Distribute Excel Workbook with licence?

[Mike MacSween]

I have an Excel Workbook I want to distribute. I want to copy protect it. I
want to be able to email/post it to users, on first use they will be
prompted to enter a code, distributed with the workbook, they will then
connect to the web, and receive an 'unlock' key.

The web side of things will need to keep count of how many licences they
have bought.

Any ideas? I thought of doing this via a small vb app, then using one of the
many 3rd party protection systems to protect the vb app, which will in turn
open the workbook (perhaps with an encrypted password?).

Security isn't massively important, this doesn't need to be to banking
standards. I just want to track who has paid for it and prevent casual
copying. It isn't a mass market product to I doubt it'll appear on Warez
sites. The data in the spreadsheet isn't important, it's the structure and
formulae etc. The data isn't sensitive.

Yours, Mike MacSween

 

[Tom Ogilvy]

copy protection on workbooks is so weak, there isn't a lot of use in getting
carried away with it. Any VBA based solution can be overcome by disabling
macros for a start. Any password can be bypassed with a password cracker -
many of which are available on the web.

Files can be copied using Explorer/the command window, so not sure how you
intend to copy protect it.

If the structure and the formulas are what is important, that would be the
hardest to protect if the user needs to able to type things in the workbook.
You would need to put critical logic into a compiled DLL or com addin or
something like that.

 

[Sonny Maou]

I have an Excel Workbook I want to distribute. I want to copy protect it. I
want to be able to email/post it to users, on first use they will be
prompted to enter a code, distributed with the workbook, they will then
connect to the web, and receive an 'unlock' key.

Probably best to write some custom code that can then output Excel files
(if you really want to be able to use Excel).

 

[Alert]

I have an Excel Workbook I want to distribute. I want to copy protect it. I
want to be able to email/post it to users, on first use they will be
prompted to enter a code, distributed with the workbook, they will then
connect to the web, and receive an 'unlock' key.

The web side of things will need to keep count of how many licences they
have bought.

This is entirely feasible. I would suggest that you impliment this
solution with Macros and protect it with standard MS Excel password
protection.

Any ideas? I thought of doing this via a small vb app, then using one of the
many 3rd party protection systems to protect the vb app, which will in turn
open the workbook (perhaps with an encrypted password?).

Security isn't massively important, this doesn't need to be to banking
standards. I just want to track who has paid for it and prevent casual
copying. It isn't a mass market product to I doubt it'll appear on Warez
sites. The data in the spreadsheet isn't important, it's the structure and
formulae etc. The data isn't sensitive.

Yours, Mike MacSween

If security were more important, you might consider creating an Excel
Add In.

 

[Chip Pearson]

If security were more important, you might consider creating an Excel
Add In.

A standard Excel add-in (XLA file) is no more secure that a
workbook. For real security, you need to use an XLL or a COM
add-in.


--
Cordially,
Chip Pearson
Microsoft MVP - Excel
Pearson Software Consulting, LLC
www.cpearson.com

"Mike MacSween" <[email protected]>

wrote in message

 

[arno]

Hello Chip,

A standard Excel add-in (XLA file) is no more secure that a
workbook.

Is it true that Excel 97 Add-ins even without VBA-Passwords are secure? Do
you know how securing the workbook/addin was done in Excel 97. I hate to say
that but I am too young to know

best regards

arno

 

[Dave Peterson]

I'm not Chip, but until he returns...

Excel Addins (*.xla's) are not secure at all--and without a password, even the
most mildly curious will be able to see/modify your code.

Addins with passwords are only slightly better. The passwords will stop the
honest--but not the determined. And there are password breakers all over the
internet. With enough money (about 50 USD, IIRC), anyone can see and modify
your code.

That's why Chip wrote: For real security, you need to use an XLL or a COM
add-in.

These are compiled (a lot like regular programs (*.exe's)) and I'm not sure
there is a human who can read those.

 

[Mike MacSween]

I'm not Chip, but until he returns...

Excel Addins (*.xla's) are not secure at all--and without a password, even the
most mildly curious will be able to see/modify your code.

Addins with passwords are only slightly better. The passwords will stop the
honest--but not the determined. And there are password breakers all over the
internet. With enough money (about 50 USD, IIRC), anyone can see and

modify

Not talking about this particular case, but I frequently hear the 'you can
buy a password cracker so the password is useless' statement. I bought one
yesterday and ran it against the file open password on an Excel file. I'd
used a deliberately obscure, completely non alphanumeric long password. It
went through the dictionary attack (and failed, obviously) in 5 seconds. It
then started on the brute force attack (well, a sort of refined brute
force). I turned it off after a few hours when it was still running
bXXXXXXX. As a matter of fact when I tried to set it up to so that it would
(eventually) get my password it complained that it would take too long, and
shortened the length of the passwords it would try, basically guaranteeing
it wouldn't ever get mine. It estimated 45,000 days!

