Microsoft Outlook is one of the most popular email clients around, regularly ranking among the top clients. It’s only beaten by Apple’s integrated mail solution and Gmail for global email opens.
Most people use Outlook at some time in their lives. Given those millions of users, it is understandable that at some point, someone will forget their Outlook password. And in those moments, you need a tool that can retrieve the password while keeping your data intact.
Here are three tools to help with Outlook password recovery. But first, we need to understand the difference between PST and OST files and how they store and password-protect your mail in Outlook.
Differences Between Outlook PST and OST Files
The way Outlook stores, manage and secures your data depends on the type of account you are using.
There are two more vital differences between the two file types.
By and large, PST data files store vital information, such as passwords, to the local machine. This password locks unauthorized users out of the Outlook account, protecting emails and user data. The OST data file also uses local storage but doesn’t contain any passwords. As such, the PST file is open for password retrieval. (Do note that OST passwords aren’t much more secure.)
The second difference is a bug in Microsoft Outlook’s password protection that relates to password storage.
The Microsoft Outlook PST Password Protection Bug
When you enter a password on a website, the site (hopefully) doesn’t store it in plaintext. The plaintext is what you’re reading now, so you can see why storing a password in this form isn’t so wise. The website takes your password and creates a hash.
A hash is a long string of alphanumeric characters representing your password and is tied to your username. When you type your username and password combination, the database returns a positive response, and you enter your account. But if an attacker enters the database, all they see is a long list of confusing hash values.
Here’s the problem with Outlook: Instead of using a complex hashing algorithm (ideally with a salt), Microsoft appears to have cut some security corners using the basic CRC32 algorithm.
The bad news is that each CRC32 hash has a lot of matching values, meaning there’s a strong chance a password retrieval program will unlock your file. This is great if you need your PST file unlocked, but utterly terrible if you want to keep it secure.
This is where Outlook password recovery tools come in.
PST Tools for Outlook Password Recovery
There are several tools you can use to retrieve PST passwords and unlock your data file.
Nirsoft’s PstPassword is a great free utility that automatically retrieves PST passwords for local data files. PstPassword displays three potential passwords due to the encryption bug. If the first option fails, you have two more choices. (PstPassword generates a long list of CRC32 hashes that might unlock the data file.)
PstPassword doesn’t require installation, either. However, your system might detect it as a malicious file (as it is harvesting passwords, something that you don’t want at other times).
Kernel Outlook PST Password Recovery Tool is a limited free utility. The major limitation is the size of the PST file the tool will unlock. Kernel’s tool will unlock PST files up to 500MB for free. However, if your data file size surpasses that you will need to upgrade to the Home License for $39.
The tool quickly analyzes your PST files, providing a hash value for you to enter. Unlike PstPassword, Kernel only grants a single password hash to try. However, if that doesn’t work, Kernel also has the option to remove the password protection from the PST file (as well as add a new one if you desire).
Our final tool is Recovery Toolbox for Outlook Password. Recovery Toolbox costs $19 but comes with a few more options than either free option. For example, Recovery Toolbox can:
- Recover and show passwords for PST data files
- Reset PST data file passwords
- Recover and remove some passwords for OST data files
The major difference is support for OST files. The paid version of Recovery Toolbox shows and removes OST passwords, too, giving it a slight advantage. That said, other free online tools will uncover even the most secure Outlook OST data file passwords, too.
Testing the PST Password Protection Bug
You can check the password protection bug out for yourself using PstPassword.
Open Outlook and head to File > Account Settings > Data Files. Press Add to create a new data file, giving it a temporary name. Next, head to Settings > Change Password. Leaving the “Old password” field empty (as it is a new data file), enter a strong new password in the “New password” and “Verify password” fields. (In fact, I’m using a Secure Password Generator to create a super-strong 16-character password.)
You might note that despite the 16-character password, Outlook only accepts 15-characters. Regardless, press OK, close the panel, then close Outlook.
Download, then open PstPassword. It should automatically detect your newly created PST file, as well as any existing data files, too. Now, alongside your test file, there are three potential passwords. Because the password is over a certain amount of characters, PstPassword displays the hash values.
Open Outlook again and enter one of the hash values. If it doesn’t work, try the next one. In the event, the first three don’t work, right-click the test data file and select Get more passwords.
Mail PassView is another free password viewing and recovery tool from Nirsoft. Mail PassView uncovers OST data file passwords, rather than PST data files. However, as OST data file passwords are usually set via mail server rather than in Outlook itself, the tool cannot remove passwords or offer alternatives.
Still, Mail PassView is a useful free tool for recovering your Outlook password.
Outlook Password Recovery Complete!
One of these tools will grant you access to your Microsoft Outlook PST data file. Some Microsoft Office programs have strong integrated encryption. However, you have seen the Outlook password protection bug and how you can easily uncover a lost password.