Can open password protected .pst files with out supplying password.

[JaredTBBC]

I appreciate that this is not necessarily an issue for XstReader, as the implication is that .pst files are not encrypted and the password is only used to restrict opening in Outlook, bu please can you confirm that?

P.S. there was no other method of contacting you that I could find.

[Dijji]

Opening an issue is in fact the best way to contact me about one of my programs, so no worries there.

As to your question, the Outlook pst file specification describes how the password is held as a hash (MD5, from memory) as a property of the file. Its enforcement is described as being "the responsibility of the UI". I could have detected the presence of a password, demanded that one be supplied, hashed the entered string and compared it with the stored value. But being open source, this would have provided the merest figleaf of protection to anybody that knew what they were doing, given that the contents are never in any way encrypted, rather to my surprise. So I ignore any password that might be present.

Dijji

[JaredTBBC]

Thanks for clarifying and I agree with your rationale.
I am feeling slightly embarrassed as, for years, I had assumed the files were encrypted, but have discovered that they aren't - a bit like discovering you are only wearing a figleaf... I am now trying to work out the best method of protecting them - probably as an encrypted zip file to start with.

[Dijji]

I felt the same when I found out the awful truth. All those years I had been carefully setting passwords on pst files... File under 'things mother Microsoft never told you'.

Office does have support for sending and receiving encrypted emails as part of Office 365. However, I'm pretty sure this does not extend to pst files, because otherwise they would be legally obliged to document the file format, and it certainly is not there at the moment. They can do what they want in ost files, with no need to publish, so that's where they innovate (the 64-bit format being an example).

The only way I know of to really protect pst files is as you suggest, to encrypt the whole thing using zip. Most implementations will give you pretty good encryption algorithms.

Dijji

[esantose]

Does XstReader have any function that detects if the password is present in any of the PST properties?

[Dijji]

No. The location of the hashed password is well-known (there is only one per PST file), and XstReader could retrieve it, but currently does not.

[esantose]

Can I add such functionality to identify the correct password and get it from PST/OST? If so, any ideas?

[Dijji]

As described in the documentation, the CRC-32 hash of the password text is stored in the PidTagPstPassword property in the PC associated with NID_MESSAGE_STORE, so it is just a question of adding this property to the list of properties read at the store level.

However, since what is stored is a hash, the only API you can reasonably add would verify a clear text password, or perhaps better, a hash of a password.

What scenario do you have in mind that would make the addition of password support useful?

[esantose]

"Having a password bank is very useful because it can be used to open other documents." It would be very useful if "xstReader" includes the function of detecting and recovering the password or adding it automatically within the list of properties in a future release.
Anyway this app is very useful

[Dijji]

There is no way to retrieve the password itself, as only its hash is stored. So I'm not currently seeing in useful way to proceed with this.