OneNote .one Sections

OneNote Password Recovery

OneNote's password protection is different from every other Office app. It encrypts individual sections — not the whole notebook, not the file, not a folder — and it does so with section-specific keys that Microsoft never sees. Each protected section carries its own AES key material derived from the password you typed when you ticked the "Password Protect This Section" box years ago. If you forget that password, no Microsoft support ticket, no reinstallation, no account reset can recover it. This guide explains what OneNote actually encrypts, the exact algorithms used across versions, and how to approach recovery with hashcat and office2john.

Section-Level Encryption — A Design Decision

Unlike Word, Excel or PowerPoint, which wrap the entire file in a single AES envelope, OneNote keeps a notebook organised as a tree of independently-stored sections. A notebook is really a folder on disk containing one .one file per section, plus a .onetoc2 table of contents. When you password-protect a section, only that one .one file is encrypted; everything else in the notebook remains plain. The tab in the section navigation still appears, with a small padlock icon, but clicking it prompts you to enter the section password before any content displays.

This is a genuinely useful feature. You can keep a shared notebook with colleagues and have a single private section ("Salary notes", "Interview prep") that only you can open. You can protect sections individually with different passwords for different purposes. You can have half a notebook sync-able through OneDrive and the other half fully encrypted from Microsoft's view. Enterprise-grade features on a personal-grade product.

The downside is that each section password is a single point of failure. Forgetting a section password loses that one section but not the rest of the notebook. Users who routinely protected every section with a different password — which OneNote encourages — then forget one and discover that the other nine are fine while section four is permanently inaccessible.

Exactly What Gets Encrypted

When you password-protect a section, OneNote derives a key from your password and encrypts the section's content stream (all pages, embedded images, file attachments, ink strokes) with that key. The metadata — section title, page titles, creation dates — stays partially visible in the table of contents, but the actual page bodies are sealed. Search across your notebook cannot match words inside a locked section. Print, export, copy, and even OneNote's own "Recent Edits" feature skip locked sections.

On disk, a locked section appears as a normal .one file but starts with a different header marker. Open it in a hex editor and the plain OneNote signature {7B 5C 50 4F} is replaced by an encrypted-section marker. office2john recognises these markers and extracts the relevant hash fields.

Microsoft holds no copy of the password or the derived key. When your notebook syncs to OneDrive, the encrypted .one file is uploaded as-is; the cloud never sees the plaintext. This means Microsoft support cannot help and also means that a OneDrive-stored protected section is as safe as a locally-stored one — the security boundary is the password, not the location.

Encryption Algorithms by Version

Version                              Cipher   Key derivation              Recovery chance
OneNote 2003 / 2007                  RC4      SHA-1, no salt iteration    High, fast
OneNote 2010 / 2013                  3DES     SHA-1, 50,000 iterations    Dictionary, 40-60%
OneNote 2016 / 2019 / 365            AES-128  SHA-1, 50,000 iterations    Dictionary, 30-50%
OneNote for Windows 10 (deprecated)  AES-128  SHA-1, 50,000 iterations    Dictionary, 30-50%

The 50,000 PBKDF2 iterations in modern OneNote are half as many as modern Office file encryption uses (100,000 SHA-512), which makes OneNote marginally easier to brute-force per password guess on GPU hardware. On a single RTX 4090 you can test roughly 8-10 million candidates per second against OneNote 2016 — compared to about 3-5 million for Office 2016 Excel files.

Section password ≠ Microsoft account password

Users routinely email us saying "I reset my Outlook password but the OneNote section still asks for one." These are two completely separate passwords. The Microsoft account password lets you sign in to OneDrive where the notebook is stored. The section password is the cryptographic key to the section contents, typed once at creation time and never transmitted to Microsoft. Resetting one does nothing to the other.

Where OneNote Stores the File You Need

To run any recovery tool you need the .one file on disk, not a cloud reference. The file location depends on how your notebook is configured:

  • Local notebooks (on your own drive): Whatever folder you chose when creating the notebook, typically Documents\OneNote Notebooks\YourNotebook\YourSection.one.
  • OneDrive-synced notebooks: The cached copy lives at %LOCALAPPDATA%\Microsoft\OneNote\16.0\cache\. Files there are renamed to GUIDs — use the modified date to find the section you care about.
  • SharePoint / Teams notebooks: The cached sync location is the same as OneDrive, but only for sections you have opened at least once in the desktop client.

If you only ever used OneNote on the web or on an iPad, you may not have a .one file anywhere on your own machine. The trick: open the notebook once in OneNote desktop, click every section once to force a sync, then quit OneNote. Now the cached .one files exist.

Extract the Hash with office2john

office2john.py ships with the jumbo build of John the Ripper. Despite its name it handles OneNote .one files starting from the 2019 jumbo release. The workflow:

# Clone john jumbo
git clone https://github.com/openwall/john.git
cd john/run

# Extract hash from a OneNote section file
python3 office2john.py /path/to/locked-section.one > onenote_hash.txt

# Inspect — should look like:
# locked-section.one:$office$*2016*100000*128*16*<salt>*<verifier>*<verifier_hash>

The hash format overlaps with regular Office 2016 file encryption because Microsoft re-used the same PBKDF2/AES-128 primitives. For that reason the hashcat mode is the same as for an Excel 2016 file — mode 9600 — even though the source file is a OneNote section.

Run hashcat

The classic dictionary-plus-rules attack covers most real-world passwords:

hashcat -m 9600 -a 0 onenote_hash.txt rockyou.txt -r rules/best64.rule
# Then escalate if no hit:
hashcat -m 9600 -a 0 onenote_hash.txt rockyou.txt -r rules/T0XlC.rule
# Mask attack for short all-lowercase:
hashcat -m 9600 -a 3 onenote_hash.txt ?l?l?l?l?l?l?l?l
# Year-appended common passwords:
hashcat -m 9600 -a 6 onenote_hash.txt common.txt ?d?d?d?d

On a single RTX 4090 the full rockyou.txt dictionary (14 million entries) against OneNote 2016 takes roughly 25 minutes with best64 rules. T0XlC rules expand the candidate set by a factor of sixty and take correspondingly longer, but catch leetspeak and capitalisation variants. If nothing hits after rockyou+T0XlC, the password is most likely not in any public dictionary and your best bet is a mask attack aimed at the character classes and length you remember.

When You Half-Remember the Password

OneNote users tend to protect sections with informal passwords tied to the section's content — a project codename, a birthday, a pet name plus a year. If you half-remember the password, a custom mask almost always beats a pure dictionary attack. For example, if you think the password starts with "Luna" and ends with a four-digit year:

hashcat -m 9600 -a 3 onenote_hash.txt Luna?d?d?d?d
# 10,000 candidates total — runs in under a second

If you think the password was "the name of my dog capitalised, with a ! at the end":

# Build a small custom wordlist of dog names
echo -e "Rex\nBuddy\nMax\nLuna\nCharlie" > dogs.txt
# Attack: dog name + !
hashcat -m 9600 -a 6 onenote_hash.txt dogs.txt ?s
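To size a mask before running it, here is an added planning script (not from the page, hashcat or office2john). It assumes hashcat's built-in charset sizes and a guess rate of 9 million candidates per second, the midpoint of the RTX 4090 figure quoted above; it also sizes the dogs.txt + ?s hybrid attack.

```python
"""Keyspace and run-time planner for the hashcat masks shown above.

Added example (not from the page, hashcat or office2john). The guess rate is
an assumption: the midpoint of the page's quoted 8-10 million candidates/s
for OneNote 2016 on one RTX 4090. Adjust RATE_PER_SECOND for other hardware.
"""

# Sizes of hashcat's built-in charsets: ?l lower, ?u upper, ?d digit,
# ?s printable symbols (incl. space), ?a all printable ASCII, ?h/?H hex, ?b bytes.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33,
                "a": 95, "h": 16, "H": 16, "b": 256}
RATE_PER_SECOND = 9_000_000  # assumption, see module docstring

def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask generates.

    '?x' expands to a built-in charset, '??' is a literal '?', and any other
    character is fixed (a factor of 1, like the 'Luna' prefix in Luna?d?d?d?d).
    """
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        code = mask[i + 1]
        if code in CHARSET_SIZE:
            total *= CHARSET_SIZE[code]
        elif code != "?":
            raise ValueError(f"unknown charset ?{code}")
        i += 2
    return total

def hybrid_keyspace(wordlist_size: int, mask: str) -> int:
    """Keyspace of a hashcat -a 6 attack: every word times every mask expansion."""
    return wordlist_size * mask_keyspace(mask)

def seconds_to_exhaust(candidates: int, rate: int = RATE_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return candidates / rate

if __name__ == "__main__":
    for m in ("Luna?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        n = mask_keyspace(m)
        print(f"{m:28} {n:>26,} candidates  {seconds_to_exhaust(n)/3600:>18,.2f} h")
    # dogs.txt (5 names) + ?s, as in the second attack above
    n = hybrid_keyspace(5, "?s")
    print(f"{'dogs.txt ?s':28} {n:>26,} candidates  {seconds_to_exhaust(n)/3600:>18,.2f} h")
```

The twelve-character ?a line is there for contrast: at the same rate it does not finish in any useful time, which is the argument for the password advice further down.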

This kind of targeted attack is where user-supplied hints help enormously. Our recovery service accepts hints in the upload form — "probably starts with my initials JS" — and builds a tailored attack plan around them before falling back to generic dictionaries.

What You Cannot Do

A number of shortcuts do NOT work for OneNote section recovery, and we keep seeing users try them:

  • Copy the section inside OneNote. OneNote refuses — the clipboard protection cannot be turned off.
  • Export to PDF. The File → Export menu greys out protected sections.
  • Read the .one file in a text editor. You see an encrypted binary blob, not the text.
  • Reset the Microsoft account password. No effect — Microsoft has no copy of the section key.
  • Reinstall OneNote. Reinstalling does not change the encryption.
  • Open on a different computer. The .one file syncs down already encrypted; same result.
  • Contact Microsoft Support. They will confirm they cannot help.

The only genuine recovery path is guessing the password through computational attack — either locally on your own GPU or through a recovery service.

Good Practice Going Forward

Since OneNote section passwords are unrecoverable if you forget them, a small amount of discipline avoids future disasters:

  • Store the section password in a password manager the instant you set it — before you even click OK.
  • Use one strong, memorable password across related sections rather than ten weak ones you cannot keep track of.
  • Export to PDF periodically. OneNote's File → Export → Section as PDF creates a searchable archive you can stash separately. It does require you to unlock the section first, but you can do it while you still remember.
  • Include a password hint in the section title. "Budget ideas (Q for quarterly code)" reminds you which password you used without spelling it out.

Upload your .one file for a free check

We run OneNote section files through the same GPU pipeline used for Office passwords. The free check covers 140M+ common passwords and typical hint-based patterns (names, years, codes) and finishes in about ten minutes. For stronger passwords we run a 24-hour targeted attack if you supply hints. You do not pay unless the password is recovered.

Frequently Asked Questions

Does OneNote encrypt the whole notebook?

No. OneNote encrypts at the section level. A notebook can have a mix of protected and unprotected sections, each with its own independent password. The section tabs remain visible in navigation even when locked.

Is my OneDrive password the same as my OneNote section password?

No. OneDrive credentials authenticate the sync; they do not unlock section contents. A protected section remains encrypted in the cloud — Microsoft cannot read it and cannot reset it.

Why does OneNote ask for the password every 10 minutes?

OneNote expires the in-memory decrypted key after ten minutes of inactivity by default to reduce the shoulder-surfing risk. Adjust the timeout in File → Options → Advanced.

Can I export a protected section to PDF without the password?

No. OneNote refuses export, print, search and copy until the section is unlocked in memory. There is no bypass from inside the app.

What encryption algorithm does OneNote use?

OneNote 2007 used RC4. 2010 and 2013 used 3DES with SHA-1 and 50,000 PBKDF2 iterations. 2016 and later use AES-128 with the same key-derivation settings. The modern OneNote cipher is comparable to Excel 2013 file encryption.