2.4.3.3 PST Password Security

PST files support a password-protect feature that requires an end user to enter a pre-defined password before the PST can be opened. In practice, the PST password is implemented only at the UI level, meaning that the password is only required to gain access to the PST through the UI. The password itself is not used to secure the PST data in any way.

Specifically, the CRC-32 hash of the password text is stored in the PidTagPstPassword property in the PC associated with NID_MESSAGE_STORE. If the property exists and is nonzero, implementations SHOULD prompt the end user for a password, compute the CRC-32 hash of the user password, and verify it against the value stored in PidTagPstPassword. Implementations MUST enforce the PST Password check if a nonzero value for PidTagPstPassword is set in the message store. Further discussion on PST Password Security can be found in section 4.2.
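The check described above, as an added example that is not part of the specification or of any reference implementation. It assumes the message store properties are already parsed into a mapping keyed by property name, and uses zlib's CRC-32 over UTF-8 bytes as a stand-in for the CRC routine and password encoding, which this section does not define; `open_store`, `password_required` and `check_password` are hypothetical names.

```python
import zlib
from typing import Callable, Mapping

PASSWORD_PROP = "PidTagPstPassword"  # property name taken from the text above


def crc32_of_password(password: str) -> int:
    # Assumption: zlib CRC-32 over UTF-8 bytes stands in for the format's
    # own CRC routine and password encoding (not given in this section).
    return zlib.crc32(password.encode("utf-8")) & 0xFFFFFFFF


def password_required(store_props: Mapping[str, int]) -> bool:
    """True only when the property exists and is nonzero."""
    # Mask so a value parsed as a signed 32-bit integer is handled too.
    return (store_props.get(PASSWORD_PROP, 0) & 0xFFFFFFFF) != 0


def check_password(store_props: Mapping[str, int], candidate: str,
                   crc: Callable[[str], int] = crc32_of_password) -> bool:
    """Compare the CRC-32 of the entered password with the stored value."""
    stored = store_props[PASSWORD_PROP] & 0xFFFFFFFF
    return crc(candidate) == stored


def open_store(store_props: Mapping[str, int], payload: bytes,
               prompt: Callable[[], str],
               crc: Callable[[str], int] = crc32_of_password) -> bytes:
    """Gate access the way the text requires: prompt only when needed."""
    if password_required(store_props):
        if not check_password(store_props, prompt(), crc):
            raise PermissionError("PST password check failed")
    # The password is only compared, never used as a key: the payload is
    # returned exactly as stored, whether or not a password was set.
    return payload


if __name__ == "__main__":
    # Constructed sample store, not taken from a real PST file.
    store = {PASSWORD_PROP: crc32_of_password("example-pass")}
    print(open_store(store, b"constructed payload", lambda: "example-pass"))
```

Because the payload comes back unchanged on every path, the only thing separating the data from a reader is whether that reader performs the comparison, which is why the check is a MUST for implementations.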