Microsoft Access — MDB and ACCDB Encryption

Jet 3 era — Access 95/97 (.mdb)

Microsoft Access 95 and 97 used the Jet 3.5 database engine. Database password protection in this era was a 14-byte XOR obfuscation against a known fixed pattern. Anyone with knowledge of the pattern could read the password directly from a specific offset in the file header.

This wasn't encryption — it was access-control UX. From a recovery perspective, .mdb files from this era are recoverable in milliseconds with any tool that knows the byte pattern. Open-source utilities (jet-mdb-tools, etc.) print the password directly without any 'cracking' involved.

Files from this era still appear occasionally in legacy enterprise archives, particularly small-business CRM and inventory systems that ran on Access from the 1990s.

Jet 4 era — Access 2000-2003 (.mdb)

Access 2000 introduced Jet 4 database engine with a stronger but still weak password scheme. The password was hashed and the result XORed with a small region of the file header. The hash function was a custom proprietary algorithm with significant biases.

Recovery for Jet 4 .mdb files is still very fast — academic research has shown the password can be recovered in seconds because the verification path leaks substantial information. Open-source tools (Office Password Recovery PRO, Elcomsoft Advanced Office Password Recovery, etc.) handle this format quickly.

Access 2002 and 2003 used the same scheme. Files in this category exist in many small-business document management systems that haven't migrated to the .accdb format.

Access 2007+ era — .accdb

Access 2007 introduced the .accdb format with the new ACE (Access Connectivity Engine) replacing Jet. Database encryption was rebuilt: AES-128 in CBC mode, with a 32-byte salt and SHA-1-based key derivation. This is genuine encryption — the database content is encrypted, not just protected by a verification flag.

Hashcat doesn't have a single dedicated mode for ACCDB; recovery typically uses custom tools that implement the ACCDB encryption format. The cipher is sound; recovery feasibility depends on password strength, similar to Office 2007+ documents.

Access 2010, 2013, 2016, 2019, 365 all use the .accdb format with the same AES-128 encryption baseline. Newer Access versions support AES-256 through advanced settings, but AES-128 remains the default.

How to identify which format you have

File extension is reliable: .mdb is Jet 3 or Jet 4; .accdb is Access 2007+ ACE. Within .mdb files, the first 4 bytes after the standard Jet signature differentiate Jet 3 from Jet 4.

Tools like libmdb, mdb-tools, or commercial Access utilities can identify the version without the password. The crucial distinction: .mdb → fast structural recovery; .accdb → real password search.

Recovery approach by format

For .mdb: structural recovery is the right approach. The password is recovered from the file header without a search. Free or low-cost tools handle this routinely.

For .accdb: cryptographic recovery is required. Same considerations as Office 2007+ password protection: feasibility depends on password complexity. We honestly assess based on what you remember about the password.

Why this matters for owners

Owners of legacy .mdb files often think they need expensive recovery services because they can't open the file. The honest answer: any decent tool recovers .mdb passwords for free in seconds. Charging for this would be wrong.

Owners of .accdb files face the same recovery curve as Office 2007+ documents — short or predictable passwords are recoverable; strong random passwords typically aren't. The free check phase reveals which side of the line your file is on.

Frequently Asked Questions

Related references