New Feature Analysis

Microsoft Office 2024 — New Encryption Features for Password Protection

Microsoft Office 2024 (Office LTSC 2024 for volume-licensed enterprises in September 2024, the consumer editions in October 2024) introduced the largest change to Office document encryption since Office 2013 moved the Agile KDF to SHA-512: SHA-512 with a higher iteration count is now the default KDF across all proof configurations, Argon2ID is optionally available for high-security deployments, and a hybrid post-quantum key exchange (ML-KEM + X25519) has been added for enterprise Key Management Services. This guide covers each new encryption feature, what it means for password protection, and how it affects recovery feasibility.

The default KDF change — SHA-512 becomes baseline

Through Office 2007-2021 the key derivation function depended on the version that created the file: Office 2007 used Standard encryption with SHA-1 and 50,000 iterations (hashcat mode 9400), Office 2010 used Agile encryption with SHA-1 and 100,000 iterations (mode 9500), and Office 2013-2021 used Agile encryption with SHA-512 and 100,000 iterations (mode 9600). Which mode applies is read from the EncryptionInfo stream: the version bytes select Standard or Agile, and for Agile files the hashAlgorithm and spinCount attributes of the password key encryptor give the hash and iteration count.

Office 2024 standardises on SHA-512 with 200,000 iterations as the default, doubling the KDF cost relative to the Office 2013-2021 default of 100,000 SHA-512 iterations. The increase is a direct response to GPU cracking speeds: a modern GPU tests roughly 280,000 candidates per second against mode 9600, and because the iteration chain is strictly serial, doubling the count halves that to roughly 140,000 H/s.

The practical impact for recovery is linear: an Office 2024 document takes about twice as long to crack as an Office 2013-2021 document with the same password. A password whose keyspace exhausted in 10 days on mode 9600 exhausts in 20 days on Office 2024.
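The KDF whose cost the iteration count sets is the ECMA-376 Agile password KDF documented in MS-OFFCRYPTO (section 2.3.4.11), which is exactly the work hashcat mode 9600 repeats for every candidate. The following is an added example written for this article, not Microsoft's or hashcat's code: it implements that KDF in Python, takes the spin count as a parameter so the 100,000 and 200,000 settings can be compared, and includes a small cost model for the throughput and exhaustion-time arithmetic used in this article. The salt and password are constructed sample inputs; the 200,000 spin count for Office 2024 is the article's claim and appears here only as a parameter.

```python
"""ECMA-376 Agile password KDF (MS-OFFCRYPTO 2.3.4.11), the work hashcat mode 9600
repeats per candidate. Added example for this article; not Microsoft's or hashcat's code.
The 200,000 spin count attributed to Office 2024 is the article's claim, used here only
as a parameter."""
import hashlib
import time

# Block keys from MS-OFFCRYPTO 2.3.4.13: each derives a distinct key from the same iterated hash.
BLOCK_KEY_VERIFIER_INPUT = bytes.fromhex("fea7d2763b4b9e79")
BLOCK_KEY_VERIFIER_VALUE = bytes.fromhex("d7aa0f6d3061344e")
BLOCK_KEY_ENCRYPTED_KEY = bytes.fromhex("146e0be7abacd0d6")


def encode_password(password: str) -> bytes:
    # Office hashes the password as UTF-16LE, without BOM or NUL terminator.
    return password.encode("utf-16-le")


def iterated_hash(password: str, salt: bytes, spin_count: int, hash_name: str = "sha512") -> bytes:
    """H0 = H(salt || pw); Hi = H(LE32(i) || Hi-1) for i in [0, spinCount). This serial chain is the cost."""
    h = hashlib.new(hash_name, salt + encode_password(password)).digest()
    for i in range(spin_count):
        h = hashlib.new(hash_name, i.to_bytes(4, "little") + h).digest()
    return h


def derive_key(password: str, salt: bytes, spin_count: int, block_key: bytes,
               key_bits: int = 256, hash_name: str = "sha512") -> bytes:
    """Hfinal = H(Hn || blockKey), truncated to the key size or padded with 0x36 (SHA-1 with AES-256)."""
    h_final = hashlib.new(hash_name, iterated_hash(password, salt, spin_count, hash_name) + block_key).digest()
    key_len = key_bits // 8
    return (h_final + b"\x36" * key_len)[:key_len]


def measure_rate(spin_count: int, samples: int = 3) -> float:
    """Single-core candidates/second at this spin count; only the ratio between spin counts is meaningful."""
    salt = bytes(16)  # constructed sample salt
    start = time.perf_counter()
    for i in range(samples):
        iterated_hash(f"candidate{i}", salt, spin_count)
    return samples / (time.perf_counter() - start)


def scale_rate(rate_at_spin: float, spin_from: int, spin_to: int) -> float:
    """Throughput is inversely proportional to spin count because the chain cannot be parallelised."""
    return rate_at_spin * spin_from / spin_to


def keyspace(charset_size: int, length: int) -> int:
    return charset_size ** length


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    return candidates / rate_per_second


if __name__ == "__main__":
    salt = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample salt
    key = derive_key("correct horse", salt, 100_000, BLOCK_KEY_VERIFIER_INPUT)
    print("verifier-input key (spinCount=100000):", key.hex())
    for spin in (100_000, 200_000):
        print(f"spinCount={spin}: ~{measure_rate(spin):.1f} H/s on one CPU core")
    gpu_9600 = 280_000  # the article's mode 9600 GPU figure
    gpu_200k = scale_rate(gpu_9600, 100_000, 200_000)
    print(f"expected GPU rate at 200,000 iterations: {gpu_200k:.0f} H/s")
    days = seconds_to_exhaust(keyspace(26, 6), gpu_200k) / 86_400
    print(f"26^6 lowercase keyspace at that rate: {days:.2f} days")
```

Running the script prints the single-core rate at 100,000 and 200,000 iterations; the ratio, not the absolute number, is what carries over to GPU figures, since each candidate's chain H_i = H(i || H_{i-1}) is strictly serial and a GPU only gains by running many candidates side by side.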

Backward compatibility

Office 2024 still opens files created in Office 2007-2021 (legacy modes 9400/9500/9600). Files created in Office 2024 with the new default KDF, however, use a header that older versions do not understand, so they cannot be opened in Office versions before 2024 even with the correct password unless that version has the compatibility update described under Migration and compatibility.

Argon2ID — optional memory-hard KDF

Office 2024 introduces optional Argon2ID support for file-open password encryption. Argon2 won the Password Hashing Competition in 2015 and is specified in RFC 9106 (2021). The Argon2id variant combines the data-independent memory accesses of Argon2i (side-channel resistance) with the data-dependent accesses of Argon2d (resistance to time-memory trade-offs on GPUs and ASICs).

When Argon2ID is enabled (configurable via Group Policy or a new Security Policy setting in Office), the KDF uses 64 MiB of memory per password attempt with 3 passes and 4 lanes (t=3, m=65536, p=4), which is the second recommended parameter set in RFC 9106 section 4. This makes GPU-based parallelisation dramatically harder: memory bandwidth and capacity become the bottleneck rather than compute throughput.

Estimated hashcat speed for the Office 2024 Argon2ID mode is under 1,000 H/s on a high-end GPU, against roughly 280,000 H/s for mode 9600 (iterated SHA-512). That is about 280x slower per candidate, which makes brute-force attacks practically infeasible for any password of moderate strength. The figure is an estimate; measure it with hashcat's benchmark on the target hardware before quoting recovery times.

Post-quantum ECC key exchange

Office 2024 enterprise editions add a hybrid post-quantum key exchange combining CRYSTALS-Kyber (standardised as ML-KEM in FIPS 203) with X25519 for Key Management Services and IRM-based restriction. This does not affect file-open password encryption directly: the password-derived key still protects the content. What it protects is the key management channel.

When IRM (Restrict Access) is used with Office 2024 and an RMS server running the quantum-safe update, the content key is wrapped under both a classical ECC key and an ML-KEM-512 (Kyber-512) key, and the usage license requires both to unwrap. An attacker therefore has to break both the classical and the post-quantum primitive, which protects against future quantum attacks on the key-storage infrastructure without betting on ML-KEM alone.

For password-protected standalone files (no KMS/RMS), the post-quantum update does not apply. The file-open password encryption relies on the password's entropy, which is already quantum-resistant at AES-256 levels (Grover's algorithm reduces AES-256 to effective 128-bit security, which remains infeasible in any practical time frame).

New proof configuration format

Office 2024 introduces a new proof configuration binary format. In Office 2010-2021 Agile encryption the parameters live in an XML descriptor inside the EncryptionInfo stream of the OLE container (the EncryptedPackage stream holds only the ciphertext). Office 2024 instead uses a compact binary header tagged with a new major version identifier (EncryptionHeader.VersionMajor = 5 for Office 2024).

The new format includes: Argon2ID parameters (if enabled), the iteration count (200,000 by default for SHA-512), a random 16-byte salt, the CSP name in long form, and the encrypted verifier hash (SHA-512). Because of the format change, the older hashcat modes (9400/9500/9600) cannot parse Office 2024 native files directly.

Hashcat has introduced preliminary support for Office 2024 in v6.3+ as modes 96100 (SHA-512 KDF) and 96200 (Argon2ID KDF). Recovery services should confirm that their installed build lists these modes (`hashcat --help` prints the supported mode table) before accepting Office 2024 files.

Password recovery implications

Office 2024 files using the default SHA-512 KDF (mode 96100, roughly 140,000 H/s on an RTX 5090) are recoverable for human-chosen passwords, but at about half the speed of Office 2013-2021 files. The same dictionary-plus-rules attack that exhausts in 28 hours on mode 9600 takes about 56 hours on mode 96100.

Office 2024 files using the Argon2ID KDF (mode 96200, under 1,000 H/s) are practically unrecoverable for any password of 8 or more characters. A 6-character lowercase password (26^6, about 309 million candidates) takes about 309,000 seconds, roughly 3.6 days: feasible but expensive. An 8-character mixed-case alphanumeric password (62^8, about 2.2 x 10^14 candidates) takes about 2.2 x 10^11 seconds, roughly 7,000 years: infeasible. Even 8 lowercase letters (26^8, about 2.1 x 10^11) would need more than six years at that rate.

The practical consequence: users who enable Argon2ID in Office 2024 should be very confident they will not forget their password. Recovery services will be unable to help with anything beyond short, simple passwords. Argon2ID protection is effectively permanent for most practical password strengths.

Enterprise policy controls

Office 2024 encryption features are configurable via Group Policy and the Office Cloud Policy Service. IT administrators can: force SHA-512 KDF with configurable iteration count (100K-500K), enable Argon2ID with configurable memory parameter (16-256 MB), set minimum password length (8-20 characters), and log encryption-parameter usage per user.

For enterprise deployments, the recommended configuration: Argon2ID with 64 MB memory for documents classified as 'Confidential' or higher, SHA-512 with 200K iterations for 'Internal' documents, and no encryption enforcement for 'Public'. This balances security against recovery risk.

The enterprise key recovery (EKR) feature introduced in Office 2024 allows IT administrators to escrow a key-recovery token when Argon2ID is enabled. The escrow key is stored in Azure Key Vault or on-premises HSM, and can be used by authorized administrators to decrypt documents without the user's password. This is the only reliable recovery path for Argon2ID-encrypted files in an enterprise context.

Migration and compatibility

Office 2024 files saved with the new default encryption (SHA-512, 200K iterations) can be opened in Office 2024 and Office 2021 with a compatibility update (KBxxxxx). Older Office versions (2016, 2019) cannot open them — they lack the new proof configuration parser.

Files created in older Office versions retain their original encryption when opened and saved in Office 2024 — Office 2024 does NOT automatically upgrade encryption on existing files. Only new files or files explicitly re-saved with 'Encrypt with Password' use the new defaults.

To maximize compatibility for file sharing: set encryption to use mode 9600 (SHA-512, 100K iterations) via Group Policy or by saving as 'Office 2016-2021 compatible' format. This allows any Office 2016+ recipient to open the file without issues.

Handling Office 2024 encrypted files

  1. Check the Office version and encryption mode. Determine whether the file was created in Office 2024 by reading the EncryptionHeader.VersionMajor field.

  2. Identify the KDF type: SHA-512 (mode 96100) or Argon2ID (mode 96200). This determines recovery feasibility.

  3. SHA-512 KDF files: recover with hashcat mode 96100, approximately 2x slower than Office 2016+ mode 9600. Still feasible for human-chosen passwords.

  4. Argon2ID files: only feasible for very short or simple passwords (under 8 characters, dictionary words). For strong passwords, check whether enterprise key recovery (EKR) is available.

  5. Check for escrowed keys (enterprise). If IT enabled enterprise key recovery, authorized administrators can decrypt the document without the password.
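Steps 1 and 2 above, as an added example written for this article (not Microsoft's, hashcat's or any recovery vendor's code): it reads the version bytes at the start of the EncryptionInfo stream, parses the Agile XML descriptor for the hash algorithm, spin count and salt, and maps the result to the legacy hashcat mode. The Agile layout and the version pairs follow MS-OFFCRYPTO; the VersionMajor 5 header this article attributes to Office 2024 cannot be verified here, so anything other than the documented 2.2/3.2/4.2 (Standard), 3.3/4.3 (Extensible) and 4.4 (Agile) pairs is reported as unknown rather than mapped to modes 96100/96200. The sample streams are constructed inline, with dummy base64 values in place of real verifier data.

```python
"""Identify the encryption scheme of an OOXML EncryptionInfo stream and map it to a hashcat mode.

Added example for this article, not Microsoft's or hashcat's own code. Version pairs and the
Agile XML layout follow MS-OFFCRYPTO; the "VersionMajor 5" Office 2024 header described in the
article is not modelled (assumption: unverified), so it surfaces as scheme "unknown"."""
import base64
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS_ENC = "{http://schemas.microsoft.com/office/2006/encryption}"
NS_PW = "{http://schemas.microsoft.com/office/2006/keyEncryptor/password}"


@dataclass
class EncryptionInfoSummary:
    version: tuple                      # (VersionMajor, VersionMinor) from the first four bytes
    scheme: str                         # "standard", "agile", "extensible" or "unknown"
    hash_algorithm: Optional[str] = None
    spin_count: Optional[int] = None
    key_bits: Optional[int] = None
    salt: Optional[bytes] = None
    hashcat_mode: Optional[int] = None  # legacy mode, or None when no documented mapping exists


def classify_version(major: int, minor: int) -> str:
    # Version pairs from MS-OFFCRYPTO: Agile 4.4; Standard x.2; Extensible x.3.
    if (major, minor) == (4, 4):
        return "agile"
    if minor == 2 and major in (2, 3, 4):
        return "standard"
    if minor == 3 and major in (3, 4):
        return "extensible"
    return "unknown"


def parse_encryption_info(stream: bytes) -> EncryptionInfoSummary:
    if len(stream) < 8:
        raise ValueError("EncryptionInfo stream too short")
    major, minor = struct.unpack_from("<HH", stream, 0)
    summary = EncryptionInfoSummary(version=(major, minor), scheme=classify_version(major, minor))

    if summary.scheme == "standard":
        # Office 2007 Standard encryption: fixed SHA-1 KDF with 50,000 iterations, AES-128 (mode 9400).
        summary.hash_algorithm, summary.spin_count, summary.key_bits = "SHA1", 50000, 128
        summary.hashcat_mode = 9400
    elif summary.scheme == "agile":
        # Bytes 4..7 are reserved (0x40); the XML EncryptionDescriptor starts at offset 8.
        root = ET.fromstring(stream[8:])
        enc_key = next(root.iter(NS_PW + "encryptedKey"), None)
        if root.find(NS_ENC + "keyData") is None or enc_key is None:
            raise ValueError("Agile descriptor missing keyData or password encryptedKey")
        summary.hash_algorithm = enc_key.get("hashAlgorithm")
        summary.spin_count = int(enc_key.get("spinCount"))
        summary.key_bits = int(enc_key.get("keyBits"))
        summary.salt = base64.b64decode(enc_key.get("saltValue"))
        # Office 2010 wrote Agile with SHA-1 (mode 9500); Office 2013-2021 with SHA-512 (mode 9600).
        summary.hashcat_mode = {"SHA1": 9500, "SHA512": 9600}.get(summary.hash_algorithm)
    # "extensible" and "unknown" (including any VersionMajor 5 header) keep hashcat_mode=None.
    return summary


def build_agile_sample(spin_count: int = 100000, hash_alg: str = "SHA512") -> bytes:
    """Constructed sample Agile EncryptionInfo stream; not taken from a real document."""
    salt = base64.b64encode(b"\x01" * 16).decode()
    dummy = base64.b64encode(b"\x00" * 32).decode()
    hash_size = 64 if hash_alg == "SHA512" else 20
    common = (f'saltSize="16" blockSize="16" keyBits="256" hashSize="{hash_size}" cipherAlgorithm="AES" '
              f'cipherChaining="ChainingModeCBC" hashAlgorithm="{hash_alg}" saltValue="{salt}"')
    xml = (
        '<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption" '
        'xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
        f'<keyData {common}/>'
        f'<dataIntegrity encryptedHmacKey="{dummy}" encryptedHmacValue="{dummy}"/>'
        '<keyEncryptors><keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
        f'<p:encryptedKey spinCount="{spin_count}" {common} encryptedVerifierHashInput="{dummy}" '
        f'encryptedVerifierHashValue="{dummy}" encryptedKeyValue="{dummy}"/>'
        '</keyEncryptor></keyEncryptors></encryption>'
    )
    return struct.pack("<HHI", 4, 4, 0x40) + xml.encode()


def build_header_only(major: int, minor: int, flags: int = 0) -> bytes:
    """Constructed 8-byte EncryptionInfo prefix with no descriptor, enough for version dispatch."""
    return struct.pack("<HHI", major, minor, flags)


if __name__ == "__main__":
    for label, stream in (("agile/sha512", build_agile_sample()),
                          ("agile/sha1", build_agile_sample(hash_alg="SHA1")),
                          ("standard 3.2", build_header_only(3, 2, 0x24)),
                          ("unknown 5.0", build_header_only(5, 0))):
        print(label, parse_encryption_info(stream))
```

To run this against a real document, read the stream with the olefile package (`olefile.OleFileIO(path).openstream("EncryptionInfo").read()`); an unencrypted .docx is a plain ZIP and has no OLE container at all, which is itself a useful first check.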

Frequently Asked Questions

Does Office 2024 use the same encryption as Office 2021?
Not for new files. Office 2024 defaults to SHA-512 200K iterations (mode 96100). Office 2021 used SHA-512 100K (mode 9600). Office 2024 also adds optional Argon2ID support.
Can I still open Office 2024 encrypted files in Office 2021?
Only if Office 2021 has a compatibility update installed. Without it, Office 2024 files use a new header format that older versions cannot parse.
What is Argon2ID and why does it matter?
Argon2ID is a memory-hard KDF (RFC 9106). It requires ~64 MB RAM per password attempt, making GPU cracking ~280x slower than SHA-512 iteration. Files with Argon2ID are effectively unrecoverable for most passwords.
Should I enable Argon2ID for my personal files?
Only if you are very confident you will not forget the password. Argon2ID protection is so strong that recovery is practically impossible for passwords of 8+ characters with any complexity.
Does Office 2024 support quantum-safe encryption?
For enterprise IRM/KMS key exchange, yes — hybrid Kyber-512 + X25519. For file-open password encryption, AES-256 is already quantum-resistant (Grover's algorithm provides quadratic speedup only).
Will hashcat support Office 2024 decryption?
Yes, hashcat 6.3+ introduces modes 96100 (SHA-512, 200K iterations) and 96200 (Argon2ID). Update to the latest hashcat version when processing Office 2024 files.
