David LeBlanc wrote an excellent overview of encrypted documents in Office.  A long, long time ago, I worked on the Word conversions team (it wasn’t even called Office then).  As part of my job, I wrote a document encryption filter. 

More specifically, I wrote (around 1990 or so) a document obfuscation filter.  I say ‘obfuscation’ because one of the requirements was that the password had to be stored with the (encrypted) document.   Of course, that rendered any possible security null and void, but the customer needed to be able to recover documents with forgotten passwords.

When David talks about XOR obfuscation, I believe that the incredibly weak security was a ‘feature’, not a bug – quite a few companies wanted to be able to prevent casual snoopers from reading their documents, but also wanted to be able to recover from a forgotten password.

DES was a standard in 1990 (it didn’t really fall until 1998), and I know the Office devs had an implementation around to use, as my manager wrote a real encryption filter using DES a couple of months after I wrote my obfuscation filter.