Strengthened KDF

Office 2010 AES-128 — Hashcat Mode 9500

TL;DR — Office 2010 kept the AES-128 cipher from 2007 but doubled the SHA-1 KDF iteration count from 50,000 to 100,000. The change makes per-password GPU verification roughly 2x slower, increasing real-world recovery wall-clock time without changing the fundamental feasibility curve.

Office 2010's incremental upgrade

Microsoft Office 2010 (released 2010) made one focused change to password protection: the SHA-1 hash chain in the key-derivation function went from 50,000 iterations to 100,000. The cipher remained AES-128 in CBC mode and the file format remained OOXML inside an OLE2 container, so the Standard Encryption scheme as a whole was structurally unchanged.

The doubled iteration count was a direct response to the rapid growth in commodity GPU performance during 2007-2010. Microsoft increased the per-password computational cost to keep pace with attacker hardware capability — a standard pattern in password-storage design.

Office 2010 also introduced 'Agile Encryption' as a more flexible alternative (XML-driven KDF and cipher choices), but Standard Encryption with the new 100,000-iteration count was the default. That default produces files mapped to Hashcat mode 9500.

  • Same OOXML/OLE2 container as Office 2007
  • Same AES-128 cipher
  • KDF iteration count: 100,000 (up from 50,000)
  • Hash function in KDF: SHA-1
  • Default for Office 2010 password-protected files

Practical implications of doubled iterations

On the same hardware, mode 9500 verifies passwords roughly half as fast as mode 9400. A GPU that tests 4 million candidates per second against mode 9400 tests about 2 million per second against mode 9500. This linearly extends wall-clock recovery time for the same effective search space.

For typical human-chosen passwords (8-10 characters, mixed case, year/word patterns), this is a meaningful but not transformative slowdown. For 12+ character random passwords, the slowdown is irrelevant because the search space is already infeasible. Most of the practical recovery curve shifts modestly to the right.

From an owner's perspective, mode 9500 doesn't change the qualitative answer — 'my password is recoverable' or 'my password is too strong' — only the quantitative answer about how long the recovery takes if it succeeds.

Office 2007 vs 2010 detection

From file extension alone, you can't tell — both versions produce .docx, .xlsx, .pptx files. The difference is in the EncryptionInfo stream, where the kdfIterations value is either 50000 (Office 2007 default, mode 9400) or 100000 (Office 2010 default, mode 9500).

Tools like office2john or msoffice-crypt extract this metadata and produce a hash string that begins with `$office$*2010*` for mode 9500. Browser-based analysers can identify the mode without uploading the file content elsewhere.
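As an added example (not code from this page or from office2john/msoffice-crypt), the Python classifier below reads a raw EncryptionInfo stream and reports the KDF generation and the matching Hashcat mode, which is what an archive-inventory job needs when triaging files from the 2010-2015 window. It follows the MS-OFFCRYPTO layout: a version 3.2/4.2 Standard header carries no iteration field (the specification fixes SHA-1 at 50,000 spins), while the SHA-1/100,000 parameters of mode 9500 files sit in the spinCount attribute of a version 4.4 Agile XML descriptor; the sample streams are constructed and trimmed to the attributes the classifier reads.

```python
import struct
import xml.etree.ElementTree as ET

# Namespaces of the Agile EncryptionInfo XML descriptor (MS-OFFCRYPTO).
NS_ENC = "http://schemas.microsoft.com/office/2006/encryption"
NS_PWD = "http://schemas.microsoft.com/office/2006/keyEncryptor/password"

# (family, KDF hash, spin count, key bits) -> Hashcat mode named on this page.
HASHCAT_MODES = {
    ("Standard", "SHA1", 50000, 128): 9400,   # Office 2007
    ("Agile", "SHA1", 100000, 128): 9500,     # Office 2010
    ("Agile", "SHA512", 100000, 256): 9600,   # Office 2013+
}

def classify_encryption_info(stream: bytes) -> dict:
    """Classify a raw EncryptionInfo stream by the generation of its password KDF."""
    v_major, v_minor = struct.unpack_from("<HH", stream, 0)
    if (v_major, v_minor) == (4, 4):
        # Agile: 4-byte version, 4-byte reserved word, then a UTF-8 XML descriptor.
        root = ET.fromstring(stream[8:])
        ek = root.find(f".//{{{NS_PWD}}}encryptedKey")
        if ek is None:
            raise ValueError("Agile descriptor has no password keyEncryptor")
        info = {"family": "Agile", "hash": ek.get("hashAlgorithm").upper(),
                "spin_count": int(ek.get("spinCount")), "key_bits": int(ek.get("keyBits"))}
    elif v_minor == 2 and v_major in (2, 3, 4):
        # Standard: no iteration field exists; the spec fixes SHA-1 and 50,000 spins.
        # EncryptionHeader starts at offset 12; KeySize is its fifth DWORD.
        key_bits = struct.unpack_from("<I", stream, 12 + 16)[0]
        info = {"family": "Standard", "hash": "SHA1", "spin_count": 50000, "key_bits": key_bits}
    else:
        raise ValueError(f"unsupported EncryptionInfo version {v_major}.{v_minor}")
    info["hashcat_mode"] = HASHCAT_MODES.get(
        (info["family"], info["hash"], info["spin_count"], info["key_bits"]))
    return info

def sample_standard_2007() -> bytes:
    """Constructed Office 2007 Standard header: version 3.2, AES-128 (AlgID 0x660E), SHA-1."""
    header = struct.pack("<8I", 0x24, 0, 0x660E, 0x8004, 128, 0x18, 0, 0)
    header += "Microsoft Enhanced RSA and AES Cryptographic Provider\0".encode("utf-16-le")
    return struct.pack("<HHII", 3, 2, 0x24, len(header)) + header

def sample_agile(hash_alg: str, spin_count: int, key_bits: int) -> bytes:
    """Constructed Agile stream trimmed to the attributes the classifier reads."""
    xml = (f'<encryption xmlns="{NS_ENC}" xmlns:p="{NS_PWD}"><keyEncryptors>'
           f'<keyEncryptor uri="{NS_PWD}"><p:encryptedKey spinCount="{spin_count}" '
           f'keyBits="{key_bits}" hashAlgorithm="{hash_alg}"/></keyEncryptor>'
           f'</keyEncryptors></encryption>')
    return struct.pack("<HHI", 4, 4, 0x40) + xml.encode("utf-8")
```

For a real file, obtain the stream bytes from the OLE2 container with the olefile package, e.g. `olefile.OleFileIO(path).openstream("EncryptionInfo").read()`, and pass them to `classify_encryption_info`.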

Why Microsoft kept the SHA-1 hash function

By 2010, SHA-1 was already showing weakness for collision-based attacks (the SHAttered collision was demonstrated in 2017 but was anticipated years earlier). Microsoft's choice to keep SHA-1 was driven by KDF requirements: the security property needed is one-way preimage resistance, not collision resistance. SHA-1 still provides preimage resistance.

By Office 2013, Microsoft moved to SHA-512 in the KDF (mode 9600), addressing both the iterations-count question and the long-term hash strength question simultaneously. Mode 9500 remains a transitional generation that's still common in archives.

Files commonly in this generation

Office 2010 was deployed widely in enterprise environments through 2014-2015. Government, financial, and healthcare organisations often produced documents in this version because of long Office support cycles. Files from 2010-2015 that are .docx, .xlsx, or .pptx are commonly mode 9500.

Modern Office (2019, 2021, Microsoft 365) defaults to AES-256 with stronger KDFs (mode 9600), so freshly encrypted files in 2026 are typically not in this category. But archived files from the 2010-2015 window remain plentiful — particularly in document management systems that preserve original encryption indefinitely.

Recovery questions for owners

Same questions as mode 9400: do you remember the password's general shape (length, character classes, likely word/year)? Was it a personal password (recoverable) or a manager-generated random one (typically not)? How important is the document?

We don't publish specific recovery percentages. We will tell you what we found in the free check before any paid attempt, so you have real data to base a decision on.

Frequently Asked Questions

How much slower is mode 9500 than mode 9400?
Roughly 2x slower per password attempt, because the SHA-1 KDF iterates 100,000 times instead of 50,000. Same hardware, half the throughput.
Can I downgrade my .xlsx to mode 9400 to make it 'easier' to recover?
No. The encryption scheme is fixed when the file is created. You cannot change it without first decrypting the file, which requires the password.
Is SHA-1 weakness a concern for Office 2010 files?
No, not for password-recovery purposes. The KDF needs preimage resistance, which SHA-1 still provides. SHA-1's weakness is in collision attacks, which don't apply here.
Will the recovered file work in Office 365 / Microsoft 365?
Yes. Modern Office reads all OOXML formats with any encryption scheme. The recovered (unlocked) file works identically.
Why didn't Microsoft move to PBKDF2 or Argon2?
Backward compatibility. Office files need to open in older versions of Office, so the KDF must be implementable in pre-2010 software. PBKDF2/Argon2 weren't widely supported in the Office 2003 codebase.
What's the difference between Standard and Agile encryption?
Standard uses fixed AES-128 + SHA-1 + iteration count. Agile uses XML metadata to specify cipher, KDF, and iteration count flexibly. Agile allows AES-256 with SHA-512 (Office 2013+ default), which becomes mode 9600 territory.
Are there enterprise rights management (IRM) implications?
IRM-protected files use Azure Information Protection or AD RMS — that's a different protection layer outside the password scheme. IRM recovery requires the original AD/AAD environment, not a password attack.

Have a file in this category?

Start with a free analysis. The encryption type is detected in your browser, then a free check runs through fast techniques before any paid attempt. You only pay if a recovery actually works.