Outlook .PST security.. or i should say: the lack thereof

I always knew the password protection of a .pst file of Outlook was weak, but i never took the time to find out how weak. And it’s horrible! 😈

I like to point you to the website of Nirsoft, who explains how terrible the security is;

” The password is not really saved in the pst file. Instead of saving the real password, Outlook creates a 32-bit hash value that represents the original password. The algorithm that is used to generate this number is just a CRC32 algorithm with a little modification. CRC32 is mostly used to verify data integrity, but from unknown reason, Microsoft decided to use it for password protection instead of using a strong hashing algorithm, like MD5 or SHA-1.

The bad thing about using a CRC32 algorithm for saving a password is the fact that for each 32-bit number, there are a lots matching passwords. Which means, that if you set a password on your pst file, you can also open it with many other passwords that match the same CRC value.

For example, if you set the password ‘1234’ to your pst file, you can also open it with the following passwords: ‘yZdHpA’, ‘hkNkwC’, ‘YUWqKD’, ‘FkbbpH’, ‘WZHAwJ’, and much more…

Don’t believe it ? Just try it, and you’ll find out that it’s true ! ”

Let me just say I think its’ better to not offer a password protection than a real bad one. It gives users a false sense of protection, which is worse than offering no protection *in my opinion). You can argue I, as a IT pro should have known this. But i didn’t, assuming setting a password would secure the .pst, how stupid of me. 😕

As Nirsoft states, you can test it yourself: you can find the tool here.