Microsoft Project MPP Password Recovery
Project plans saved as .mpp files sit in a peculiar corner of the Office family. Microsoft Project is sold as a standalone product, never bundled with core Office, yet its file format shares the entire cryptographic pipeline with Word, Excel and PowerPoint. That means a forgotten password on a Project 2007 file responds to exactly the same hashcat attacks as a forgotten Excel 2007 workbook, a Project 2003 file decrypts in seconds with the same RC4 40-bit guaranteed technique as an old .xls, and the same version-by-version tradeoffs apply. This guide covers the complete landscape from Project 98 through Project 2021 and the modern Project for the Web, including practical hash extraction, GPU attack tuning, and what to do about the surprisingly large volume of legacy password-locked MPP files that still haunt enterprise PMO archives.
Why PMO Teams Password-Lock MPP Files
Before diving into cryptography, a quick reality check on where these locked files come from. In our production queue, the source of a password-protected .mpp is overwhelmingly one of three situations. First, a departing senior PM who saved schedules for regulated projects (pharma trials, utility rollouts, defence contracts) with a "safety" password and never told anyone. Second, consultancy deliverables where the vendor set a password so the client could not edit the baseline schedule without going through a change-control process. Third, legacy project archives dating back to Project 98/2000/2002 that were routinely password-protected by the original PM as a matter of habit, and where the original author is long since retired.
All three scenarios share a common pattern: the organisation has a legitimate need for the data (audit, historical baseline review, dispute resolution) but nobody remembers the password. Recovery is routinely authorised by a company's legal or IT team rather than being an end-user DIY task. That in turn means the cost of professional recovery is usually billed, and the tolerance for a 24-48 hour GPU attack is much higher than in consumer contexts.
Version Matters More Than Anything
Because the .mpp extension has been used since Project 1.0 in 1990, the single filename can hide any of eight distinct file formats with wildly different encryption strengths. Identifying which version wrote a given file is the single most important step in recovery. There are two ways to do this: look at the file's internal signature, or ask Project itself (via File → Info → Properties) if you have a working copy installed.
| Project version | Year | Container | Encryption | Recovery |
|---|---|---|---|---|
| Project 98 | 1997 | OLE2 | Read-only flag or RC4 40-bit | Instant, 100% |
| Project 2000 / 2002 / 2003 | 1999-2003 | OLE2 | RC4 40-bit | Hours, guaranteed |
| Project 2007 | 2006 | OOXML envelope | AES-128 SHA-1 (50K rounds) | Dictionary, 55-70% |
| Project 2010 | 2010 | OOXML envelope | AES-128 SHA-1 (100K rounds) | Dictionary, 45-65% |
| Project 2013 / 2016 | 2012-2015 | OOXML envelope | AES-128 SHA-512 (100K) | Dictionary, 30-50% |
| Project 2019 / 2021 | 2018-2021 | OOXML envelope | AES-256 SHA-512 (100K) | Dictionary, 25-45% |
| Project for the Web / Project Online | 2020+ | SQL database (cloud) | Account-level, no file password | Not applicable |
Percentages reflect real recovery rates on human-chosen passwords in our enterprise queue. Random-generator passwords (from 1Password, LastPass, Bitwarden) are not recoverable on 2010+ files within any reasonable time budget.
Project 2003 and earlier: guaranteed recovery
Because Project 2000/2002/2003 files use the same 40-bit RC4 scheme as Office 97-2003 Word and Excel, they are on our guaranteed recovery list. We decrypt any .mpp from that era within hours regardless of the original password. Upload the file on the home page, pay once the password is recovered, and we email you the unlocked copy.
Identifying Your Project Version Without Project Installed
Many people asking for MPP recovery no longer have Project installed — the licence lapsed, the PM who owned it left, or they work on a different team now. You can still identify the version from the file itself. Open the .mpp in a hex editor such as HxD and inspect the first 512 bytes. Three patterns distinguish the eras:
# OLE2 Compound Document (Project 98 through 2003) First 8 bytes: D0 CF 11 E0 A1 B1 1A E1 Within the 'SummaryInformation' stream look for 'Microsoft Project 4.0/4.1/2000/2002' # OOXML Encrypted (Project 2007+) First 8 bytes: D0 CF 11 E0 A1 B1 1A E1 (still OLE2 envelope) But the streams now include 'EncryptionInfo' and 'EncryptedPackage' The EncryptionInfo version number tells you the sub-variant: Version 3.2 -> Project 2007 Version 4.4 -> Project 2010+ Agile/ECMA-376 -> Project 2013+ # Unencrypted .mpp (no password) Same OLE2 envelope but no EncryptionInfo stream.
If you are on a Mac or Linux machine without Project, the olefile Python library dumps the internal streams in one command:
pip install olefile python3 -c "import olefile, sys; ol=olefile.OleFileIO(sys.argv[1]); print(ol.listdir())" plan.mpp
Extract the Hash with office2john
For any Project 2007+ file, the recovery workflow is identical to Word/Excel/PowerPoint 2007+. Clone john-the-ripper jumbo (git clone https://github.com/openwall/john) and use the bundled office2john.py script. Despite the name, the script handles .mpp files transparently because they are structurally Office documents.
# Extract the hash python3 run/office2john.py quarterly_plan.mpp > hash.txt # Example output (Project 2013): quarterly_plan.mpp:$office$*2013*100000*256*16*2b3f1... # Use the numeric version field to pick the right hashcat mode: # 2007 -> -m 9400 # 2010 -> -m 9500 # 2013 -> -m 9600 (Office2013 mode, covers 2013/2016/2019/2021)
Note the raw 256 in the example above indicates AES-256 key size (Project 2019+), while 2013+ files with AES-128 show 128. Hashcat mode 9600 covers both variants within the same numeric mode — hashcat internally branches on the key size.
