Problem solve Get help with specific problems with your technologies, process and projects.

Recover lost Microsoft Outlook .PST passwords

If you've forgotten or misplaced the password to a Microsoft Outlook personal store (.PST), you can use the freeware utility PstPassword to reverse engineer the .PST file and open it.

Microsoft Outlook 97 through Outlook 2003 support password-protected personal stores (.PST files). Like all passwords, .PST passwords can be forgotten or misplaced.

When that happens, there are usually only a few options:

  • Call a data recovery service
  • Restore the file from a recent backup (provided it, too, isn't protected)
  • Start guessing

The password protection on Microsoft Outlook .PST files is actually not very strong to begin with -- it's akin to the old-school password protection on Microsoft Word documents, which can also be cracked without too much difficulty. This is reason alone not to depend on .PST passwords to protect and secure your email data.

However, if you're in a situation where you need to recover a password-locked .PST file and don't have the budget for data recovery, there is a freeware third-party tool that can reverse-engineer the password(s) for a given .PST file and let you open it: Nir Sofer's PstPassword utility.

The program is simple. Open it and it'll scan the locally logged on user's Microsoft Outlook profile directory -- Documents and Settings\<user_name> \Local Settings\ Application Data\Microsoft\Outlook -- for .PST files. Each file found will be listed in PstPassword's main window, along with up to three possible passwords to open it if it's password-protected.

More than one password may work on a given .PST file, according to Sofer, because of a problem with the way .PST password protection is implemented. The .PST password is not stored in the .PST file. Instead, a 32-bit CRC hash is created from the password, from which it's possible to reverse-engineer a number of different passwords that have the exact same 32-bit CRC hash.

Worse, there's a .PST password bug that makes it possible to create a password that produces a CRC hash of zero. Sofer provides a list of the .PST passwords that generate a zero CRC value in Outlook on his Web site.

Note: I cannot and do not endorse the use of this tool for anything other than legitimate use. If you use .PST files in your organization on local machines, make sure you have other security measures in place, such as an appropriate Group Policy, to prevent users from installing applications or copying files to another system.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

Do you have comments on this tip? Let us know.

Related information from

  • Expert Advice: Disabling the use of .PST files in Outlook 2003
  • A primer on Exchange Server .PST files
  • The Microsoft Outlook Toolbox
  • Our experts' favorite freeware
  • Reference Center: .PST administration tips and resources

    Please let others know how useful this tip was via the rating scale below. Do you have a useful Exchange Server or Microsoft Outlook tip, timesaver or workaround to share? Submit it to If we publish it, we'll send you a nifty thank-you gift.

  • This was last published in July 2006

    Dig Deeper on Exchange Server setup and troubleshooting

    Join the conversation


    Send me notifications when other members comment.

    Please create a username to comment.

    Protects files and documents against crackling reverse engineering or don't open documents from unknown sources will help
    Yes, PSTPassword works. Or at least works well enough to let me extract a list of passwords that I could use to try, fail, try, fail, try, BINGO to open the file. Then again, there's a cracker to get into almost any locked file anywhere. But that's somewhat beside the point.

    This isn't Day One of computing. And MS isn't the new kid on the block. So why are we still diddling with a password protection scheme that was minimal when it was introduced back in the days of DOS.

    Our information is incredibly vulnerable and if we can get into it without our super-secure password, so can anyone else. We don't need better crackers, we need better encryption.
    I believe Elcomsoft has a tool that can help with this as well:
    I guess it's a little naive to be so surprised at how easy it is to crack something like email. It makes you wonder how many places still have information available through these older systems that are so easy to crack...
    Scary, indeed, CarolBrands. This is why we have to look out for ourselves - and our companies - when it comes to sensitive information.