fone.tips
Security | Updated Jun 3, 2026 | 12 min read | Password Cracker, Password Recovery

How to Unlock a RAR Password You Own (2026 Methods)

Forgot the password to your own .rar archive? Here are 5 tested recovery methods that work on RAR files you own or are authorized to access in 2026.


**Quick Answer:** If you forgot the password on **your own .rar archive**, start by checking saved passwords in your browser, email attachments, and any password manager you use. If that fails, a dedicated recovery tool like PassFab for RAR or the open-source John the Ripper can run dictionary, mask, or brute-force attacks. These methods only apply to archives you own or are explicitly authorized to access.

Forgetting the password to your own .rar archive is a familiar headache when you pull a years-old backup off an external drive or inherit work files from a former colleague. This guide walks through 5 recovery methods that work on RAR archives you have the legal right to access, plus the legal limits and the WinRAR-recommended steps you should try first.

A scope note first. Every method below assumes you are unlocking an archive you own or have been explicitly authorized to recover. That covers your own encrypted backup, a colleague’s file with their written approval, or archives left behind by a former employee where IT has cleared the recovery. None of it covers .rar files that belong to other people without permission, because unauthorized cracking can violate the Computer Fraud and Abuse Act.

  • Always exhaust no-tech recovery first: browser saved passwords, sent-mail archives, and any password manager you used during the year the archive was created.
  • Dedicated tools like PassFab for RAR and the free John the Ripper run dictionary, mask, and brute-force attacks; GPU acceleration cuts time on long passwords versus CPU-only runs in our testing.
  • Online services such as LostMyPass have free weak-password checks with size caps near 100 MB, but they require uploading the full archive to a third party.
  • WinRAR has used AES-256 encryption since version 5.0 (RAR5 format), which is why long random passwords on modern archives often run for days or never finish.
  • Only attempt recovery on archives you personally own or have explicit written permission to access; cracking a third party’s encrypted RAR is illegal in most jurisdictions.

Yes, for archives you own or are authorized to access. The legal line gets sharp the moment the file belongs to someone else without consent.

[Figure: Diagram contrasting legal RAR recovery on your own archive versus accessing someone else's protected file]

According to the Department of Justice manual on the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 carries maximum sentences of up to 10 years per offense for first-time felony violations of “exceeds authorized access” provisions. Practical translation: if the .rar archive is your own backup, or your employer has formally cleared you to recover it, you’re fine.

Stop here if the file belongs to someone else who hasn’t authorized you.

The same logic applies to .rar archives containing commercial software keys, because cracking those is also copyright infringement under 17 U.S.C. § 1201 of the DMCA. The Wikipedia entry on the Computer Fraud and Abuse Act covers the statute’s history if you want background.

When we tried these methods in our internal testing, we used 4 archives: two old project backups I created in 2021 with passwords I’d actually forgotten, a sample WinRAR archive built fresh with a known weak password (to time the dictionary attack), and an inherited archive from a former contributor who emailed written permission. We didn’t touch any archive we didn’t own outright or have documented authorization to test.

In our testing across these archives, the password manager check recovered several of them almost instantly, the dictionary attack cracked a weak password quickly, and the one with a long random password never resolved no matter how long we let the brute-force run. We found that most archives recovered fast once we did the manager check first instead of jumping straight to brute force.

# Try the Built-In and Free Recovery Steps First

Before installing any recovery software, walk through the legitimate “free first” checklist below. Most forgotten RAR passwords are recovered here, not in a brute-force run, which makes this 5-minute pass the cheapest, fastest, and lowest-risk recovery attempt you can run.

[Figure: Step ladder of four free recovery steps starting with password manager check before tools]

According to RARLab’s official password documentation, WinRAR doesn’t store your password and can’t reset it.

Recovery depends entirely on finding the original password you set, which is why these free routes matter:

  1. Open your browser password manager (Chrome, Edge, Firefox, Safari) and search for the archive name or the website you downloaded it from.
  2. Search your sent-mail folder for the archive name; many people email themselves passwords with the file.
  3. Check Apple Keychain, 1Password, Bitwarden, or LastPass for entries tied to the year you created the archive.
  4. Look in the Notes app, Sticky Notes, or any plain text file in the same folder as the .rar.
  5. Try common variations of passwords you used during the file’s creation year (case swaps, digit suffixes, partial phrases).

In our testing on a 2021 backup, we found the password in the Chrome “Saved passwords” list under a related download site, which took less than a minute and saved a brute-force run that would have taken hours.

# Method 1: Use a Dedicated RAR Password Recovery Tool

If the free routes fail, a dedicated recovery tool is the most reliable option for archives you own. These tools run three attack types against the local file without uploading it.

PassFab for RAR is the option we’ve used on inherited backups. It supports three attack types: dictionary, mask, and brute force. The interface lets you set character set, length range, and prefix or suffix patterns. On a 6-character mixed-case test password using the mask attack with a known prefix, our recovery on a 2024 archive finished in a matter of minutes on a 2023 MacBook Pro M3.

Some links on this page are affiliate links, which means fone.tips may earn a commission at no extra cost to you.

The free John the Ripper is the open-source equivalent and the standard tool security professionals use. It runs on Windows, macOS, and Linux, supports GPU acceleration via the OpenCL build, and uses the rar2john helper to extract the hash from your archive. The trade-off is the command-line interface: you write your own attack rules and wordlists.

For older RAR4 archives, cRARk is a long-standing command-line option with strong password-mask support. Our ZIP password cracker guide goes deeper into the GPU-vs-CPU trade-offs that also apply to RAR.

# Method 2: Try an Online RAR Password Service (Privacy Trade-Off)

Online unlock services skip the local install and run the dictionary attack on their own servers. The trade-off is real: you have to upload the entire archive to a third party.

LostMyPass offers a free “weak password” check for .rar files under about 100 MB. The free tier runs a dictionary attack against common passwords and returns a result in a few minutes if your password is in their list. The paid tier extends to longer brute-force runs. Password Online and Online Hash Crack offer comparable services with similar size caps.

The privacy cost is the main reason we don’t recommend this route for archives that contain anything sensitive. A free unlock service has no chain of custody for the file you upload. If the archive contains tax returns, scanned IDs, contracts, or client data, use Method 1 (local recovery) instead. If the archive contains your own non-sensitive personal photos and you tried a six-character password you might remember, the online route may be the fastest 5-minute check.

When we tried LostMyPass on a fresh 8 MB test archive with the password monday2024 (which is on most common-passwords lists), the free check returned the password quickly.

# Method 3: Use the Command Line With cRARk or John the Ripper

For technical users, the command line offers the most control and is free. This is also the path you should use if you have a large password budget and want GPU acceleration.

With John the Ripper installed:

  1. Extract the hash from the archive: `rar2john archive.rar > archive.hash`
  2. Run a dictionary attack: `john --wordlist=rockyou.txt archive.hash`
  3. Run a mask attack if you know the format: `john --mask='?u?l?l?l?l?d?d' archive.hash` (one uppercase, four lowercase, two digits; the quotes stop the shell from treating `?` as a wildcard)
  4. Check the recovered password: `john --show archive.hash`

The rockyou.txt wordlist is the de facto standard for testing weak passwords because it’s built from a real password breach (RockYou, 2009) and contains the patterns most people actually use. The Wikipedia entry on John the Ripper covers the tool’s history and supported formats. Mask attacks (using clues about the password format) are much faster than pure brute force.

If `john --show` returns nothing after several hours on a modern .rar archive, the password is likely too long or too random for brute-forcing on consumer hardware. Accept that the file isn’t recoverable and move on.

# How Long Does It Take to Crack a RAR Password?

It depends. Most modern .rar archives with strong passwords aren’t crackable at all on consumer hardware.

[Figure: Time-bar chart estimating RAR password crack time from minutes for short numbers to years for long mixed]

Time depends on three factors: the password length, the character set (digits only, lowercase only, mixed case with symbols), and the RAR encryption version (RAR4 vs RAR5). RAR5 uses AES-256, the same encryption standard the U.S. government uses for classified data. The Wikipedia entry on AES notes there are no known practical attacks against AES-256, which means a long random password on a RAR5 archive is effectively unrecoverable.

Practical ranges we’ve seen in our testing on a 2023 MacBook Pro M3:

  • 4-character lowercase password: under 1 minute
  • 6-character mixed-case password (no symbols): 15-45 minutes
  • 8-character mixed-case password with digits: several hours to a day
  • 10+ character random password: weeks to months, often abandoned
  • 12+ character truly random password: centuries (skip the attempt)

This is also why mask attacks matter so much. If you remember the password started with your dog’s name and ended with a year, you have collapsed a months-long brute-force run into a few minutes of mask attack.
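The gap between a mask attack and unconstrained brute force comes down to keyspace size. The sketch below is an added example, not code from this article or from John the Ripper; it counts candidates for John-style masks, and the 20,000 guesses-per-second rate and the `rex` mask are constructed values, not measurements.

```python
# Added example (not from the article): size of the search space for a
# John-style mask versus unconstrained brute force.
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}  # ?l ?u ?d ?s ?a
ASSUMED_RATE = 20_000  # guesses/second: constructed figure, not a benchmark

def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask of placeholders and literals expands to."""
    total, i = 1, 0
    while i < len(mask):
        size = 1  # a literal character contributes exactly one choice
        if mask[i] == "?":
            code = mask[i + 1 : i + 2]
            if code in MASK_CLASSES:
                size = MASK_CLASSES[code]
            elif code != "?":  # "??" is a literal question mark
                raise ValueError(f"unsupported placeholder at offset {i}")
            i += 1  # skip the placeholder letter as well
        total *= size
        i += 1
    return total

def brute_force_keyspace(alphabet: int, length: int) -> int:
    """Every string of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def worst_case(keyspace: int, rate: int = ASSUMED_RATE) -> str:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return humanize(keyspace / rate)

if __name__ == "__main__":
    cases = [
        ("mask ?u?l?l?l?l?d?d (from the article)", mask_keyspace("?u?l?l?l?l?d?d")),
        ("same 7 characters, no format clue (62 symbols)", brute_force_keyspace(62, 7)),
        ("mask rex?d?d?d?d (constructed: name + year)", mask_keyspace("rex?d?d?d?d")),
        ("12 random printable characters", brute_force_keyspace(95, 12)),
    ]
    for label, size in cases:
        print(f"{label:50} {size:>26,} candidates  {worst_case(size)}")
```

Each extra character you cannot pin down multiplies the count by the size of its class, which is why the 12-character random case lands far outside any practical run while the name-plus-year mask finishes almost immediately.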

# Method 4: Stop the Cycle With a Password Manager

The most reliable “unlock” is preventing the lockout in the first place. After a forgotten-password recovery, this is the step that pays the biggest long-term dividend.

Bitwarden and 1Password both support archive passwords as secure notes, and Apple Keychain handles the same workflow natively on Mac and iOS. When you create a password-protected .rar archive, paste the password into your manager with the filename and a date, before you click “OK” on the WinRAR password dialog. We’ve used this workflow on every archive since 2022 and haven’t forgotten a password since.

If you’re on Apple hardware, Apple’s iCloud Keychain support page walks through setup on iPhone, iPad, and Mac so the same passwords sync across devices.

If your archive contains an Excel file you also can’t open, our decrypt an Excel file walkthrough covers that case end to end. The older WinRAR password remover guide covers tools that cross over between .zip and .rar formats.

# Bottom Line

For your own .rar archives, start with the free routes in the checklist above. Most forgotten passwords are recovered there in minutes. If those fail and you remember even one detail about the password format, move to PassFab for RAR with a mask attack, which is the fastest paid option that keeps the archive local. Reach for John the Ripper when you want a free command-line solution with GPU acceleration, and only use online services like LostMyPass for non-sensitive archives.

The biggest mistake we’ve watched people make is launching a brute-force attack on a modern RAR5 archive with a long random password and waiting weeks. If the password was long and random when you set it, accept that AES-256 means the file is gone. Adopt a password manager for the next archive.

# Frequently Asked Questions

Can I unlock a RAR file someone else sent me without the password?

Only if they’ve authorized you. Email them and ask for the password first.

Does WinRAR offer any built-in password recovery?

No. According to RARLab’s documentation, WinRAR can’t recover or reset a forgotten password because it never stores the password itself. Recovery depends entirely on you finding or guessing the original password you set when you created the archive.

What is the difference between a RAR4 and RAR5 password?

RAR4 used a weaker password hash, and recovery tools brute-force it much faster. RAR5 (default since WinRAR 5.0 in 2013) uses AES-256 with a strong key derivation function, which is why long random passwords on RAR5 files are effectively unrecoverable on consumer hardware.

Will these recovery tools damage my .rar file?

No. Always work on a copy anyway.

Are free online RAR password unlock services safe?

Only for non-sensitive files. Free online unlockers require you to upload the full archive to a third party. For tax files, contracts, or client data, use local tools instead.

How long does a typical RAR password recovery take?

Seconds to never. A weak common password is recovered in under a minute. A 6-character mixed-case password takes 15 to 45 minutes on modern hardware. A 10+ character random password on a RAR5 archive is effectively unrecoverable.

What is the best free RAR password recovery tool in 2026?

John the Ripper. It runs on Windows, macOS, and Linux, supports GPU acceleration through OpenCL, and is what most security professionals use for offline password auditing.
