In 2006, a well-known IT security forum ran a challenge: recover any data from a hard drive after a single overwrite pass. The prize pool reached over $1,000. No one claimed it. Nearly twenty years later, no one has. Yet millions of people still spend entire days running 7-pass, 35-pass, or even more aggressive multi-pass wipes on their drives, burning through hours of electricity and wear based on advice that was already outdated before the first iPhone was released.
Key Takeaways:
- A single overwrite pass is sufficient to make data unrecoverable on any modern hard drive, per NIST 800-88 guidance
- The DoD 5220.22-M 3-pass standard was designed for 1990s-era drives and has been retired by the DoD itself
- Peter Gutmann publicly stated his 35-pass method is overkill for modern hardware
- A 7-pass wipe of a 1TB drive takes 14-28 hours vs. 2-4 hours for one pass, with no security benefit
- Multi-pass wiping on SSDs is actively harmful, adding wear without reaching all stored data
Where the Multi-Pass Myth Came From
The story begins in 1996, when Peter Gutmann, a computer scientist at the University of Auckland, published a paper titled "Secure Deletion of Data from Magnetic and Solid-State Memory." In it, he described a 35-pass overwrite method designed to defeat sophisticated recovery techniques that could theoretically read residual magnetic signals from hard drive platters.
There is a critical detail that almost everyone who cites the Gutmann method ignores: his 35 passes were designed for specific obsolete drive encoding schemes. The paper targeted MFM (Modified Frequency Modulation) and RLL (Run-Length Limited) encoding methods used in drives from the 1980s and early 1990s. Each set of passes targeted a specific encoding technology — if you were wiping an MFM drive, only a subset of those passes was relevant. The full 35-pass sequence was a shotgun approach covering every encoding type in one run.
Around the same time, the U.S. Department of Defense maintained its 5220.22-M standard, which specified a 3-pass overwrite process for sanitizing drives containing classified information. The original process wrote a character, then its complement, then a random character, verifying after each pass. Through a combination of misinterpretation, IT folklore, and the natural human tendency to err on the side of caution, the "3 passes" gradually inflated to 7 in common practice. Some interpretations ran the 3-pass cycle twice and added a final random pass. Others just picked 7 because it felt safer.
Neither Gutmann nor the DoD intended their recommendations to apply to modern hardware. But by the early 2000s, "7-pass DoD wipe" had become the default advice in IT departments, security blogs, and software interfaces around the world.
Why Multi-Pass Made Sense in the 1990s
To understand why Gutmann's approach was reasonable for its time, you need to understand how older hard drives stored data.
Early hard drives used analog recording methods with relatively low areal density — roughly 1 to 10 megabits per square inch. The magnetic transitions that represented data were large and spaced far apart. When new data was written over old data, the previous magnetic signal was not perfectly eliminated. A faint residual trace of the old signal remained alongside the new one, like a palimpsest where old text shows through beneath new writing.
With specialized equipment like a magnetic force microscope (MFM), a skilled technician could theoretically measure these residual traces and reconstruct the original data. Gutmann's multiple passes, each using carefully chosen bit patterns, were designed to neutralize these residual signals across different encoding schemes.
The DoD's 3-pass approach operated on a similar principle: overwriting with a value, its complement, and then random data would make any residual signal analysis significantly more difficult.
On a 40MB or 200MB drive from 1996, running 35 passes was also not that painful. The whole process might take an hour.
Why Multi-Pass Is Pointless on Modern Drives
Modern hard drives bear almost no resemblance to their 1990s ancestors in the ways that matter for data recovery.
Areal density has exploded. Today's drives pack over 1 terabit (1,000,000 megabits) per square inch — roughly 100,000 times denser than the drives Gutmann was writing about. At this density, the magnetic domains representing individual bits are so small that any residual signal after a single overwrite is indistinguishable from noise. There is simply no physical mechanism to read the previous state of a bit through the new data.
Recording technology has changed completely. Modern drives use PRML (Partial Response Maximum Likelihood) read channels, perpendicular magnetic recording (PMR), and now shingled magnetic recording (SMR) or heat-assisted magnetic recording (HAMR). These technologies make the analog residual-signal analysis that Gutmann's method was designed to defeat physically irrelevant.
The research confirms it. Craig Wright, Dave Kleiman, and Shyaam Sundhar published a study in 2008 examining data recovery after overwriting on modern drives. Their findings were definitive: the probability of recovering a single bit after one overwrite was approximately 56% — barely better than a random guess. Recovering a complete byte (8 bits in a row) dropped to less than 1%. Recovering any meaningful quantity of data — a file, a document, an email — was statistically impossible.
