I was recently asked about a Microsoft Word document containing a CV that had been created some time ago and saved with password protection.
Unfortunately the password had been forgotten, and no unprotected copy of the document existed, so this is a quick overview of how I recovered it. I obtained permission from the document's owner before attempting any of these actions.
Tools Used
To perform this task, I used:
- John the Ripper (Jumbo build)
- The office2john.py helper script
- The rockyou.txt wordlist
John the Ripper does not operate directly on Word documents, so the first step was to extract the password hash into a format that John understands.
Step 1: Extracting the Word Password Hash
I started by extracting the hash from the protected Word document using office2john.py.
office2john.py protected.docx > word.hash
This reads the document's encryption information (the salt and the encrypted password verifier) and writes it out as a hash string in John's $office$ format. I verified the file was created correctly by inspecting its contents.
cat word.hash
The output contained a single $office$ hash, confirming that the extraction had completed successfully. The version field near the start of the hash (2007, 2010 or 2013) tells John which Office encryption scheme the document uses and therefore which hash function and iteration count to apply per guess.
Step 2: Running John the Ripper with a Wordlist
With the hash extracted, I ran John the Ripper using a dictionary-based attack. For this test, I used the rockyou.txt wordlist and referenced it using its full path to avoid ambiguity.
On my system, the wordlist was located at:
/usr/share/wordlists/rockyou.txt
The cracking command was executed as follows:
john --wordlist=/usr/share/wordlists/rockyou.txt word.hash
John immediately began testing candidate passwords from the wordlist against the extracted Office hash.
Within seconds, John reported that the password had been cracked and advised using the --show option to display the confirmed result.
Step 3: Verifying the Cracked Password
To retrieve the authoritative result, I ran:
john --show word.hash
This produced the following output:
protected.docx:secret
This confirmed that the password protecting the Word document was "secret".
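To make the three steps above concrete, here is an added example (written for this post, not code from John the Ripper or office2john.py) that parses a constructed office2john output line and reproduces the salted, iterated hash chain John computes for every candidate password. The sample line, its all-zero salt and placeholder verifier bytes, and the three-word stand-in for rockyou.txt are all constructed; the final step John performs, decrypting the verifier with AES and comparing it, is omitted because it needs an AES library outside the standard library.

```python
"""Parse an office2john hash line and reproduce the per-guess work John does.

Added example for this post, not code from John the Ripper or office2john.py.
The sample line below is constructed with dummy hex values and does not come
from any real document; only its field layout matches what office2john emits.
"""
import hashlib
import struct
from dataclasses import dataclass

# Constructed sample in office2john's layout:
#   <file>:$office$*<version>*<spinCount>*<keyBits>*<saltSize>*<salt>*<encVerifier>*<encVerifierHash>
SAMPLE_LINE = (
    "protected.docx:$office$*2013*100000*256*16*"
    + "00" * 16 + "*" + "11" * 16 + "*" + "22" * 32
)

# Hash function MS-OFFCRYPTO specifies for each version tag John understands.
HASH_BY_VERSION = {2007: "sha1", 2010: "sha1", 2013: "sha512"}


@dataclass
class OfficeHash:
    filename: str
    version: int
    spin_count: int
    key_bits: int
    salt: bytes
    enc_verifier: bytes
    enc_verifier_hash: bytes


def parse_office_hash(line: str) -> OfficeHash:
    """Split a 'file:$office$*...' line into its fields, validating the layout."""
    filename, sep, hash_part = line.strip().partition(":")
    if not sep or not hash_part.startswith("$office$*"):
        raise ValueError("not an $office$ hash line")
    fields = hash_part.split("*")
    if len(fields) != 8:
        raise ValueError(f"expected 8 '*'-separated fields, got {len(fields)}")
    _, version, spin_count, key_bits, salt_size, salt, verifier, verifier_hash = fields
    version, spin_count, key_bits, salt_size = map(int, (version, spin_count, key_bits, salt_size))
    if version not in HASH_BY_VERSION:
        raise ValueError(f"unsupported $office$ version {version}")
    salt_bytes = bytes.fromhex(salt)
    if len(salt_bytes) != salt_size:
        raise ValueError("salt length does not match the declared saltSize")
    return OfficeHash(filename, version, spin_count, key_bits, salt_bytes,
                      bytes.fromhex(verifier), bytes.fromhex(verifier_hash))


def is_valid_office_hash(line: str) -> bool:
    """True when the line parses cleanly; the check John's format loader would apply first."""
    try:
        parse_office_hash(line)
        return True
    except ValueError:
        return False


def hash_algorithm(version: int) -> str:
    return HASH_BY_VERSION[version]


def initial_hash(password: str, salt: bytes, algo: str) -> bytes:
    """H0 = H(salt || password), with the password encoded as UTF-16LE (MS-OFFCRYPTO)."""
    return hashlib.new(algo, salt + password.encode("utf-16-le")).digest()


def derive_password_hash(password: str, salt: bytes, spin_count: int, algo: str) -> bytes:
    """Run the spin loop: Hn = H(LE32(n) || Hn-1) for n in 0..spin_count-1.

    This is what makes each guess cost spin_count hash operations. The final
    AES verifier decryption and comparison that John performs is left out here.
    """
    h = initial_hash(password, salt, algo)
    for n in range(spin_count):
        h = hashlib.new(algo, struct.pack("<I", n) + h).digest()
    return h


def hash_operations_for_wordlist(spin_count: int, candidates: int) -> int:
    """Total hash operations for a full dictionary run (H0 plus the spins, per guess)."""
    return candidates * (spin_count + 1)


if __name__ == "__main__":
    h = parse_office_hash(SAMPLE_LINE)
    algo = hash_algorithm(h.version)
    print(f"{h.filename}: Office {h.version}, {algo}, {h.spin_count} spins, AES-{h.key_bits}")
    # Constructed three-word list standing in for rockyou.txt.
    for candidate in ["password", "123456", "secret"]:
        digest = derive_password_hash(candidate, h.salt, h.spin_count, algo)
        print(f"  {candidate:>10}: {digest.hex()[:16]}...")
    print("rockyou-sized run (~14.3M words):",
          f"{hash_operations_for_wordlist(h.spin_count, 14_344_392):,} hash ops")
```

Running it shows why the attack still succeeded "within seconds": the 100,000-round loop makes each guess relatively expensive, but "secret" sits near the top of rockyou.txt, so John reaches it long before the iteration cost matters. The same cost is what protects a long random passphrase that never appears in a wordlist.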
Outcome and Observations
The password was successfully recovered almost instantly using a basic dictionary attack. This outcome highlights several important points:
- The password was a common dictionary word.
- No brute-force or advanced rules were required.
- The document offered minimal real-world protection.
In this case, the recovery was intentional and authorised, as it restored access to a lost CV. However, the same technique would work just as effectively against any similarly protected document: once an attacker has a copy of the file, the guessing happens offline, with nothing to rate-limit or lock out attempts.
Conclusion
This exercise reinforces why a Microsoft Word document password should not be relied upon as a strong security control unless the password itself is strong. Modern Office encryption (Office 2013 and later) deliberately slows each guess with 100,000 rounds of SHA-512 before the AES verifier check, so a long random passphrase would have resisted this attack; a single dictionary word did not. Note also that Word's "Restrict Editing" and password-to-modify options are not encryption at all and do nothing to stop someone reading the file. For sensitive documents, a strong, unique passphrase kept in a password manager (so it is neither weak nor forgotten) should be combined with access controls on wherever the file is stored.
All testing described here was performed on a document I owned, for recovery and educational purposes only.