How to decrypt word document password

Accessing the content of password-protected and encrypted documents saved as DOC/XLS files (as opposed to the newer DOCX/XLSX files) is often possible without time-consuming attacks regardless of the length of the password. Advanced Office Password Recovery enables experts quickly breaking the encryption of password-protected DOC and XLS files, which are Microsoft Word and Excel documents saved by modern versions of the app in the “compatibility” format. Organizations are still using the “compatible” Office 97/2000 formats for their document workflow.

Advanced Office Password Recovery can quickly remove protection and decrypt documents saved in the following formats:

• Microsoft Office 97 and 2000: these versions of Microsoft Office use 40-bit encryption exclusively
• Microsoft Office XP and 2003: 40-bit encryption is used by default; adds optional CSP support
• Newer versions of Microsoft Office: documents saved as “Word 97-2003 .doc” or “Excel 97-2003 .xls” still using 40-bit encryption

Why does it work that way, what is the difference in encryption between the “compatible” and modern formats, and how exactly can you remove protection from DOC and XLS files? Read along to find out.

Microsoft Office: legacy encryption in “compatible” formats

For compatibility reasons, Microsoft Office apps are still using legacy encryption when a document is saved as a .DOC instead of a .DOCX. You can read more about it in our previous article Microsoft Office 40-bit Encryption and Thunder Tables in Advanced Office Password Recovery.

Microsoft Office 97 was once released with deliberately weak encryption due to US export restrictions. That encryption scheme was carried over to Microsoft Office 2000 unchanged, even though by the time the export restrictions ceased to exist. The native US versions of Microsoft Office could be configured to use stronger encryption, yet the setting was rarely enabled because of valid compatibility concerns – the same concerns that are driving many organizations today to keep using the “compatible” DOC/XLS formats for their document workflow.

Technically speaking, the “compatible” formats are using the RC4 cipher for encryption and MD5 for hashing. A weak 40-bit encryption key and a single iteration of MD5 hashing are used to protect information. Even twenty years ago, 40-bit encryption was considered weak enough to be cracked in reasonable time. Today, several hours of brute forcing is all that is needed to break 40-bit encryption on an average consumer-grade CPU; much less if you use a video card.

The newer DOCX/XLSX files are with a much stronger AES encryption. 256-bit encryption keys require attacking the original plain-text passwords in order to decrypt the content, while the large number of iterations (hash rounds) makes such attacks deliberately slow. In other words, while the older formats have known vulnerabilities allowing for near-instant recovery of encrypted content, the newer DOCX/XLSX files must be attacked with Elcomsoft Distributed Password Recovery to recover the original password. The original password is then used to decrypt the content of the DOCX/XLSX file.

In other words, Advanced Office Password Recovery today can decrypt a password-protected Word .doc documents or an Excel .xls spreadsheet saved as “compatible” within a guaranteed, limited timeframe. The exact time needed for the attack will depend on your CPU power and will NOT depend on the length and complexity of the user’s password.

Please not: the hashes are salted. This means that the different documents protected with the same password are encrypted with different encryption keys. Because of this, you must run individual attacks on these documents – even if they share the same password.

However, brute forcing is not even needed to break 40-bit encryption if you use Thunder Tables, a feature available in the Forensic edition of Advanced Office Password Recovery.

Thunder Tables

In the past, enumerating the entire set of 40-bit encryption keys would take several days on an average computer. To cut this time, we fully refactored all possible 40-bit keys to build Elcomsoft Thunder Tables ™, an extension of the Rainbow Tables attack. Using Thunder Tables, you can break all compatible Word documents and about 97% of compatible Excel spreadsheets in just seconds instead of hours. The Thunder Tables are available in the Forensic edition of Advanced Office Password Recovery. You can read more about the Thunder Tables in Thunder Tables™ Explained | ElcomSoft blog.

In the past, users would have to obtain Thunder Tables separately by either copying them from the supplied DVD or flash drive or manually downloading them from our Web site. This is no longer the case: Thunder Tables will be downloaded automatically when you need them. Advanced Office Password Recovery automatically detects the document format and the type of protection and suggests downloading Thunder Tables if the document uses 40-bit encryption. Thunder Tables are exclusive to the Forensic edition; Home edition users still have an option to brute-force all available 40-bit keys, which is plenty fast on modern CPUs.

Thunder Tables take a lot of space on your computer; they occupy several gigabytes of disk space. By default, the tables will be stored in %APPDATA%\Elcomsoft Password Recovery\Thunder Tables. If your system drive does not have the amount of free space required, or if you don’t want to store something as large as Thunder Tables on your boot drive, consider specifying a different path. You can do that by editing the following Registry key:

Computer\HKEY_CURRENT_USER\SOFTWARE\Elcomsoft\Advanced Office Password Recovery\TTPath

Please note that Thunder tables should be stored on an SSD drive or USB flash drive due to the large amount of random access operations.

It is important to note that the actual password is not needed to decrypt documents as the tool attacks the binary encryption key instead. If, for any reason, you absolutely must recover the password, you can run a GPU-assisted attack that offers speeds in the order of tens of millions password combinations per second.

Breaking 40-bit encryption step by step

To break a document protected with 40-bit encryption, do the following.

1. Launch Advanced Office Password Recovery.
2. Open the document you are about to recover. The tool will automatically detect the type of protection. In the case of 40-bit encryption, the following message will be displayed:
   
3. If you already have Thunder tables on your computer, the key search will begin immediately. Otherwise, the tool will suggest downloading Thunder tables. Depending on your connection speed, this may take some time; the size of Thunder tables is in the range of several gigabytes.
   
4. Please note that Thunder tables require several gigabytes of free disk space. If your system disk does not have the required amount of free space, edit the following registry key and restart Advanced Office Password Recovery:
   Computer\HKEY_CURRENT_USER\SOFTWARE\Elcomsoft\Advanced Office Password Recovery\TTPath
5. Once Thunder tables are downloaded to your computer, the key search will be performed automatically.
   
6. With Thunder tables, the recovery of a Word document is 100% guaranteed, and only takes several seconds (up to several minutes). For Excel spreadsheets, success rate is 97%. If the key is not found, continue to the next step, and repeat the key search without using the Thunder tables.
7. If you skip the download (or if Thunder tables cannot locate the key for a given .xls file), the key search will commence without Thunder tables. The search may take from several minutes to several hours.
   
8. Once the key is found, the document will be decrypted using the discovered encryption key. The password will not be discovered and is not required to decrypt the document.