NIST SP 800-88, the current authoritative guidance for media sanitization used by U.S. federal agencies and widely adopted globally, makes this explicit. A single overwrite pass with a fixed data value (such as all zeros) meets the Clear sanitization level for hard drives. No multi-pass procedure is required or recommended.
Bottom Line: One pass is enough. The science, the standards, and twenty years of failed recovery attempts all agree. Every additional pass is wasted time.
The Real Math: What Multi-Pass Costs You
The performance penalty for multi-pass wiping is not trivial. The time to overwrite a hard drive scales linearly with the number of passes because each pass must write to every addressable sector on the drive.
Here is what a typical 1TB SATA hard drive at 120 MB/s sustained write speed looks like:
| Passes | Method | Time (1TB HDD) | Time (4TB HDD) |
|---|---|---|---|
| 1 | NIST 800-88 Clear | 2-3 hours | 8-12 hours |
| 3 | DoD 5220.22-M (original) | 6-9 hours | 24-36 hours |
| 7 | DoD 5220.22-M (inflated) | 14-21 hours | 56-84 hours |
| 35 | Gutmann | 70-105 hours | 280-420 hours |
That last row is not a typo. A Gutmann 35-pass wipe on a 4TB drive can take over two weeks of continuous operation. For a drive that needs to be wiped before recycling, that is two weeks of electricity, two weeks of equipment tied up, and two weeks of a drive spinning under heavy load — all for zero security improvement over a 3-hour single pass.
For enterprise environments wiping dozens or hundreds of drives, the math is even worse. An IT department processing 50 drives through a 7-pass wipe instead of a single pass turns a 2-day project into a 2-week project for zero security gain.
Gutmann Himself Says Stop
Perhaps the most compelling argument against the 35-pass method comes from Peter Gutmann himself. In an epilogue he later added to his original paper, he wrote:
"In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to ward off evil spirits than the result of a technical analysis of drive encoding techniques... For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do."
Gutmann explicitly acknowledged that his method was misunderstood and misapplied. The 35-pass sequence was never intended as a universal prescription. It was an academic exercise covering every known encoding type of its era, and it stopped being relevant when those encoding types disappeared from the market.
Why Software Vendors Still Offer Multi-Pass Options
If one pass is enough, why does every disk wiping tool still offer 3-pass, 7-pass, and 35-pass options? The answer is a mix of marketing psychology and procurement inertia.
Customer expectations. People associate more passes with more security. It feels intuitively true — if one coat of paint covers a surface, surely three coats cover it better. This analogy does not hold for data overwriting, but it drives purchasing decisions. A tool that only offers a single-pass option looks less capable next to one advertising "DoD-certified 7-pass erasure."
Legacy compliance checklists. Many organizations have security policies written a decade ago that specify DoD 5220.22-M by name. Updating a corporate policy requires committee reviews and executive sign-off. It is often easier to keep running the 7-pass wipe than to push a policy update — even when the policy references a standard the DoD itself has abandoned.
No downside for the vendor. Offering multi-pass options costs a software developer nothing. It does not make the product worse, and it gives sales teams another bullet point. There is no incentive to remove a feature that some customers specifically search for.
The SSD Problem: Multi-Pass Is Actively Harmful
Everything discussed so far applies to traditional spinning hard disk drives. For solid-state drives, multi-pass wiping is not just pointless — it is counterproductive.
SSDs store data in NAND flash cells organized behind a flash translation layer (FTL). The FTL acts as an intermediary between the operating system and the physical storage cells, remapping writes to ensure even wear across the drive. This process, called wear leveling, means that a software overwrite command has no control over which physical cells get written to. When you overwrite a file, the SSD may write the new data to a completely different set of cells, leaving the original data intact in the old cells.
SSDs also maintain over-provisioned space — extra capacity not accessible to the operating system. No software-based overwrite, whether one pass or thirty-five, can reach into the over-provisioned area.
Running multiple overwrite passes on an SSD therefore does three things, all bad:
- Burns through write cycles. NAND flash cells can only be written a finite number of times before they wear out. Unnecessary write passes shorten the drive's lifespan.
- Takes longer. Just like with HDDs, each pass multiplies the total time.
- Still does not erase all data. The fundamental problem — wear leveling and over-provisioning — persists regardless of pass count.
