Excel Security

Kevin

I learnt that if anyone forgets the password of an Excel
file (same to Word or Access files), he can easily get it
back by using a tool. Does it mean the Excel file
security feature is not trustworthy ? Any suggestion for
a real file access protection ?

Thanks and regards,
Kevin
 
Lady Layla

Don't keep a copy of the file accessible by anyone but yourself.




 
Frank Kabel

Hi Kevin
this is correct. Excel's password protection is quite weak (do a Google
search for 'Excel password remover'). You can't protect Excel files for
real determined users

One way would be in a Network Environment to apply the security on OS
level (access rights to the file/directory)
 
JE McGimpsey

I wouldn't say that file protection is "untrustworthy" - it does what it
purports to do, provide reasonably strong protection against opening the
file without the proper password.

However, that doesn't mean it's necessarily "secure". All security is
relative - a bank vault is both trustworthy and reasonably secure, but
you can get into a vault given access, tools and enough time.

Similarly, with file protection, there are tools to crack passwords.
Given a reasonably fast computer and enough time, the cracking
application can find your password - XL can't tell whether you entered
the password or a cracker did.

If you use a dictionary word as your password, it may take seconds to
hours to find the right one. If you use a nonsensical string of
alphanumeric and punctuation characters, it can take from minutes to
years, depending on how long the password is.

If you're trying to keep proprietary information out of the hands of
your competitors, the breakpoint currently is around 8-9 random
characters - less than that may be worth it to them to try to crack,
more than that won't generally be cost-effective.

If you're the target of a government probe for arms-dealing, you may
want to add a few characters.

Note, however, that password protection does not encrypt your file.
Using a hex editor, it is still perfectly simple to read any text you've
entered in your sheets, along with making some good guesses about your
formulae. VBA can similarly be reconstructed. It's all a matter of how
badly someone wants your information.

For "real file access protection", encrypting the file with PGP, using a
2048-bit password, is probably adequate for at least the next 10 years.
Be sure you do a secure erase of the free area of your hard drive,
though. I've recovered more than one file from a temp file, or the
original copy that was put in the trash, even if the trash was
subsequently emptied.
 
Jim Rech

> Excel's password protection is quite weak

News to me, Frank. If I send you a password protected file how long will it
take you to break it? How about a day? For $100? You're on!<g>

--
Jim Rech
Excel MVP
 
Frank Kabel

Hi Jim
depends on the length of your password and the program I'll buy to
crack it :)
 
Jim Rech

I may have obscured my point by being too cute. Excel's file (save as)
encryption is "state-of-the-art". The weakness in it, as with any password
system, is with the user. If he picks "dog" then it will fail in short
order against a dictionary attack. But with an unguessable/undictionaryable
password like "@eT6z:Fhq~" then this should stand up for millennia even
against a super-computer.

So I think your statement "Excel's password protection is quite weak" is not
really correct.

This is not to be confused with the Tools, Protection password system, which
does not involve encryption and which is very weak.

--
Jim Rech
Excel MVP

 
Frank Kabel

Hi Jim
though I agree with you that this PWD protection is as good as others
it does not encrypt the file contents (at least to my knowledge) so a
hex editor should be quite helpful.
Though I agree my statement wasn't that correct :)
 
Jim Rech

> it does not encrypt the file contents


It most certainly does, Frank. Not _all_ of the file (the OLE container
headings are still readable and I do not believe the VB project is encrypted
either) but the workbook/worksheet streams within the container are.

Try this at your leisure. Take a good sized workbook (with no VB project)
and save a version using file locking - use one of the RC4 methods. Then
zip up each of the two files. You should find that the original shrunk many
times more than the encrypted one. This is because there are few "patterns"
that the archiver can use to compact the file.


Jim Rech
Excel MVP
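
The zip comparison Jim Rech describes above can be run as a repeatable check. This is an added example, not part of the original thread: the RC4 routine is a textbook stand-in for "one of the RC4 methods" (not Excel's actual key derivation or stream layout), and the sample rows, key and function names are constructed for illustration.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; a stand-in cipher only, not Excel's key derivation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream XORed onto the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def deflate_ratio(data: bytes) -> float:
    """Compressed size / original size under DEFLATE, the method zip uses."""
    return len(zlib.compress(data, 9)) / len(data)

def looks_encrypted(data: bytes, threshold: float = 0.95) -> bool:
    """True when the bytes barely shrink, i.e. no patterns are left to exploit."""
    return len(data) > 0 and deflate_ratio(data) >= threshold

def file_looks_encrypted(path: str) -> bool:
    """Same check for a saved workbook on disk (path supplied by the caller)."""
    with open(path, "rb") as fh:
        return looks_encrypted(fh.read())

# Constructed sample data: repetitive worksheet-like rows, and the same bytes
# after the stand-in cipher with a made-up key.
PLAIN = b"".join(
    b"Row%05d;Widget;Frankfurt;%d.00;=SUM(B2:B9)\n" % (n, n % 97)
    for n in range(5000)
)
CIPHER = rc4(b"constructed-key", PLAIN)

if __name__ == "__main__":
    for name, blob in (("unprotected", PLAIN), ("encrypted", CIPHER)):
        print(f"{name:12s} ratio={deflate_ratio(blob):.3f} "
              f"looks_encrypted={looks_encrypted(blob)}")
```

A high ratio only shows that the bytes are pattern-free; files that are already compressed score the same way, so compare against an unprotected copy of the same workbook, as the post does.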
 
Harlan Grove

> I may have obscured my point by being too cute. Excel's file (save as)
> encryption is "state-of-the-art". The weakness in it, as with any password
> system, is with the user. If he picks "dog" then it will fail in short
> order against a dictionary attack. But with an unguessable/undictionaryable
> password like "@eT6z:Fhq~" then this should stand up for millennia even
> against a super-computer.
...

Gee, I guess that puts the NSA out of business. And, if true, it begs the
question why there's continuing research into quantum and genetic encryption
algorithms.
 
Jim Rech

I shouldn't have said super-computer. I meant fast desktop PC.

--
Jim Rech
Excel MVP
 
JE McGimpsey

I was mistaken - it's still perfectly possible to reconstruct your VBA
code, but the worksheets themselves are encrypted.

I don't know whether the encryption algorithm for the worksheets is the
same as for the password, so I don't know how strong it is.
 
JE McGimpsey

Well, DOD classifies the Mac G5 as a supercomputer...

and the third fastest supercomputer in the US was built with massively
parallel G5's.
 
Harlan Grove

> Well, DOD classifies the Mac G5 as a supercomputer...
>
> and the third fastest supercomputer in the US was built with massively
> parallel G5's.
...

And some of the other fast systems are based on clusters of (Gasp!) what would
be mid-level PCs if they weren't also massively parallel. However, I don't think
many readers of this ng will rush to set up several hundred CPU clusters just to
decrypt Excel files.
 
Jim Rech

The bottom line being that if you use a good password with one of the newer
encryption algorithms available in Excel you are likely safe against Joe
Smoe buying an XLS password breaker, running it on his home/office PC and
getting into your file any time soon.

--
Jim Rech
Excel MVP
 
Harlan Grove

Jim Rech said:
> The bottom line being that if you use a good password with one of
> the newer encryption algorithms available in Excel you are likely
> safe against Joe Smoe buying an XLS password breaker, running it
> on his home/office PC and getting into your file any time soon.
....

Agreed. On the other hand, it'd likely take a government agency a bit less
than a millennium to crack it. Security adequate against other individuals,
but it won't keep the black helicopters at bay.
 
