Office 2013-2026 AES-128 SHA-512 — Hashcat Mode 9600

Agile Encryption explained

Office 2013 made Agile Encryption the default (Office 2010 had it as an option). Agile uses an XML-described KeyEncryptor inside the EncryptionInfo stream. The XML specifies: hash function, hash size, key size, iteration count, salt, and cipher chaining mode.

The Office 2013 default values are: hashAlgorithm=SHA512, hashSize=64, keyBits=128, spinCount=100000, blockSize=16, cipherAlgorithm=AES, cipherChaining=ChainingModeCBC. This is what Hashcat mode 9600 targets.

Microsoft Office 2016, 2019, 2021, and Microsoft 365 (subscription) all use the same defaults — so any password-protected .docx/.xlsx/.pptx file from 2013 onwards is most likely mode 9600 unless the user explicitly chose different settings.

• Encryption scheme: Agile
• Cipher: AES-128 in CBC mode (not AES-256 by default)
• Hash function in KDF: SHA-512
• KDF iteration count: 100,000
• Default in Office 2013 through Microsoft 365

Why SHA-512 makes mode 9600 harder than mode 9500

SHA-512 is computationally more expensive than SHA-1 on most hardware: it processes 1024-bit blocks instead of 512-bit, uses 64-bit operations, and has 80 rounds vs SHA-1's 80 rounds with simpler operations. On commodity GPUs, SHA-512 throughput is roughly 30-50% of SHA-1 throughput per cycle.

Combined with the same 100,000 iteration count as mode 9500, this means mode 9600 verifies passwords about 2-3x slower than mode 9500 on identical hardware. Recovery wall-clock time for the same search space scales linearly with this slowdown.

For a typical 8-10 character human-chosen password, the difference might mean recovery takes hours instead of an hour. For a strong random 14-character password, it's irrelevant — the search space is already infeasible regardless of KDF cost.

Why Microsoft kept AES-128 instead of moving to AES-256

Office 2013 supports AES-256 through Agile Encryption, but the default remained AES-128. The reasoning: AES-128 is already secure beyond any feasible brute force, and AES-128 is faster than AES-256 in hardware (10 rounds vs 14 rounds), keeping legitimate file open times responsive.

Users can manually configure AES-256 via Group Policy or by saving with custom encryption settings. In practice, almost no one does this — the default is what virtually everyone uses. So mode 9600 with AES-128 covers the vast majority of modern Office password-protected files.

Identifying mode 9600 files

Same OOXML container as 9400/9500. The EncryptionInfo XML inside the OLE2 wrapper specifies the agile encryption parameters. Tools like office2john print the hash string starting with `$office$*2013*` for mode 9600.

Office 2016, 2019, 2021, 365 produce identical hash format — Hashcat treats them all as mode 9600. There's no per-version differentiation because the encryption parameters are identical.

Files in this category in 2026

Mode 9600 is the dominant generation for 2014-2026 Office documents. Almost any password-protected .docx/.xlsx/.pptx created in the last decade is in this mode. Common sources: enterprise document management exports from any modern company, freshly created HR/legal/financial documents, archive exports from corporate file servers.

Microsoft 365 (formerly Office 365) defaults to mode 9600 for password-protected exports. Users who add a password to a document via File → Info → Protect Document → Encrypt with Password produce mode 9600 files.

Recovery realism

For modern Office files, the recovery question is even more password-strength-dependent than older modes because per-attempt cost is higher. Short or predictable passwords (under 8 characters, dictionary words, year+word patterns) remain recoverable. Strong random passwords from a manager are not realistically recoverable on any reasonable budget.

The honest position: many corporate Office files use predictable passwords (department name + year, project codename, company-standard pattern). These are recoverable. Personal manager-generated passwords typically are not. We tell you what we found in free check before any paid attempt.

Frequently Asked Questions

Related references