Bug in Outlook PST password protection

When working on MS-Outlook with POP3 or IMAP accounts, all received and sent emails are saved in a Personal Folders (.pst) file. Microsoft allow the user to set a password on a .pst file, in order to protect the content of the emails, and prevent from accessing them by other users.
although commercial software that crack the password of pst files exist for years, many users don't know that password protection of pst files is very weak and can be cracked very easily, and may thing that their private emails are protected from viewing by other users.
In the following article, I'll give a small explanation about how the password is saved in the pst file, as well as I'll demonstrate a funny bug with pst passwords.

How the password is saved in the pst file ?

In fact... The password is not really saved in the pst file. Instead of saving the real password, Outlook creates a 32-bit hash value that represents the original password. The algorithm that is used to generate this number is just a CRC32 algorithm with a little modification. CRC32 is mostly used to verify data integrity, but from unknown reason, Microsoft decided to use it for password protection instead of using a strong hashing algorithm, like MD5 or SHA-1.
The bad thing about using a CRC32 algorithm for saving a password is the fact that for each 32-bit number, there are a lots matching passwords, which mean that if you set a password on your pst file, you can also open it with many other passwords that match the same CRC value.
For example, if you set the password '1234' to your pst file, you can also open it with the following passwords: 'yZdHpA', 'hkNkwC', 'YUWqKD', 'FkbbpH', 'WZHAwJ', and much more...
Don't believe it ? Just try it, and you'll find out that it's true !

The null password bug

Outlook uses the 32-bit value that I mention above to determine whether to ask the user to type a password. If this value is other than zero, the user must type a password that matches the same CRC value in order to open the pst file. If this value is equal to zero, the user is allowed to open the pst file without typing any password.
But... What happens if you set a password to the pst file that matches to a zero CRC value ? This is exactly the bug that I'm talking about !!
If you set a password to the pst file that matches to a zero CRC value, Outlook will accept your password without complaints, but in the next time that you try to open the pst file, you won't need to type any password !

The following list contain passwords that generate a zero CRC value in Outlook, and thus if set one of these passwords to your pst file, Outlook won't ask you to type a password in the next time that you access the pst file:

  • eyzVS1
  • tHPuT3
  • 5J8j84
  • EvIoh4
  • TGcLo6
  • JeX2N7
  • 1Rj78C
  • nr9VuE
  • CNQp0J
  • pLMtUP
  • O0fc8Q
  • NaE3OT
  • ArTniW
  • z7s4mm
  • YUfCxp
  • yZUzCu
  • 5kfzQx
The above passwords list was generated by using my new pst password generator. This password generator is a part of my new pst cracker utility that was released during June 2006 - PstPassword.

Steps to reproduce the bug in Outlook 2003

  1. From the menu, select Tools -> E-mail Accounts
  2. Select 'View or change existing e-mail accounts', and click Next.
  3. Click 'New Outlook Data File'.
  4. Select the type of storage, and then select a new pst filename.
  5. In the pst creation dialog-box, type one of the passwords from the above "bad" passwords list. Don't check the "Save this password is your password list" option.
  6. Click 'OK' and then 'Finish'.
  7. Try to access the newly created 'Personal Folders'. At this stage, Outlook should ask you to type a password, but if you used one of the password from my list, Outlook will allow you to access the pst without a password. This is the bug !!