Ottawa PC Users' Group, Inc.
Office Password Recovery Professional v3.03
by Chris Taylor
Have you ever password protected a document and felt a cold
chill at the thought that you might forget your password?
Have you ever actually forgotten a password on a document
and had to reconstruct it by hand? Do you support other
computer users who forget the passwords on their
If so, you might want to take a look at ElcomSoft's
Advanced Office Password Recovery (AOPR). There are three
versions. I took a look at the one that can deal with the
most file types, the Professional version.
AOPR Pro can crack the passwords in just about every
Microsoft Office document type: Word, Excel, PowerPoint,
Access, Outlook, OneNote, Visio, Publisher, Project,
Money, MS Backup, Schedule+, MS Mail, and the content
advisor in Internet Explorer.
But how easily can it crack passwords? Well, that
Aside: "that depends" is the correct answer
to any computer-related question.
I had a PowerPoint file Microsoft posted for one of their
web-based seminars. There was nothing particularly secret
about the document, of course. But they had put a
password on the ability to modify the file. I was sort of
shocked when AOPR Pro found the nine-character,
lower-case alphabetic password in less than a second.
Then I tried an Access 2000 database file. I had chosen
the password for this file and had given it some degree
of complexity: ten characters, with upper- and
lower-case alphabetics and numerics. Pretty good, I
thought. Well, AOPR Pro cracked that in less than a
I was starting to wonder
So I fired up Word 2003 and created a small amount of
text. I clicked on Tools | Options | Security
and entered a password of ThePasswrd4Open to
open the file. I saved the file and verified that Word
would not allow me to open the file unless I entered the
When AOPR Pro tried to crack the password, it chugged
away at the file for a couple of minutes and finally
reported the "File Opening Password for this file
cannot be recovered instantly." Ah, this seemed a
little more reasonable.
I tried my ten-character, upper- and lower-case, plus
numerics password (that I had used for the Access
database) on the Word 2003 document. AOPR found it in
less than a second. However, it reported that it found
the password in its password cache. Aha! Lesson one:
if a person password-protects more than one
document, there is a good chance they will use the same
password for all documents. Easier to remember,
but if someone cracks your password in one document, they
have access to all your documents! When I cleared the
cache, AOPR Pro reported that the password could not be
Lesson two: not all password-protection schemes are
created equally. I don't know the encryption scheme
that was used to protect the Access 2000 database, but it
was obviously way less effective than the default for
Word 2003. In delving into the options available under
Word 2003, I found that there are actually ten different
options for encryption, such as Office 97/2000
Compatible and RC4, Microsoft Base Cryptographic
The AOPR Pro help file was most informative on different
Microsoft document encryption schemes. Remember the
instantly-found modify password on the PowerPoint file
from Microsoft? Well, the AOPR Pro help file says that,
while the Password to Open is a Strong Password and
can be recovered only by Brute-Force or Dictionary
Attack, the Password to Modify can be recovered instantly.
I go back to lesson two: even within a single
document, encryption schemes to protect different
capabilities such as open vs. modify may be of wildly
OK, so let's assume we go with a strong encryption
scheme. How safe are your documents? Well, that
AOPR Pro has the ability to do dictionary attacks with
good speed. It ships with a dictionary file of almost a
quarter million words. So, if you use "alexandrianism",
"asdfghjk", "qazwsx", "qwerty" or "untranslatableness"
as your password, AOPR Pro will crack it in less than 2
minutes, even if you use the encryption scheme "RC4,
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic
Provider", whatever that is!
AOPR Pro uses plain text files for dictionaries, and
there are lots of these files available on the Internet.
Besides lots of normal dictionaries, you can
find specialised dictionary files of hacker lingo,
medical jargon, etc.
So if we eliminate weak encryption schemes and weak
passwords, are we stuck? Well, that depends
AOPR Pro can brute force any password, as long as you
have enough time. On my desktop (a 2.4 GHz Pentium
4), AOPR Pro can check over 400,000 passwords per
second. If we assume that people are going to use any
printable characters (upper- and lower-case alphabet,
numerics, and symbols) for their password, that comes to
95 characters. If we look at the possible permutations
for passwords and how long it takes at 400,000 passwords
per second, we get:

Length         Combinations       Time
1 character    95                 instantly
2 characters   9,025              instantly
3 characters   857,375            2 seconds
4 characters   81,450,625         3 minutes
5 characters   7,737,809,375      5 hours 20 minutes
6 characters   735,091,890,625    25 days

We can see that a 6-character password that is not in any
dictionary file, with a strong encryption scheme, is not
practical to consider cracking on my computer, right?
Well, that depends
AOPR has the ability to customise a brute force attack.
For example, if you know the password does not contain
numerics, you can eliminate them. Or, if you know the
password contains certain characters, you can use a mask
to shorten the permutations that must be tried. You can
even enter a custom character set to be checked.
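
How much a restricted character set or a mask shrinks the search can be worked out directly. The following is an added example, not part of the original review and not ElcomSoft's code; the mask convention ('?' for an unknown position) and all function names are assumptions made for illustration.

```python
import string

RATE = 400_000  # passwords per second, the rate measured in the review

# Character classes; together they form the 95 printable ASCII characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def charset(*names):
    """Build the candidate character set from class names."""
    return "".join(CLASSES[n] for n in names)

FULL = charset("lower", "upper", "digit", "symbol")

def keyspace(mask, chars):
    """Count candidates for a mask. '?' marks an unknown position and any
    other character is treated as known (illustrative convention only; it
    cannot express a password containing a literal '?')."""
    return len(set(chars)) ** mask.count("?")

def worst_case_seconds(mask, chars, rate=RATE):
    """Time to try every candidate at the given rate."""
    return keyspace(mask, chars) / rate

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    cases = [
        ("6 unknown, all 95 characters", "??????", FULL),
        ("6 unknown, no numerics", "??????", charset("lower", "upper", "symbol")),
        ("6 unknown, lower-case only", "??????", charset("lower")),
        ("6 long, first 2 known", "Ab????", FULL),  # constructed sample mask
    ]
    for label, mask, chars in cases:
        secs = worst_case_seconds(mask, chars)
        print(f"{label:30} {keyspace(mask, chars):>18,}  {human(secs)}")
```

The times are worst case; on average a search finds the password after trying about half the candidates.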
[Figure: Using brute force to recover a password]
If you have no clue about the password at all, a long,
complex password, and a strong encryption scheme was
used, it is not practical to crack the password, right?
As the saying goes, that depends
Recently, a flaw in the way Microsoft implemented their
encryption was discovered, even when using a strong
algorithm such as RC4. If two versions of the encrypted
document are available (a not uncommon scenario), the
password can be recovered very quickly.
Properly securing a document through encryption is not a
simple task. Weak passwords are frequently used and
vendors often use weak or flawed encryption schemes. In
most cases, if someone forgets their password, a tool
such as AOPR can recover the password in short order.
I found the help file for AOPR Pro to be very interesting
reading. There is lots of information about the
encryption schemes used by Microsoft applications as well
as general information about encryption. Elcomsoft has
even put their help file up as a web page at http://www.elcomsoft.com/help/aopr/index.html.
While I tested the Professional edition of AOPR, there
are also Home and Standard editions that can deal with
fewer file types. For details of the capabilities of each
version see http://www.elcomsoft.com/aopr.html.
ElcomSoft also has programs to recover passwords from
many different file types such as archives, WordPerfect,
Adobe Reader, and more. For details, see http://www.elcomsoft.com/prs.html.
CPU: Pentium or better
OS: Windows 95 or better
Disk space: 4MB
Office Password Recovery Professional v3.03
AOPR pricing (Canadian dollars at the ElcomSoft web
Home Edition $62.00
Standard Edition $125.00
Professional Edition $252.00
Web site: http://www.elcomsoft.com/aopr.html
Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON K2G 1S6
The opinions expressed in these reviews may not necessarily
represent the views of the OPCUG or its members.