I've written (and have been improving I hope) a password recovery tool for a while now, and it includes support for Armory (that was the first wallet it supported as a matter of fact). You can find it here (it's open source):
https://github.com/gurnec/btcrecover; the quick start is here:
https://github.com/gurnec/btcrecover/blob/master/TUTORIAL.md#btcrecover-tutorialAlthough it's not the easiest to use, it is fairly well documented, and it doesn't required that you send your wallet information to anyone else if that's a problem (if you run it offline, of course).
It's also probably faster than any alternative -- it's multi-threaded, so if you have a quad-core CPU, it'll run about four times faster than most alternatives. It also supports GPU-accelerated searches, although it's not very effective on that front for Armory.
*Instead of directly encrypting the private key with the user passcode, we could encrypt the private key with a long random key, which is encrypted with the user passcode. When a user forgot the passcode, he may pay other people to brute-force the random key, without the risk of losing bitcoin.
That would be
excellent. Of all of the
wallets currently supported by btcrecover, Armory is the
only one where I couldn't find a way to extract enough information from a wallet file to test for passwords
without putting funds at risk.
Armory encodes private keys as 32-bit blobs with
no padding (which is not a weakness by any means, just an inconvenience when it comes to this particular task). Every other wallet I've encountered so far offers some form of "trick" that allows me to extract only a portion of a private key (or a hash thereof) for password testing purposes. For example, many wallets add PKSC7 padding to the end, which allows me to extract just 16 bytes of key material (50%) plus the (useless) 16-byte padding in order to search for passwords. Others encode their passwords in hex or base58 prior to encryption, which allows a similar trick of extracting only a portion of any private key/seed material. It's not that Armory is inferior for being more concise (by not including padding and by using binary instead of unnecessary encoding) -- it's just that it's the only wallet I've encountered so far where you need an entire private key to test for password validity.
*** It depends a whole lot on your GPU memory size and the KDF parameters used during wallet creation to determine whether or not GPU-based acceleration can help in password searches. Armory's excellent use of ROMix makes GPU acceleration hard (even with btcrecover's time-space tradeoff), so a GPU might help by a factor of 5x or so, or it might not help at all....
** which in combination with the (unencrypted) chaincode and master public key does put funds at risk