Outlook PST Password Recovery
The Outlook .pst password is the oldest and weakest of all Microsoft Office password mechanisms still in use in 2026. It has been documented as "deterrent only" by Microsoft engineers since the late 1990s, yet it still appears in Outlook 2019 and the perpetual-license Microsoft 365 desktop client. A PST password, no matter how long or random, can be removed in under a second because it is stored as a 32-bit CRC-style hash rather than as the key to any actual encryption. This guide explains exactly why, how to recover access, where the .ost file format differs, and what happens with the brand-new Outlook client that ships without PST support at all.
PST Versus OST: Know Which File You Have
Before anything else, check the file extension. A PST (Personal Storage Table) is a self-contained mail archive. Outlook creates one automatically for POP3 accounts, and any user can manually export messages, contacts and calendar items from Exchange, IMAP or Microsoft 365 into a PST for backup or migration. A PST can be carried on a USB stick, attached in Outlook as a secondary data file, opened with PST viewers, and — unfortunately for people who forget their password — has been protectable with a password since Outlook 97.
An OST (Offline Storage Table) is a different animal. It is a locally cached copy of a server mailbox (Exchange or Microsoft 365). Outlook creates the OST transparently whenever you add an Exchange-style account in Cached Exchange Mode. The OST is tied to the account's unique object identifier and to the Windows profile that created it. You cannot open an OST on another machine or under another user account, and there is no independent password to recover — the "password" for OST data is implicitly the account credentials that Outlook used when creating the cache.
Practical implication. If your file ends in .pst, this guide applies. If it ends in .ost and you have forgotten the Exchange account password, your recovery path is not here — it is resetting the Exchange account, reopening Outlook, and letting a fresh OST synchronize. The old OST is effectively disposable.
Inside the PST File: Why the Password Does Not Matter
Microsoft publishes the PST format as [MS-PST] in its Open Specifications programme. Anyone can read it. The document spells out three things about security: the password is a 32-bit CRC-style hash derived from the ASCII password text, the mail body is scrambled with either Compressible Encryption (CE) or High Encryption (trivial XOR-substitution ciphers), and neither scrambling method is keyed to the password. In other words, the data is "encrypted" whether or not you set a password — the password only controls whether Outlook refuses to display the UI until you type a matching string.
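The extension check above is a good first step, but the file header is authoritative: every Outlook data file starts with the magic `!BDN`, the two bytes at offset 8 say whether the file is a PST (`SM`) or an OST (`SO`), `wVer` at offset 10 tells ANSI from Unicode layouts, and a single byte records which of the body-scrambling methods just described is in use. The following script, an added example that is not code from this guide or from any Outlook tool, reads those fields; the offsets are my reading of the HEADER structure in [MS-PST] (`bSentinel`/`bCryptMethod` at 460/461 for the ANSI layout and 512/513 for the Unicode layout), and the headers it is fed are constructed test vectors rather than real mailboxes. Its `scan()` helper is the inventory step an administrator needs before moving stray PST files under BitLocker.

```python
"""Tell PST from OST (and see how the body is scrambled) by reading the file
header rather than trusting the extension.

Added example for this guide, not code from the original page or from any
Outlook tool. Field offsets follow the HEADER structure in [MS-PST] as I read
it: dwMagic at 0, wMagicClient at 8, wVer at 10, and bSentinel/bCryptMethod at
460/461 for the ANSI layout and 512/513 for the Unicode layout. The headers
fed to it below are constructed test vectors, not real mailboxes.
"""
import os
import struct

MAGIC = b"!BDN"                        # dwMagic, present in every Outlook data file
CLIENT = {b"SM": "PST", b"SO": "OST"}  # wMagicClient
# wVer: 14/15 = ANSI layout (Outlook 97-2002), 23 = Unicode (2003+), 36 = 4 KiB-page OST
LAYOUT = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode"}
SENTINEL_OFFSET = {"ANSI": 460, "Unicode": 512}   # bSentinel (0x80), bCryptMethod follows it
CRYPT = {0: "none", 1: "Compressible Encryption", 2: "High Encryption"}


def classify(header: bytes) -> dict:
    """Return what kind of file this header belongs to and how its body is scrambled."""
    if len(header) < 514 or header[:4] != MAGIC:
        return {"kind": "not an Outlook data file"}
    kind = CLIENT.get(bytes(header[8:10]), "unknown client")
    (wver,) = struct.unpack_from("<H", header, 10)
    layout = LAYOUT.get(wver)
    if layout is None:
        return {"kind": kind, "layout": f"unknown wVer {wver}"}
    off = SENTINEL_OFFSET[layout]
    info = {
        "kind": kind,
        "layout": layout,
        "sentinel_ok": header[off] == 0x80,
        "crypt": CRYPT.get(header[off + 1], f"unknown ({header[off + 1]})"),
    }
    # The recovery path differs completely between the two file types.
    if kind == "PST":
        info["note"] = ("password field is a 32-bit CRC and body scrambling is not "
                        "keyed to it: treat the file as plaintext and protect the "
                        "volume (BitLocker/EFS)")
    elif kind == "OST":
        info["note"] = "server cache; there is no file password, reset the account instead"
    return info


def scan(paths):
    """Classify every Outlook data file under the given directories. Meant for
    inventorying PST files left on shares or backups so they can be moved
    onto encrypted storage."""
    results = {}
    for root in paths:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        head = f.read(1024)
                except OSError:
                    continue
                if head[:4] == MAGIC:
                    results[path] = classify(head)
    return results


def make_header(client: bytes, wver: int, crypt: int) -> bytes:
    """Constructed test vector: a zeroed 1024-byte header with only the fields
    classify() reads filled in. Not a file Outlook would open."""
    h = bytearray(1024)
    h[0:4] = MAGIC
    h[8:10] = client
    struct.pack_into("<H", h, 10, wver)
    off = SENTINEL_OFFSET[LAYOUT[wver]]
    h[off] = 0x80
    h[off + 1] = crypt
    return bytes(h)


if __name__ == "__main__":
    for client, wver, crypt in ((b"SM", 23, 1), (b"SM", 14, 0), (b"SO", 36, 2)):
        print(classify(make_header(client, wver, crypt)))
```

Run `scan(["/path/to/share"])` against a backup share to get a dictionary of every PST and OST found with its layout and scrambling method; any entry whose `kind` is `PST` should be treated as an unencrypted mail archive regardless of whether a password was set on it.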
The 32-bit hash is stored in a header record called pstPassword inside the PST root. A recovery tool that wants to remove the password simply opens the file, seeks to that field, and zeros the four bytes. Outlook will then open the file without prompting. A recovery tool that wants to compute a matching password picks a candidate, runs the hash, and compares — because there are only 2^32 possible values, thousands of short strings collide with any given stored hash. Finding one takes seconds on any CPU.
```python
# Outline of the PST password hash (from [MS-PST]).
# CRC_TABLE is the 256-entry table printed in the spec, i.e. the standard
# reflected CRC-32 table (polynomial 0xEDB88320); built here so this runs.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

def pst_hash(password):
    # For each byte of the password string, XOR into a rolling CRC32 using
    # CRC_TABLE. The register starts at 0 and is never complemented, so this
    # is not the standard CRC-32 of the same bytes. Truncate to 32 bits.
    crc = 0
    for ch in password.encode("ascii"):
        crc = CRC_TABLE[(crc ^ ch) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF
# 2^32 possible outputs means thousands of short passwords collide
# with any given hash. Brute-forcing a matching candidate is trivial.
```

Outlook versions that use this exact mechanism, verified against the specification and open-source libpff / pypff test corpora, include Outlook 97, 2000, 2002 (XP), 2003, 2007, 2010, 2013, 2016, 2019 and 2021. The perpetual-license desktop client shipped alongside Microsoft 365 uses the same PST format. In thirty years of product evolution the protection has not been strengthened by a single bit.
A long PST password is no stronger than a one-letter password
Because the hash is only 32 bits wide, a password of ten random printable characters and a password of "a" collapse into the same 4-billion-value space. Any recovery tool reaches either one equally fast. If you are choosing a PST password for real security, do not — use BitLocker or EFS on the drive instead, or attach the PST to an Exchange Online mailbox and let server-side encryption handle it.
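Counting the candidate strings makes this concrete. The derivation below is added here and is not part of the original guide; it assumes the CRC output is spread close to uniformly over the 32-bit range, which holds for inputs longer than four bytes. With 95 printable ASCII characters, the number of strings of length at most $L$ is

$$
N(L)=\sum_{k=1}^{L} 95^{k}, \qquad N(5)\approx 7.82\times10^{9} > 2^{32}\approx 4.29\times10^{9},
$$

so by five characters there are already more candidate passwords than hash values. The expected number of strings of length at most $L$ that share one given stored hash is

$$
E(L)=\frac{N(L)}{2^{32}}, \qquad E(6)\approx 173, \qquad E(7)\approx 1.6\times10^{4}.
$$

Those are the "thousands of short strings" that collide with any stored hash, and the same count is why the FAQ entry on recovering the original password answers "not reliably": a 25-character password has about $95^{25}/2^{32}\approx 6\times10^{39}$ other strings mapping to its hash, so the first match found is, with overwhelming probability, not the original.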
Step-by-Step: Removing the Password
- Close Outlook. Confirm OUTLOOK.EXE is not in Task Manager. If the PST is still attached it will have an exclusive lock.
- Copy the PST. Work on a duplicate. Mail archives are irreplaceable; never run a recovery tool on your only copy.
- Run a PST password remover. Free options include the classic "pst-password" command-line tool (Windows), `readpst` in the libpst suite (Linux/macOS, part of most distributions), or Python scripts built on `pypff`. All three produce a recovered password in under a second, or zero the hash field if that is what you prefer.
- Alternative: hashcat mode 8500. If you prefer the hashcat workflow, run `pst2john.py yourfile.pst > hash.txt` and then `hashcat -m 8500 hash.txt -a 3 ?a?a?a?a?a?a`. The mask covers 6-character printable ASCII and completes in milliseconds on any GPU.
- Reattach in Outlook. Open Outlook, go to File → Open & Export → Open Outlook Data File, select the PST. If you wiped the hash, Outlook opens it with no prompt. If you recovered a password, type it in.
- Change or remove the password. File → Account Settings → Data Files → select the PST → Settings → Change Password. Clear both fields to remove protection, or set something new for record-keeping.
Recovery Success Rates by Outlook Version
| Outlook version | PST format | Hash | Recovery |
|---|---|---|---|
| Outlook 97 / 98 | ANSI PST (2 GB limit) | 32-bit CRC | Instant, 100% |
| Outlook 2000 / 2002 / 2003 | ANSI PST or Unicode PST | 32-bit CRC | Instant, 100% |
| Outlook 2007 / 2010 | Unicode PST (20 GB / 50 GB) | 32-bit CRC | Instant, 100% |
| Outlook 2013 / 2016 / 2019 / 2021 | Unicode PST | 32-bit CRC (unchanged) | Instant, 100% |
| New Outlook (2024+) | No PST support | N/A (server-side) | Reset account credentials |
The Hash column is identical for every perpetual Outlook version because the format has not changed. The only real break point is the move in 2024 to the new Outlook, which does not store mail locally and has no per-file password.
Hashcat Command Cheatsheet
```bash
# Extract hash from PST (pst2john ships with john-jumbo)
python3 pst2john.py archive.pst > hash.txt

# Brute-force all 6-char printable ASCII (completes in under a minute on CPU)
hashcat -m 8500 -a 3 hash.txt ?a?a?a?a?a?a

# Dictionary attack using rockyou
hashcat -m 8500 -a 0 hash.txt rockyou.txt -r rules/best64.rule

# The 32-bit hash space is so small that exhaustive mask up to 8 chars finishes
# in minutes on any CPU, no GPU needed
hashcat -m 8500 -a 3 hash.txt --increment --increment-min=1 --increment-max=8 ?a?a?a?a?a?a?a?a
```
Note that because the hash is so narrow, the "password" hashcat finds may not be the original string — it will be a collision. Outlook will still accept it. If for legal or chain-of-custody reasons you need the exact original password (for example if the PST is evidence in a civil matter), ask your forensic tool to print all collisions up to some length and cross-reference against known user password patterns.
What About the OST File?
OST files come up constantly in support requests because users see them in their local AppData folder and assume they are the mail archive. They are not — they are a disposable cache. When you add an Exchange, Microsoft 365 or Outlook.com account to Outlook classic in Cached Exchange Mode, Outlook creates %LOCALAPPDATA%\Microsoft\Outlook\username@domain.ost and synchronizes the server mailbox into it. The OST is encrypted with a key derived from DPAPI and tied to your Windows user SID; it cannot be opened by another user, on another machine, or after the account has been removed from Outlook.
This means there is no such thing as an "OST password" to recover. What people actually need in this scenario is one of three things:
- They forgot the Exchange / Microsoft 365 account password. Reset it through the IT admin or the Microsoft account recovery flow. Reopen Outlook. A new OST will build automatically.
- They lost the Windows profile that created the OST (fresh install, disk failure). Unrecoverable from the OST alone. You must regain Exchange access and re-sync.
- They want to convert OST to PST. Many commercial utilities offer this, but all of them require the Outlook profile that owns the OST to be functional. You cannot convert an "orphaned" OST without the original DPAPI key.
The New Outlook and the End of PST
In 2024 Microsoft began rolling out the "new Outlook for Windows" client, which replaces the classic Win32 Outlook for many users over the following few years. The new Outlook is essentially Outlook on the Web wrapped in a desktop frame. It does not use PST files at all. Mail, contacts and calendar live on the server; local caching uses IndexedDB inside the Edge WebView2 runtime. There is no separate file to password-protect, and therefore no separate password to forget.
This is genuinely good news for security. The 32-bit PST password was never fit for purpose; removing PST from the product line closes the weakness by deletion. It is less good news for people who relied on PST export as a migration tool — the new Outlook has only limited export capability and is missing many PST-era features. Microsoft has committed to maintaining classic Outlook in parallel until at least 2029, so PST password recovery will remain a common request for years yet.
We unlock PST files for free
Because removing a PST password takes under a second, we do not charge for it. If you want us to do it for you rather than running pst2john locally, upload your file and we will return the recovered password within minutes. The guaranteed recovery list includes PST alongside PDF R=2 40-bit and Office 97-2003 40-bit files. For paid Office recovery (2007+) see our Excel guide and Word guide.
Common Misunderstandings
"I set a 25-character password on my PST, it is safe."
Not from anyone with five minutes and an open-source tool. The 32-bit hash collapses any password length to the same search space. Use BitLocker or EFS for real protection.
"My OST is the one with the password — I need to brute-force it."
The OST has no password field separate from the Exchange account. What you are seeing is the Windows credential prompt for the account itself. Reset the account, not the file.
"PST password recovery tools cost $50 — that must be because it is hard."
No, it is because the market is used to paying. The underlying operation takes a fraction of a second. Free tools achieve the same result; the paid ones simply wrap a friendlier UI around identical code.
"I exported a PST from Microsoft 365 — is it safer than the old one?"
The file format is still PST. Once exported, it uses the same 32-bit hash and the same encoding ciphers. Server-side tenant protection does not follow the file off the server.
Frequently Asked Questions
Is the Outlook PST password really only 32 bits?
Yes. The password is stored as a 32-bit CRC-style hash. The mail content encoding is fixed and not keyed to the password. Length and complexity of your password are irrelevant — all passwords collapse into the same 4-billion-value hash space.
Can I recover the original password, not just a collision?
Not reliably. The hash is so narrow that thousands of short strings collide. You will recover a password Outlook accepts. For exact-original-string recovery (e.g., legal evidence), enumerate collisions and cross-reference against known patterns — but do not expect certainty.
Does Outlook 2019 or Microsoft 365 still use PST?
The classic Outlook client (including the one bundled with Microsoft 365 perpetual licences through 2021 and beyond) uses PST and OST. The new Outlook client rolling out from 2024 does not use PST at all — mail lives on the server.
What about OST files?
OST is a cache of a server mailbox, not a password-protected archive. Recovery for an OST means regaining access to the associated Exchange or Microsoft 365 account. Orphaned OST files without the original Windows profile cannot be decrypted.
Why has Microsoft never strengthened the PST password?
Microsoft has repeatedly stated the PST password is 'deterrent only'. Real Outlook data protection is supposed to come from BitLocker, EFS or IRM. Keeping the weak scheme preserves backward compatibility with decades of backup, migration and archive tools.
A note on PST security going forward
If your organisation relies on PST files for archival, treat them as unencrypted. Protect the storage medium with BitLocker, store the files on an encrypted share, or migrate to a proper archive solution such as Microsoft Purview, Mimecast or Barracuda. The PST password field is a UI prompt, not a security control, and anyone who obtains a copy of the file has unfettered access to its contents within seconds.