GPU Attack Strategy
MPP passwords in the enterprise world have a distinctive statistical shape that differs noticeably from consumer Office passwords. The following attack ladder reflects what we actually run in production against paying customers' MPP hashes and explains the measured recovery rates in our table above.
Phase 1 — Targeted 140M dictionary, 15 minutes
Start with a curated 140 million entry dictionary that combines rockyou, HashKiller leaks, and our internal enterprise password list (scraped legally from public breach dumps and cleaned). Run with the T0XlC rule set, which applies common case / substitution mutations. Covers 30-45% of MPP recoveries alone.
hashcat -m 9600 -a 0 hash.txt big-140M.txt -r rules/T0XlC.rule --workload-profile 3
Phase 2 — Project-codename mask, 30 minutes
Enterprise MPPs are frequently named after project codenames: "Atlas", "Phoenix", "Everest", "Helix", followed by a year or version digit. A mask hybrid attack with a 5000-entry codename dictionary and year-like suffixes catches another 15-20%.
hashcat -m 9600 -a 6 hash.txt codenames.txt ?d?d?d?d hashcat -m 9600 -a 7 hash.txt ?u?u codenames.txt
Phase 3 — Full rockyou + OneRule, 4 hours
If the first two passes fail, bring the big guns. The OneRuleToRuleThemAll set applied to rockyou generates ~1.5 trillion candidates. On a 6-GPU rig this runs overnight and catches another 10-15% of MPP passwords.
Phase 4 — Mask brute, 24+ hours
For passwords clearly outside the dictionary space (all lowercase + digits up to length 10, or mixed-case + digits up to length 9) a raw mask attack is the only remaining option. Runs 10-72 hours depending on mask and GPU count. Recovers another 5-10%.
"I forgot the password" versus "I want to bypass change control"
Password recovery is a legitimate service for files you own and have a legitimate need to open. It is also commonly abused to bypass a vendor's change-control process on a client-delivered MPP. We will decrypt any file you upload and are not in a position to arbitrate your internal governance — but if you are breaking a change-control lock that someone else put in place, talk to them first. Vendors routinely provide the password when asked, because the lock is a procedural speed bump and not a security control.
Project for the Web and Project Online: No File Password
Microsoft 365 ships two modern cloud-based project management products under the Project brand: Project for the Web (the consumer / small-business offering, tightly integrated with Microsoft Planner and Power Platform) and Project Online (the enterprise successor to Project Server). Neither uses .mpp files as a native storage format. Plans live in a SQL-backed service; access is controlled by your Microsoft 365 account and the permissions assigned by the plan owner.
This means there is no file password to forget. If you cannot open a plan hosted in Project Online, the question is whether your Microsoft 365 account has been granted permission — which is resolved through the project owner or your tenant admin, not through cryptographic recovery. Users sometimes export a plan to .mpp for local editing or archival, and then set a file password on the export. Those files are in scope for this guide; they behave exactly like Project desktop files of the corresponding version.
Common Scenarios We See in the Queue
"Our construction consultancy delivered the schedule in 2019 and set a password. They are out of business."
Project 2013+ AES-128 SHA-512. Run our Phase 1 + Phase 2 attacks against consulting-firm name patterns and city-name dictionaries. Success rate ~60%.
"I inherited a folder of Project 2000 schedules for a decommissioning audit."
Project 2000 = RC4 40-bit. Guaranteed recovery. Upload the whole folder; we process each file within an hour.
"The IT director protected all MPPs with a 16-character random password before leaving."
If the password really was random, a 16-char password on Project 2016 is mathematically infeasible. Best course is to subpoena or legally request the password from the former employee via HR.
"The MPP opens but some tasks are highlighted with a padlock."
That is task-level protection, not file-level encryption. It is a UI flag inside the .mpp, trivially removable by any tool that parses the OLE2 streams. Not the same as the file-open password this page covers.
Upload your MPP for recovery
We offer a free check against common passwords and legacy Office recovery paths on every uploaded .mpp. Old .mpp files (2003 and earlier) are in the guaranteed recovery list with the same $34.99 release price after proof. See the supported file types page for the full list of Office formats we handle.
Frequently Asked Questions
What is a .mpp file?
The native format of Microsoft Project. Contains tasks, resources, Gantt chart, baseline, budget and dependencies. Sold standalone (not bundled with Office), but uses the same encryption pipeline as Word/Excel/PowerPoint.
Does Project 2007 use the same encryption as Office 2007?
Yes — AES-128 with SHA-1 key derivation inside an OOXML encryption envelope. office2john extracts the hash and hashcat mode 9400 attacks it, exactly as for Word/Excel/PowerPoint 2007.
I have a really old .mpp from 1998. Can you unlock that?
Instantly — Project 98/2000/2002/2003 use RC4 40-bit encryption, which is on our guaranteed recovery list. Turnaround is hours, and release is $34.99 after proof regardless of the original password.
Does Project Server / Project Online have a password?
No. Plans in Project Online/Project for the Web live in a cloud SQL database. Access is per-user account. A .mpp password only appears when a plan is exported locally.
What is the realistic recovery rate?
55-70% for Project 2007/2010 and 25-55% for Project 2013+. Enterprise passwords respond well to targeted dictionaries built around project codenames, company names, and year/version patterns.
Related Guides
A note for PMO leads
If you are responsible for a PMO archive, consider documenting password-protection practice explicitly in your PM handbook and enforcing a "no file-level password" policy for anything going into corporate archival storage. File passwords are lost routinely, break backup deduplication, and provide no audit trail. Shared-drive NTFS permissions, SharePoint sensitivity labels, or Project Online role-based access all offer better protection without the "one person who left" single point of failure.