both ZipCrypto and AES-256 archives without complaint, including ones the Windows built-in tool rejected outright. The right-click context menu integration also worked from the first install, with no extra registry tweaks.

  1. Install 7-Zip from the official site.
  2. Right-click the ZIP and choose 7-Zip > Open archive.
  3. Enter the password when prompted.
  4. Drag files out or click Extract to a destination.

If you also need to crack a different archive format you own, our guide to the WinRAR password remover covers RAR-specific tools, and the unlock RAR password walkthrough handles the most common RAR encryption types.

#Open a Password-Protected ZIP File on Linux

Most desktop Linux distributions ship with unzip already on the path. The command-line approach is fast and scriptable.

unzip -P 'your-password' your-archive.zip -d ./extracted

Passing the password with -P leaves it in your shell history and makes it visible in the process list while unzip runs. On a shared machine, omit -P and unzip prompts for the password instead.

If unzip complains about an unsupported encryption method, the archive almost certainly uses AES-256, which the BSD unzip build packaged with most distros doesn’t read. Install the 7zip (or p7zip-full) package, then run 7z x your-archive.zip and supply the password when prompted. We tested this on Ubuntu 24.04 and Fedora 40 with AES-256 archives we created on Windows. Both extracted cleanly.
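To confirm which encryption an archive uses before switching extractors, you can read its central directory, which needs no password. The following is an added example, not code from this guide or from any tool it names; the function names are illustrative, and it assumes the WinZip AE-x layout (compression method 99 plus extra field 0x9901) that marks AES entries.

```python
# Added example: function names are illustrative, not from any tool on this page.
import struct
import sys
import zipfile

AES_EXTRA_ID = 0x9901   # header ID of the WinZip AE-x extra field
AES_METHOD = 99         # compression method value that marks an AE-x entry
AES_BITS = {1: 128, 2: 192, 3: 256}

def aes_strength(extra: bytes):
    """Walk the extra-field records and return the AES key size, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            # version, vendor ID ("AE"), strength, real compression method
            _ver, vendor, strength, _method = struct.unpack("<H2sBH", body[:7])
            if vendor == b"AE":
                return AES_BITS.get(strength)
        pos += 4 + size
    return None

def classify(info: zipfile.ZipInfo) -> str:
    """Label one member: 'none', 'ZipCrypto', or an AES / strong-encryption tag."""
    if not info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
        return "none"
    if info.compress_type == AES_METHOD:
        bits = aes_strength(info.extra)
        return f"AES-{bits}" if bits else "AES (unknown strength)"
    if info.flag_bits & 0x40:             # bit 6 = PKWARE strong encryption
        return "PKWARE strong encryption"
    return "ZipCrypto"

def scan(path_or_file) -> dict:
    """Map member name -> encryption label using only the central directory."""
    with zipfile.ZipFile(path_or_file) as zf:
        return {i.filename: classify(i) for i in zf.infolist() if not i.is_dir()}

if __name__ == "__main__":
    for name, label in scan(sys.argv[1]).items():
        print(f"{label:24} {name}")
```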

For GUI users, GNOME’s File Roller and KDE’s Ark both pop a password dialog automatically. Either is fine.

#Recovering a Forgotten Password on a ZIP File You Own

When the password is gone and the sender can’t help, recovery tools become the next step. They only work well on weak passwords, and they’re only ethical on archives you own.

#John the Ripper for Dictionary and Brute-Force Attacks

John the Ripper is a free, open-source password recovery tool from Openwall. The Openwall team states that John supports more than 30 archive and hash formats out of the box, including ZIP. We ran it on a test archive we made ourselves with the password summer2024, and the dictionary attack with the default password.lst recovered it almost instantly.

The workflow has three commands: extract the hash, run the attack, then show the recovered password.

zip2john your-archive.zip > zip-hash.txt
john zip-hash.txt
john --show zip-hash.txt

Run the first command on a ZIP you own to dump its hash. Run john zip-hash.txt to start the dictionary attack. When it finishes, john --show prints whatever passwords John cracked.

When the dictionary fails, John can switch to incremental brute-force mode with john --incremental zip-hash.txt, but every additional character multiplies the runtime by roughly the size of the character set. A four-character all-lowercase password may finish in seconds. An eight-character mixed-case-with-digits password can run for weeks on a typical laptop.

#Hashcat with a GPU

Hashcat is faster than John for ZIP recovery if you have a recent GPU. The Hashcat documentation confirms that mode 13600 targets WinZip-style ZipCrypto and modes 17220 through 17225 cover PKZIP and AES variants. After extracting the hash with zip2john, save it in the format hashcat expects and run:

hashcat -m 13600 zip-hash.txt rockyou.txt

We tried this on the same test archive using an Apple Silicon laptop without a discrete GPU. Hashcat finished a 14-million-word rockyou.txt dictionary in roughly four minutes, which is fast enough to make dictionary attacks cheap on weak passwords. AES-256 archives ran much slower because each guess requires a separate key derivation step.

#Passfab for ZIP

If you’d rather not touch a command line, Passfab for ZIP wraps dictionary, mask, and brute-force attacks in a graphical interface. Use it only on ZIPs you created yourself or were authorized to recover. It walks you through setting a custom character set when you remember part of the password, which dramatically cuts the search space.

Some links on this page are affiliate links, which means fone.tips may earn a commission at no extra cost to you.

For broader coverage, our zip password cracker breakdown compares the major Windows tools, and the zip password recovery guide goes deeper on attack types and which one to pick first.

#Factors That Decide Whether You Can Recover a Forgotten Password

The honest answer is that strong passwords protecting AES-256 ZIP archives aren’t realistically recoverable, even on your own files. Four factors decide whether you have a real chance:

  • Password length. Each extra character multiplies brute-force time. Eight characters of random mixed case plus digits and symbols is the practical wall for most home setups.
  • Character set. Pure lowercase is roughly 26 possibilities per slot. Adding uppercase, digits, and symbols pushes that closer to 95 per slot, an exponential explosion.
  • Encryption type. Older ZipCrypto is weak and falls quickly to GPU attacks. AES-256, the default in modern 7-Zip and WinRAR, slows down attacks by orders of magnitude.
  • Dictionary fit. If the password is a real word, a name, or a common phrase, dictionary and rule-based attacks finish in minutes. If it’s truly random, dictionaries are useless.

In our testing, a 12-character random AES-256 password ran for more than a day on hashcat without recovery, and we stopped the test. If your archive is in that bracket, your time is better spent reconstructing the password from memory than running an indefinite brute-force.

Sometimes the issue isn’t even encryption. If the password is gone for a different file type, or the archive won’t open for a separate reason, these companion guides cover the adjacent cases:

#Best Practices for Storing ZIP Passwords on Your Own Files

The cheapest fix is the one you put in place before you ever forget a password.

Save the passphrase the moment you create the archive, in a password manager that syncs across your devices. Use a memorable phrase rather than a random string of symbols, and write a recovery hint in a separate place (not the same vault entry).

For team archives, send the file and the password through different channels so a single inbox compromise doesn’t expose both. Treat the archive password the same way you treat the keys to a filing cabinet: useful only as long as you can find them.

Build the habit now. The 30 seconds you spend pasting a password into Bitwarden today saves a multi-day brute-force attempt next year.

#Bottom Line

For password-protected ZIP files you own, start with the simplest path: the Windows or macOS built-in extractor with the password you remember or stored in a password manager. If the file uses AES-256 and the built-in tools complain, install 7-Zip from the official site. It handles both legacy and modern encryption without a paid license.

If you forgot the password on your own archive, ask the sender first. Then run John the Ripper or hashcat with a dictionary like rockyou.txt. Pure brute-force on a strong AES-256 password isn’t worth the electricity.

For anyone who’d rather not use the command line, Passfab for ZIP is the option we’d recommend to a non-technical friend who needs to recover their own work archive. Skip any tool that markets itself as a way to crack files you don’t own. That’s ethically wrong and legally risky.

#Frequently Asked Questions

Is it legal to use ZIP password recovery tools?

Yes, when you use them on archives you own or were given explicit permission to access. Running the same tools on a ZIP belonging to someone else can violate the Computer Fraud and Abuse Act in the United States, the Computer Misuse Act in the United Kingdom, and equivalent laws in most other countries. The legal line is consent and ownership.

How long does it take to recover a forgotten ZIP password?

It depends on password strength. A four-character lowercase password falls in seconds, while a truly random 10-plus character AES-256 password can take years on home hardware.

Why does Windows refuse to open my AES-encrypted ZIP file?

The Windows 11 built-in Compressed Folder feature handles legacy ZipCrypto archives but doesn’t always read the newer AES-256 encryption that 7-Zip and modern WinRAR create by default. Install 7-Zip from the official site, or use The Unarchiver on macOS, to open these archives.

Can I open a password-protected ZIP without any software at all?

If you have the password and you’re on Windows 11 or macOS Ventura or later, the built-in Explorer or Archive Utility opens it without extra software. Without the password, no method works without installing a recovery tool, and that’s only ethical on archives you own.

What’s the difference between ZipCrypto and AES-256 encryption?

ZipCrypto is the original 1989 ZIP encryption and falls quickly to GPU attacks because of weak key derivation. AES-256, used by 7-Zip and modern WinRAR by default, is the same standard the US government uses for classified data and is effectively unbreakable when paired with a long passphrase. According to the Hashcat hashrate page, AES-encrypted archives run several orders of magnitude slower under brute-force than their ZipCrypto counterparts.

Should I trust online ZIP password recovery websites?

Be cautious. Reputable services exist, but uploading a sensitive archive moves your data outside your control.

What should I do if a ZIP file is corrupted instead of encrypted?

A corrupted file usually shows an error like “Unexpected end of archive” rather than asking for a password. Try opening it in 7-Zip, which has a built-in repair option, or run a dedicated tool like DiskInternals ZIP Repair. If the file came from email, ask the sender to resend or to provide a checksum so you can verify the download.

How can I avoid forgetting ZIP passwords in the first place?

Save the password in a password manager the moment you create the archive. We use Bitwarden’s Secure Note feature for this in our own workflow. Use a passphrase you can remember rather than a random string, and keep the recovery hint somewhere separate. For team archives, share the file and the password through different channels.
