Monero GUI Wallet Password Recovery — .keys File Decryption (Hashcat 14100)

Q: Where does Monero GUI store the .keys wallet file?

Monero GUI wallet saves two key files when a wallet is created: a .keys file (contains the encrypted private keys) and a .address file (contains the public address). On Windows they are in the wallet location you chose at creation, on macOS at ~/Monero/wallets/, and on Linux at ~/Monero/wallets/ or the directory you selected. The .keys file is the critical file for password recovery.

Q: What encryption does Monero GUI use for the .keys file?

Monero uses AES-256-CBC encryption for the private spend key and private view key stored in the .keys file. The encryption key is derived from the wallet password using a CryptoNight-based key derivation function. This makes Monero attacks significantly slower than Bitcoin wallet attacks because CryptoNight is memory-hard and was designed specifically to resist GPU acceleration.

Q: Can I recover Monero without the .keys file?

Only if you have the 25-word Monero mnemonic seed. Monero uses its own mnemonic format (not BIP39) based on a 1626-word list. If you have the seed, you can restore the wallet in any Monero wallet without the password. The .keys file is only needed when the seed was lost but the encrypted keys file remains.

Q: Why is Monero password recovery slower than Bitcoin?

Monero's key derivation uses CryptoNight, a memory-hard proof-of-work hash function designed to resist ASIC and GPU acceleration. This means each password candidate requires significant memory and computation, making brute-force attacks 100-1000x slower than PBKDF2-based wallets. A Bitcoin Core wallet (mode 11300) can be tested at ~200 KH/s on an RTX 4090, while a Monero keys file might achieve only 100-500 H/s.

Q: Is there a hashcat mode for Monero .keys files?

Hashcat mode 14100 targets Monero .keys files. It supports both the original MyMonero format and the standard Monero .keys format. Mode 14100 uses CryptoNight-0 (the original CryptoNight variant) for key derivation, followed by AES-256-CBC decryption verification.

Monero (XMR) is the leading privacy-focused cryptocurrency, using ring signatures, stealth addresses, and RingCT to obscure transaction details. Its wallet encryption reflects the same security philosophy — the key derivation uses CryptoNight, a memory-hard hash function purpose-built to resist GPU and ASIC acceleration. This makes Monero password recovery significantly more challenging than Bitcoin or Ethereum wallet recovery.

Crucial: If you have your 25-word Monero mnemonic seed written down, stop now. Uninstall and reinstall Monero GUI, choose "Restore wallet from seed," enter the 25 words, and set a new password. The .keys file and old password are irrelevant — the seed is the master secret for all XMR.

About Monero GUI Wallet

The Monero GUI wallet is the official graphical interface for Monero, developed by the Monero core team. It supports both local (full node) and remote node connections. Key characteristics:

25-word mnemonic seed — Monero uses its own mnemonic system (not BIP39) with a 1626-word list
.keys file — encrypted container holding the private spend key and private view key
CryptoNight KDF — memory-hard key derivation designed to resist hardware acceleration
Subaddress support — unlimited stealth addresses derived from the master seed
Ring signatures + RingCT — transaction privacy through mixins and confidential transactions

Monero wallet encryption details

Parameter	Details
KDF	CryptoNight-0 (memory-hard, ~2 MB per hash)
Cipher	AES-256-CBC (chacha20 in some newer builds)
Key length	256 bits
Encrypted data	Private spend key + private view key
Wallet file format	.keys (binary) + .address (text)
Seed format	25-word Monero mnemonic (1626-word list)
Hashcat mode	14100
GPU speed (RTX 4090)	~500-2,000 H/s

Locating the .keys file

Monero GUI wallet file locations

Windows (default): C:\Users\[Username]\Monero\wallets\
macOS (default): ~/Monero/wallets/
Linux (default): ~/Monero/wallets/

The wallet consists of three files: walletname (the blockchain cache), walletname.keys (encrypted keys), and walletname.address (public address). The .keys file is what you need for password recovery.

Extracting the hash for hashcat mode 14100

Hashcat mode 14100 targets Monero .keys files. You need to extract a hash in the correct format using the monero2john.py tool from John the Ripper's bleeding-jumbo branch:

# Install John the Ripper bleeding-jumbo (or just monero2john.py)
# Extract the hash from the .keys file
python3 monero2john.py MyMoneroWallet.keys > monero.hash

# The extracted hash looks like:
# MyMoneroWallet.keys:$monero$0*4c6f7374204d6f6e65726f...*...*...

# Run hashcat with mode 14100
# Dictionary + rules
hashcat -m 14100 -a 0 monero.hash rockyou.txt \
    -r OneRuleToRuleThemAll.rule -w 3

# Mask attack for partial known passwords
hashcat -m 14100 -a 3 monero.hash "?u?l?l?l?l?l?d?d" \
    --increment --increment-min=6 --increment-max=10 -w 3

# Hybrid: dictionary prefix + brute suffix
hashcat -m 14100 -a 6 monero.hash personal-words.txt ?d?d?d?d -w 3

# NOTE: Due to CryptoNight's memory-hard properties,
# hashcat must allocate ~2 MB per hash instance.
# Reduce -w and avoid running multiple instances for best stability.
# Expect 500-2000 H/s on an RTX 4090 — this is 100-1000x slower
# than Bitcoin Core (mode 11300).

