Home Page

All the Graphics
Update Notes



Post Database

Recovering Lost Microsoft Office Passwords
By Thiravudh Khoman

In my previous life (corporate, not corporeal), I helped manage a local area network consisting of some 500+ PC's which used DOS-based Lotus 1-2-3 and Windows 3.1-based Microsoft Word and Excel for productivity applications. With such a large network, one where everyone saved their work to the LAN-based servers, it was necessary to insure the safety and sanctity of the files being stored.

Part of this was addressed by using RAID drive subsystems on the servers as well as implementing traditional backup routines. Another less obvious measure was to insure that the files were always readable. Given that all of the abovementioned programs are capable of password protecting their files, it was conceivable that a user could forget or mistype the password of an important file or a resigned staff could leave the company without informing us how to access his/her password protected files.

I've found, though, that most people tend not to password protect their files for a variety of reasons: a) they assume the network already has enough security to protect their files from prying eyes, b) they believe their work isn't critical or sensitive enough to be kept absolutely confidential, or c) they're too busy or aren't motivated enough to take the extra steps required.

Be that as it may, I felt it was in the company's best interest to obtain programs to recover the passwords for the applications we used. Such software would be held by me alone in order to prevent any unauthorized use. As it turns out, in the 5 years that I've had the software, I never had the occasion to use the programs even once, but it gave me peace of mind to know that I could in an emergency.


At that time, the only vendor that met our requirements was a company called AccessData (https://www.accessdata.com) which is based in Provo, Utah. AccessData sells a long line of password recovery programs including LTPass for Lotus 1-2-3, XLPass for Microsoft Excel, WDPass for Microsoft Word (figure 1), plus support for other programs such as Word Perfect, Microsoft Access, Paradox, Quattro Pro, etc. The current prices for each of these programs are US$170 for the first program and US$100 for subsequent programs. "Network access" programs which can replace administrative passwords on Windows NT and Novell Netware servers are also available but cost considerably more at US$495 apiece. (Note: The versions that I have are all DOS-based, but then they're also 5 years old.)

One major caveat about AccessData: they may or may not sell directly to Thailand. As there is no Thailand-based dealer, one may be forced to go through their nearest geographical dealer. Previously, this was in Australia. The result of buying from Australia then was that you were given the privilege of paying both Australian and Thai import taxes. Despite my protestations about this fact, AccessData wouldn't relent, and I ended up asking a friend in the U.S. to order it for me instead. At present, AccessData has a closer dealer in tax-free Singapore and who knows, they may even allow you to order direct from the U.S. now. As can be surmised from the above, there are no internet sales and no downloadable demos.


In a recent helpdesk, I noticed a reply by Post Database staff that said that password protected ZIP files were relatively easy to "crack". I was surprised and frankly a bit skeptical about this and decided to see if some company had indeed developed a tool to accomplish this. During my internet search, I came across a Russian company, Elcom (https://www.elcomsoft.com), which offered password recovery tools for Microsoft office, as well as for archivers using the ZIP and ARJ formats.

Unlike with AccessData, downloadable trial versions of Elcom's software are available for Windows 9x/NT machines, the file sizes being about 1mb each. These demos are limited in certain ways. For example, the demo versions of the Office 97 and ZIP recovery tools only handle passwords of 4 characters or less. If and when the programs are registered, entering a registration code will immediately activate the programs and remove the limitations. Registration can be accomplished over the internet via registration broker RegNow.


The million Baht question, of course, is how well do these programs perform? On a Windows 98 PC with a Pentium II-266 CPU and 48mb RAM, LTPass was able to crack a 10 character Lotus 1-2-3 password in about 2 minutes, XLPass was able to crack a 10 character Excel 95 password in 45 seconds, and WDPass was able to crack a 10 character Word 95 password in about 1 minute.