I think it's a myth. Sure, if somebody uses their first name+last name as a
password, that's easy to crack. I've 'cracked' that often enough when I've
needed to log on as a user and I know their name. But I really don't think
that passwords are as useless as everybody says. If you know how to make a
very strong password then you can do a lot.

Mike

 

[Dave Peterson]

This is interesting, but I've seen code/algorithms that can unprotect a VBA
project in seconds--no matter what the the password is.

It was disappointing that it was that easy.

 

[arno]

Hi Mike,

you are not right. Esp. removing the VBA-password is very, very, easy. E. g.
Sheet protection passwords are cracked without knowing the password simply
by using binary numbers 0011010100, in the end one always fits.

This is why I asked how Excel **97** did the job.

arno

 

[Chip Pearson]

I think it's a myth

I use VBA Key from PassWare ($45), and it breaks VBA passwords in
a matter of a few seconds. For example, a 16 character mixed
alpha/numeric/special char password was broken in Excel 2003 in
about 3 seconds.

Of course, it doesn't recover the password that was actually used
to protect the project, only a password that will work to open
the project.

The principle still stands: password protection is useless
against users who really want to get to your code. If security is
critical, write a COM Add-In.


--
Cordially,
Chip Pearson
Microsoft MVP - Excel
Pearson Software Consulting, LLC
www.cpearson.com

 

[Mike MacSween]

Yup, I'm sure you're all right.

My point was that I tried EXACTLY what the supposed end user who wants to
get into our file is expected to do:

went on the web, searched for 'Excel, password, cracker' or something.
Bought one, and ran it against an Excel workbook with a long, strong _file_
password.

It didn't get in. I could see what it was doing. It wasn't going to get in,
not in my lifetime.

It's a complete Office password cracker, I'll run it against a few other
things and see what happens. This was the file password, which people say is
stronger than others.

The 'myth' I'm talking about is that these sorts of passwords are a waste of
time 'cause anybody can get past them.

Some people can, with enough incentive and dermination.

I took an enquiry the other day. Somebody wanted to know how much/long it
would take to build a computer system to manage a video rental shop. She
couldn't find any software that did that. Many users are a great deal less
savvy at finding stuff on the net than they are given credit for.

Mike

 

[Mike MacSween]

OK, just done a few tests, usually using !"£$%^&*()_+ or something like that
as a password.

Excel - worksheet & VBA passwords cracked in a blink. Or working substitutes
given.
Access - file password, VBA passwords and .mdw passwords cracked in no time.

The ones it didn't do, and it's possible from looking how it's working to
see if it will, were Excel file passwords and Word file passwords.

Anybody got any different results with their 'favourite' password cracker?

Mike

 

[JE McGimpsey]

I don't think that anyone would argue (or has been arguing) that file
passwords are a "waste of time". They only serve a limited purpose,
however, since the goal of distributing your code is so that it can be
used.

Once a user enters the password so that the file opens, all the jewels
are exposed for the taking, and it's almost trivial to save the workbook
without the password, for later use or redistribution.

 

[Mike MacSween]

I don't think that anyone would argue (or has been arguing) that file
passwords are a "waste of time". They only serve a limited purpose,
however, since the goal of distributing your code is so that it can be
used.

Once a user enters the password so that the file opens, all the jewels
are exposed for the taking, and it's almost trivial to save the workbook
without the password, for later use or redistribution.

Sure, just talking generally. It was interesting how this particular tool
either cracked passwords in a jiffy, or not atall. Well, to be more precise,
I could see how long it was taking, and knowing the password I had set could
see it was going to take too long.

Upshot seems to be that Word and Excel file open passwords are actually
quite strong. Yes?

As a method of preventing casual copying there would be benefit in this. I
imagine:

An install package that places the Excel file in an obscure folder, with
..dat as it's suffix.
A desktop shortcut that starts a vb .exe file, which opens the Excel
spreadsheet by passing in the correct password.

Sure, they're in now, copy and paste. Though even that can be prevented, I
think, within the same instance of Excel.

All the above isn't anything like 'security' but makes casual theft a little
harder.

Mike

 

[JE McGimpsey]

Sure, they're in now, copy and paste. Though even that can be prevented, I
think, within the same instance of Excel.

Nope.

 

[JE McGimpsey]

An install package that places the Excel file in an obscure folder,
with .dat as it's suffix. A desktop shortcut that starts a vb .exe
file, which opens the Excel spreadsheet by passing in the correct
password.

You can wrap it any way you want, but a vendor that *ever* had the
temerity to place my data in a location where I might inadvertently
delete it, would never get my business, or business from any of my
acquaintences again.

 

[Mike MacSween]

Nope.

Yes, you're right.

 

[Mike MacSween]

You can wrap it any way you want, but a vendor that *ever* had the
temerity to place my data in a location where I might inadvertently
delete it, would never get my business, or business from any of my
acquaintences again.

OK, I'll cross you off the mailing list!