For SSDs, the correct approach is a firmware-level command: ATA Secure Erase, NVMe Sanitize, or a cryptographic erase (which destroys the encryption key, rendering all data on the drive unreadable). These commands operate below the FTL and address all cells, including over-provisioned areas. Read our SSD secure erase guide for the step-by-step process.
What You Should Actually Do
For HDDs, use a single-pass overwrite with a recognized tool. DBAN is free and effective for personal use. BitRaser provides certified erasure reports for business and compliance needs. Both support single-pass NIST 800-88 compliant wipes. Select the single-pass option, let it run, and move on.
For SSDs, skip software overwriting entirely and use firmware-level erasure commands, either through your drive manufacturer's utility or through a tool like BitRaser that supports ATA Secure Erase and NVMe Sanitize.
For a complete walkthrough, see our guide to wiping a hard drive or our breakdown of how many passes you actually need.
Frequently Asked Questions
Is a 7-pass wipe more secure than a 1-pass wipe?
No. On any hard drive manufactured in the last two decades, a single overwrite pass renders data unrecoverable with current or foreseeable technology. Additional passes do nothing but waste hours of time. The DoD itself no longer references the 5220.22-M multi-pass standard, and NIST 800-88 explicitly confirms that one pass is sufficient.
Where did the 7-pass wipe myth come from?
The myth stems from a misinterpretation of the DoD 5220.22-M standard, which originally specified a 3-pass overwrite for classified data on 1990s-era drives. The number 7 became common through a game of telephone as vendors and IT departments padded the number for extra safety. The DoD has since retired this standard entirely.
Did Peter Gutmann say his 35-pass method is unnecessary?
Yes. In an epilogue added to his original 1996 paper, Gutmann explicitly stated that performing a full 35-pass overwrite on a modern drive is pointless. His method was designed for specific older encoding technologies (MFM and RLL) that no longer exist. He recommended a few passes of random data at most for current hardware.
How long does a 7-pass wipe take compared to a single pass?
A single-pass overwrite of a 1TB hard drive takes roughly 2 to 4 hours. A 7-pass wipe takes 14 to 28 hours for the same drive — seven times longer with zero additional security benefit. A 35-pass Gutmann wipe can take 3 to 5 days on a 1TB drive.
Does NIST recommend multiple overwrite passes?
No. NIST SP 800-88 Rev. 2 (September 2025) specifies a single overwrite pass with a fixed data value for the Clear sanitization level on hard drives. The publication explicitly notes that multi-pass overwriting is unnecessary for modern storage media.
Should I use multiple passes when wiping an SSD?
Absolutely not. Multiple overwrite passes on an SSD cause unnecessary wear to the flash cells without improving security. SSDs use wear leveling and over-provisioning, which means software overwriting cannot reach all stored data regardless of how many passes you run. SSDs require firmware-level commands like ATA Secure Erase or NVMe Sanitize instead.
Why do data erasure tools still offer multi-pass options?
Primarily because of customer expectations and legacy compliance policies. Many IT departments and procurement specs still reference the DoD 5220.22-M standard or Gutmann method by name, even though both are obsolete. Software vendors include these options to satisfy purchasing checklists, not because they provide any real security advantage.
Can data be recovered after a single overwrite pass?
No, not with any known technology. Research by Wright, Kleiman, and Sundhar (2008) demonstrated that recovering even a single bit after one overwrite yields only a 56% probability — a coin flip. Recovering a full byte drops below 1%. Recovering any usable file is statistically impossible on modern high-density drives.
The Bottom Line
The 7-pass and 35-pass wipe are relics of a technological era that ended decades ago. One overwrite pass is all you need for any modern hard drive. Save yourself 12-24 hours per terabyte, use a single-pass tool like DBAN or BitRaser, and spend that reclaimed time on something that actually matters for your security posture.
Last updated: February 2026. We regularly review and update our guides to ensure accuracy.
Sources:
- Gutmann, P. "Secure Deletion of Data from Magnetic and Solid-State Memory," Sixth USENIX Security Symposium, 1996. https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
- NIST Special Publication 800-88 Rev. 1: Guidelines for Media Sanitization. https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
- Wright, C., Kleiman, D., Sundhar, S. "Overwriting Hard Drive Data: The Great Wiping Controversy," ICISS 2008. https://link.springer.com/chapter/10.1007/978-3-540-89862-7_21
- U.S. Department of Defense. DoD 5220.22-M, National Industrial Security Program Operating Manual. https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf
- NIST SP 800-88 Rev. 2: Guidelines for Media Sanitization (September 2025). https://csrc.nist.gov/publications/detail/sp/800-88/rev-2/final
