Microsoft Office 40-bit Encryption and Thunder Tables in Advanced Office Password Recovery

December 20th, 2021 by Oleg Afonin
Category: «Elcomsoft News», «Tips & Tricks»

Before the end of this year, we are releasing one last update. Advanced Office Password Recovery can now break 40-bit encryption in Microsoft Office documents, and gains support for Thunder Tables. What are Thunder Tables exactly, and is 40-bit encryption still relevant? Read along to find out.

What’s it all about?

For a very long time, we had two distinctly different tools sharing very similar names. Almost nobody could tell difference between Advanced Office Password Recovery and Advanced Office Password Breaker, let alone pick the right tool for the job. We’re finally ending this madness confusion, getting rid of the other tool and integrating its features into the one and only tool: Advanced Office Password Recovery.

What is it for?

In a word, it’s for quickly breaking the encryption of password-protected DOC and XLS files, which are Microsoft Word and Excel documents saved by modern versions of the app in the “compatibility” format as opposed to the current DOCX and XLSX formats. You’ll be surprised to learn how many companies are still using these “compatible” with Office 97/2000 apps, but totally insecure formats. The following formats are supported:

  • Microsoft Office 97 and 2000: these versions of Microsoft Office use 40-bit encryption exclusively
  • Microsoft Office XP and 2003: 40-bit encryption is used by default; adds optional CSP support
  • Newer versions of Microsoft Office: documents saved as “Word 97-2003 .doc” or “Excel 97-2003 .xls” still using 40-bit encryption


We’ve simplified licensing of the new product, too. Instead of having a number of Home, Standard, Professional and Forensic editions in two different products, we are now featuring just two: Home and Forensic editions. The main difference is the inclusion of Elcomsoft Thunder Tables into the Forensic edition; more on them below.

Microsoft Office: still using legacy encryption in “compatible” formats

So why Microsoft Office apps are still using legacy encryption when you save a document as a .DOC instead of .DOCX? The reason is buried deep in the history.

Microsoft Office 97 was once released with deliberately weak encryption due to US export restrictions. This exact encryption scheme was carried over to Microsoft Office 2000, even though by the time the export restrictions ceased to exist. The native US versions of Microsoft Office could be configured to use somewhat stronger encryption, yet the setting was rarely enabled because of compatibility concerns – the same concerns that are driving many organizations today to keep using the “compatible” DOC/XLS formats for their document workflow.

Technically speaking, the “compatible” formats are using the RC4 cipher for encryption and MD5 for hashing. A deliberately weak 40-bit encryption key and a single iteration of MD5 hashing are used to protect information.

Even 20 years ago, 40-bit encryption was considered weak enough to be cracked in reasonable time. Today, several hours of brute forcing is all you need to break 40-bit encryption on an average consumer-grade CPU; much less if you use a video card.

In other words, Advanced Office Password Recovery today can decrypt a password-protected Word .doc documents or an Excel .xls spreadsheet saved as “compatible” within a guaranteed, limited timeframe. The exact time needed for the attack will depend on your CPU power alone, and will NOT depend on the length and complexity of the user’s password.

However, brute forcing is not even needed to break 40-bit encryption. Meet Thunder Tables!

The Thunder Tables

Back in the day, crunching through the entire set of 40-bit encryption keys would take several days on an average computer. To cut this time, we fully refactored all possible 40-bit keys to build Elcomsoft Thunder Tables ™, an extension of the Rainbow Tables attack. Using Thunder Tables, you can break all compatible Word documents and about 97% of compatible Excel spreadsheets in just seconds instead of hours. The Thunder Tables are available in the Forensic edition of Advanced Office Password Recovery. You can read more about the Thunder Tables in Thunder Tables™ Explained | ElcomSoft blog.

Prior to this release, users would have to obtain Thunder Tables separately by either copying them from the supplied DVD or flash drive or manually downloading them from our Web site. This is no longer the case: Thunder Tables will be downloaded automatically when you need them. Advanced Office Password Recovery automatically detects the document format and the type of encryption, and suggests downloading Thunder Tables if the document uses 40-bit encryption. Thunder Tables are exclusive to the Forensic edition; Home edition users still have an option to brute-force all available 40-bit keys, which is plenty fast on modern CPUs.

Thunder Tables take a lot of space on your computer; think several GB of data. By default, the tables will be stored in %APPDATA%\Elcomsoft Password Recovery\Thunder Tables. If your system drive does not have the amount of free space required, or if you don’t want to store something as large as Thunder Tables on your boot drive, consider specifying a different path. You can do that by editing the
following Registry key:

Computer\HKEY_CURRENT_USER\SOFTWARE\Elcomsoft\Advanced Office Password Recovery\TTPath

No password required

It is important to note that the actual password is not needed to decrypt documents. Instead, we attack the binary encryption key. If, for any reason, you absolutely must recover the password, you can run a GPU-assisted attack that offers speeds in the order of tens of millions password combinations per second.


The Advanced Office Password Recovery update simplifies the recovery of Microsoft Office documents by automatically choosing the best attack, offering guaranteed timeframe decryption for legacy formats and GPU-assisted password recovery for modern documents with strong encryption.



Advanced Office Password Recovery

GPU-accelerated Advanced Office Password Recovery can use powerful processing units of your AMD and NVIDIA video cards to remove, replace or recover passwords protecting Microsoft Office documents faster. Supporting all versions of Microsoft Office from version 2.0 to 2019, the tool allows specifying a variety of masks and attacks. Its highly-optimized low-level code ensures the quickest recovery of the most complex passwords.

Advanced Office Password Recovery official web page & downloads »