Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can open password protected .pst files with out supplying password. #25

Open
JaredTBBC opened this issue Jun 8, 2020 · 9 comments
Open

Comments

@JaredTBBC
Copy link

I appreciate that this is not necessarily an issue for XstReader, as the implication is that .pst files are not encrypted and the password is only used to restrict opening in Outlook, bu please can you confirm that?

P.S. there was no other method of contacting you that I could find.

@Dijji
Copy link
Owner

Dijji commented Jun 8, 2020

Opening an issue is in fact the best way to contact me about one of my programs, so no worries there.

As to your question, the Outlook pst file specification describes how the password is held as a hash (MD5, from memory) as a property of the file. Its enforcement is described as being "the responsibility of the UI". I could have detected the presence of a password, demanded that one be supplied, hashed the entered string and compared it with the stored value. But being open source, this would have provided the merest figleaf of protection to anybody that knew what they were doing, given that the contents are never in any way encrypted, rather to my surprise. So I ignore any password that might be present.

Dijji

@JaredTBBC
Copy link
Author

Thanks for clarifying and I agree with your rationale.
I am feeling slightly embarrassed as, for years, I had assumed the files were encrypted, but have discovered that they aren't - a bit like discovering you are only wearing a figleaf... I am now trying to work out the best method of protecting them - probably as an encrypted zip file to start with.

@Dijji
Copy link
Owner

Dijji commented Jun 8, 2020

I felt the same when I found out the awful truth. All those years I had been carefully setting passwords on pst files... File under 'things mother Microsoft never told you'.

Office does have support for sending and receiving encrypted emails as part of Office 365. However, I'm pretty sure this does not extend to pst files, because otherwise they would be legally obliged to document the file format, and it certainly is not there at the moment. They can do what they want in ost files, with no need to publish, so that's where they innovate (the 64-bit format being an example).

The only way I know of to really protect pst files is as you suggest, to encrypt the whole thing using zip. Most implementations will give you pretty good encryption algorithms.

Dijji

@esantose
Copy link

Does XstReader have any function that detects if the password is present in any of the PST properties?

@Dijji
Copy link
Owner

Dijji commented Nov 30, 2020

No. The location of the hashed password is well-known (there is only one per PST file), and XstReader could retrieve it, but currently does not.

@esantose
Copy link

esantose commented Dec 1, 2020

Can I add such functionality to identify the correct password and get it from PST/OST? If so, any ideas?

@Dijji
Copy link
Owner

Dijji commented Dec 1, 2020

As described in the documentation, the CRC-32 hash of the password text is stored in the PidTagPstPassword property in the PC associated with NID_MESSAGE_STORE, so it is just a question of adding this property to the list of properties read at the store level.

However, since what is stored is a hash, the only API you can reasonably add would verify a clear text password, or perhaps better, a hash of a password.

What scenario do you have in mind that would make the addition of password support useful?

@esantose
Copy link

esantose commented Dec 1, 2020

"Having a password bank is very useful because it can be used to open other documents." It would be very useful if "xstReader" includes the function of detecting and recovering the password or adding it automatically within the list of properties in a future release.
Anyway this app is very useful

@Dijji
Copy link
Owner

Dijji commented Dec 2, 2020

There is no way to retrieve the password itself, as only its hash is stored. So I'm not currently seeing in useful way to proceed with this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants