Password protection on PST files should not be relied upon for security. Outlook uses a CRC32 algorithm rather than a cryptographic hash like MD5 or SHA-1, which makes it trivially bypassable.

Applies to Outlook 97–2003 (ANSI format PST files). Outlook 2007 and later use the Unicode PST format, though PST password protection remains weak and should not be considered a security control in any version.

CRC32 is not designed for security — it’s a checksum algorithm meant for error detection. Because of this, multiple different passwords can produce the same CRC value. More critically, a CRC value of zero requires no password at all, and the following strings are all known to generate a zero value:

eyzVS1 tHPuT3 5J8j84 EvIoh4 TGcLo6

Any of these will open a password-protected PST file regardless of what password was originally set.

If protecting PST data is a requirement, password protection alone is insufficient. Filesystem-level security, EFS encryption, or third-party tools should be used instead.

(Source: https://www.nirsoft.net/articles/pst_password_bug.html)