Understanding CryptoNight key derivation

The reason Monero recovery is so much slower than Bitcoin or Ethereum is the CryptoNight hash function. Originally designed for Monero's proof-of-work mining, CryptoNight is memory-hard:

Each hash requires approximately 2 MB of fast memory (scratchpad)
The scratchpad is filled with AES-encrypted blocks, then repeatedly read and written in a latency-sensitive loop
This design makes it resistant to GPU acceleration — GPUs have high memory bandwidth but the latency-bound random-access pattern favours CPUs
Hashcat implements CryptoNight-0 for mode 14100, but performance is limited by memory latency, not compute

Practically, this means that attacking a Monero .keys file is approximately 100-1000x slowerper candidate than attacking a Bitcoin Core wallet.dat. A password that would take 1 day to crack on Bitcoin Core might take 3-12 months on Monero — if it is even feasible at all.

Recovery feasibility

Feasible

• Very short password (4-6 characters)
• Password is a single dictionary word
• You remember 80%+ of the password
• Password was used in other contexts (reused)
• You have the .keys file and good hints

Likely impossible

• 8+ character random password
• No .keys file (only seed or nothing)
• Password manager generated string
• No hints about password structure
• Wallet was created with Monero CLI (different encryption)

Alternative: CPU-based attacks with xmrig

Because CryptoNight is memory-bandwidth and latency-bound, CPU-based attacks can actually be competitive with GPU attacks for this specific hash. The monero2john hash can also be fed to John the Ripper (CPU-only mode) which may perform similarly to hashcat on GPU:

# CPU-based attack with John the Ripper
john --format=monero monero.hash --wordlist=candidates.txt

# Alternatively, use a threaded Python script with monero-python
# to verify passwords directly against the .keys file
python3 << 'PY'
import monero.wallet

# Try passwords directly against the wallet
# (This is slower per-check but uses the official implementation)
wallet_path = "MyMoneroWallet"
with open("candidates.txt") as f:
    for line in f:
        pw = line.strip()
        try:
            wallet = monero.wallet.Wallet(wallet_path, password=pw)
            balance = wallet.balance()
            print(f"PASSWORD FOUND: {pw}")
            break
        except Exception:
            pass
PY

Step-by-step recovery guide

Back up the .keys file. It is the only thing that can be attacked. Without it, you need the 25-word mnemonic seed.
Run monero2john.py against the .keys file to produce a hashcat-compatible hash.
Build a tight candidate wordlist — since each guess is expensive (500-2000 H/s max), every candidate must count. An unfocused wordlist of 10 million words would take hours just to test the base words, never mind rules.
Start with the most likely candidates: short passwords, reused passwords, personal words with year suffixes. Use brute-force mask attacks only as a last resort for very short patterns (4-6 known characters + 2-3 unknown).
Run hashcat mode 14100 on the most powerful GPU available. An RTX 4090 cluster is ideal. Let it run for days or weeks if the password is critical.
If hashcat does not find it, consider professional recovery. We have both GPU and distributed CPU clusters optimised for CryptoNight workloads.

Need Monero recovery help?

Monero is the hardest wallet to recover due to CryptoNight. We have optimised GPU clusters running hashcat 14100 around the clock. Submit your .keys file and get a feasibility assessment — you pay only if we find the password.

Submit Monero .keys Free format check

Important: 25-word seed vs .keys file

Monero uses a 25-word mnemonic seed that encodes the private spend key. This is fundamentally different from BIP39:

You have the 25-word seed

Restore in any Monero wallet (GUI, CLI, Cake Wallet, Monerujo). No password recovery needed. The seed is all that matters for access to funds.

You only have the .keys file

Password recovery via hashcat mode 14100 is the only path. This is computationally expensive (CryptoNight memory-hard KDF). Success depends on password strength and hints.

Related guides

Bitcoin Core wallet.dat recovery — comparison: PBKDF2 vs CryptoNight.
Electrum wallet password recovery — Bitcoin wallet with much faster KDF.
Avoid crypto recovery scams — especially relevant for Monero given the difficulty.

Frequently asked questions

Where does Monero GUI store the .keys wallet file?

In ~/Monero/wallets/ (Linux/macOS) or C:\Users\[Username]\Monero\wallets\ (Windows) by default, or the directory you selected at wallet creation.

What encryption does Monero GUI use for the .keys file?

AES-256-CBC with key derivation via CryptoNight-0 (memory-hard, ~2 MB scratchpad per hash). This is deliberately slow to resist brute-force attacks.

Can I recover Monero without the .keys file?

Only with the 25-word Monero mnemonic seed. Without both the .keys file and the seed, Monero funds cannot be recovered — the CryptoNight encryption is deliberately strong.

Why is Monero password recovery slower than Bitcoin?

Because Monero uses CryptoNight, a memory-hard proof-of-work hash, as its KDF. It requires ~2 MB of fast memory per hash and is latency-bound, making GPU acceleration 100-1000x less effective than for PBKDF2-based wallets.

Is there a hashcat mode for Monero .keys files?

Yes, hashcat mode 14100 supports Monero .keys files. Extract the hash with monero2john.py from John the Ripper's bleeding-jumbo branch.