Elcom's Advanced Word 95 Password Recovery (AW95PR) was able to crack 7 and 10 character passwords in about 1 second. Its Advanced Excel 95 Password Recovery (AE95PR) performed about the same. One minor problem is that they sometimes cannot handle country-specific versions of Office 95. But this isn't a total dead-end since you can send Elcom your password protected files. Not only will they do a custom password recovery for you, but they'll also add country-specific support into their next release of the software.

For better or worse, Microsoft changed the way passwords are saved when it released Office 97. While Office 95 had a fairly simple encryption algorithm (as evidenced by AW95PR's ability to crack a word password so quickly), so far, Office 97 documents can only be cracked by "dictionary" attacks or "brute force" attempts.

Assuming that an Office 97 document uses a password which can be found in a dictionary file, it can be cracked fairly quickly (i.e. in a matter of minutes). If this fails, a brute force attempt - which works by trying all combinations and permutations of characters - is the only other alternative. As one might guess, brute force attempts are very slow when the passwords are longer than 4 characters.

Unfortunately, I don't own versions of WDPass or XLPass that can handle Word 97 and Excel 97 files, but I can comment on how Elcom's Advanced Office 97 Password Recovery (AO97PR version 1.00) (figure 2) tool works in this regard. It took AO97PR about 17 minutes to crack a Word 97 file with a 4 character password. 32 million passwords out of a theoretical total of 90 million passwords were actually checked. If all 90 million passwords were checked, it probably would have run for an hour. To check all combinations of a 5 character password, 6.8 billion passwords would need to be checked and take about 36 days. I won't even bother to mention how long a 6 character password would take.

Obviously, the latter numbers are beyond all reason even for a Pentium III-550, which should work faster but certainly not several orders of magnitude faster than my benchmark PC. One reason why there are so many passwords to check is that all types of characters (lower and upper case letters, numbers, and special symbols) are permutated. If one can reduce the number of character to check, then the combinations will drop drastically. However, when trying to crack a password from an unknown source, this may not be possible.

AO97PR also allows you to stop a password search, save where you quit to a file, and then continue at a later time. This feature also allows you to split the password search across several machines, by setting the starting point on each machine at a different point.

Although I mentioned not having the '97 versions of WDPass/XLPass, AccessData's website does claim that it can find an average of one character of a password per day. Thus, unlike AO97PR, a 5 character password should theoretically take only 5 days as opposed to 36 days, while a 10 character password would take 10 days as opposed to who knows how many years. I can't verify this, however.

Kinder, Gentler Passwords

While there are good reasons to create difficult-to-guess hybrid passwords for use in certain situations, there are fewer reasons to do so in other situations, especially when there is little chance of others being able to physically access your files. A case in point is on your home computer. Create and forget a 10 character password for your Office 97 file and you'll have to ask your children to post the recovered password on the urn holding your ashes.

Needless to say, Microsoft will not help you. While they know the algorithm used to encrypt the password, even they might not be able to reverse the process. And even if they could, they certainly wouldn't help you regardless of how dire your situation is. To do so would clearly compromise the security of their password system.

For home use, I would recommend the following. Create a set of long passwords and stick with those. I have three 10-12 character passwords that I use for "special" occasions. These aren't random characters, but rather are amalgams of words, which have special significance to me. As long as I'm free of debilitating mental diseases, I'll (probably) never forget these.

For more mundane stuff, create a set of three shorter passwords (say 5-6 characters each). These passwords should be related in some way to each other to assist you in remembering them. When you feel like a change or if you operate in an environment where you use a lot of passwords or are forced to change passwords often, cycle to the next password in that set. While your passwords will be re-used, you will also have enough of them to allow recycling. Of course, you can create more sets of passwords. But the point is, create them in sets.

Finally, if you want to leave a backdoor open for yourself so that a program like AO97PR can recover your password in the event of a crisis, don't use the full spectrum of characters in your password. As I mentioned above, if AO97PR knows that your password contains only lower case characters and numbers, it will operate much quicker than if it had to factor in another 60+ upper case characters and special symbols as well.

Bottom line: You're the best authority to decide what level of password protection you need.

Copyright © 1998-2000, Thiravudh Khoman