password protection

[Suzanne S. Barnhill]

Which version of Word? Recent versions use the password to encrypt the
document, and they are *very* secure.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

 

[r_mervart]

How safe is a passport protected Word document from unauthorised opening?

Thanks
roman

 

[r_mervart]

Which version of Word? Recent versions use the password to encrypt the
document, and they are *very* secure.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

opening?

It is Word 2000 (9.0.3821 SR-1) , a part of Microsoft Office 2000

Roman

 

[Suzanne S. Barnhill]

Should be adequately secure.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

 

[Graham Mayor]

An 8 digit password with random characters and case will keep the best of
the password crackers occupied for more time than anyone but a government
agency would think worth the effort.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web site www.gmayor.com

<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[r_mervart]

Should be adequately secure.

An 8 digit password with random characters and case will keep the best of
the password crackers occupied for more time than anyone but a government
agency would think worth the effort.

So how secure would be such Word document sent to a personal website or just
to an
e-mail address (my own) and left in a "hold" folder which I could create.
This would enable
be an access from anywhere to my personal data at effectively no cost

Roman

 

[Suzanne S. Barnhill]

See Graham's reply.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

 

[Graham Mayor]

It doesn't matter where you save it, the security applied is the same.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web site www.gmayor.com

<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[Avalon]

Hi Guys

Sorry to contradict you Word Gods but cracking passworded
documents is a piece of cake even if the document was
passworded in Word 2003.

This is due to a lovely bug that was around back in the
Word 2000 days and a 3rd party piece of software.

All you have to do, to gain access to a form passworded
document is:

1. Open a blank document
2. Goto Insert\File
3. Select the pasworded file
4. Click Insert button

Result: The contents and formatting of the passworded
file are inserted into the new document and the password
has been removed.

The Microsoft knowledge base acknowledges this to be a
problem LMAO and that's all


The 3rd party piece of software out there that cracked all
MS passwords including the VBA ones is called

"Advanced Office Password Remover".

The reason i know all the above is, i work for a technical
authoring company that writes military documents and
security is very important to us. We finally came to the
conclusion that the only way to secure a word document is
to PDF it.

That said the company that produces the office password
remover also produces a PDF password remover (grrrrrrrrr).

If you guys find a solution to the above cracks please
post a reply, as they are a real problem for my industry.

regards

Avalon

 

[Graham Mayor]

The form issue is well known. It doesn't allow you to crack the original
document, but it allows you to create an unprotected copy. This is well
documented.

The encryption on Word documents protected against opening is *much* more
secure. There are lots of tools available to crack the passwords - there is
one I have tested linked from my web site - but they all have the same
problem. If the password is complex then they resort to brute force methods
to crack, and this can take a long time.

The demos of these apps. are all limited to a password of 4 characters which
they crack in an impressively short time. Make that password 8 or more
characters and use random characters and symbols with random case changes
and the time scale is dramatically extended. Only the really determined are
likely to persevere.


--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web site www.gmayor.com

<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[Chad DeMeyer]

A little more detail on making a password harder to crack:

Four types of characters can be used in constructing a password:
a.. Upper case alphabetic (A-Z)
b.. Lower case alphabetic (a-z)
c.. Numeric (0-9)
d.. Special (e.g., /?#$@*, etc.)
Use at least three of these types.
Don't use common words.
Use passwords of at least 8 characters.

Regards,
Chad

 

[r_mervart]

The form issue is well known. It doesn't allow you to crack the original
document, but it allows you to create an unprotected copy. This is well
documented.

Does not creation of an unprotected copy have in the end the same result as
cracking the original document. Unprotected presumably means that you
can open and read the contents of the copy?.

Roman

 

[Suzanne S. Barnhill]

But no one ever argued that forms protection provides any kind of security.
The security comes with "password to open," in which the password is used as
a key to encrypt the entire document.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

 

[Graham Mayor]

The whole point of a form is that you can open, read it and complete it. The
protection is to deter casual users from altering the layout of the form. If
you put a password to prevent opening of the form then you would have a hard
(but ultimately not impossible) time getting into it.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web site www.gmayor.com

<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[r_mervart]

The whole point of a form is that you can open, read it and complete it. The
protection is to deter casual users from altering the layout of the form. If
you put a password to prevent opening of the form then you would have a hard
(but ultimately not impossible) time getting into it.

Just to make sure that I got it right.
1. If I protect a Word document by a password then it is fully protected
from being opened, read and altered and from being in some way made into an
unprotected copy as long as the password is not cracked.
2. More complex password -> better protection
3. Password protection remains with the document regardless where it is
stored, e.g. website, e-mail server

Roman

 

[Graham Mayor]

1. Yes - if you can't *open* the document, you can't do anything with it.
2. Yes
3. Yes

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web site www.gmayor.com

<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[Suzanne S. Barnhill]

To clarify (from Word's Help):

About using passwords

Passwords have a number of uses; for example, you can:

* Require a password to open a file to prevent unauthorized users from
opening a document at all.

* Require a password to modify a file to allow others to open the
document but only allow authorized users to make changes to it. If someone
changes the document without the password to modify, that person can save
the document only by giving it a different file name.

Note Requiring a password to modify a file does not encrypt the contents
of the file.

When you create a "password to open" document, write the password down and
keep it in a secure place. If you lose the password, you cannot open or gain
access to the password-protected file.

Passwords are case-sensitive, so if you vary the capitalization when you
assign the password, users must type the same capitalization when they enter
the password.

A password can contain any combination of letters, numerals, spaces, and
symbols, and it can be up to 15 characters long. If you select advanced
encryption options, you can make a password even longer.

Use strong passwords that combine upper- and lowercase letters, numbers, and
symbols. Weak passwords don't mix these elements. Strong password: Y6dh!et5.
Weak password: House27. Use a strong password that you can remember so that
you don't have to write it down.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

 

[Graham Mayor]

If you are going to scramble the document as well as encrypt it, then is
there any point in saving the document at all?
If the thing is so secret, don't put it anywhere the public have access.
As for top v bottom posting, there are advocates of both here. As long as
your message is clear and readable I don't think any of us really care which
way round you do it. personally I prefer not to have to wade through a load
of stuff to get to the meat of the message.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web site www.gmayor.com

<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[r_mervart]

OK, seems clear now. I suppose it would be even better, in addition to
relying on the password that the document will not be opened, to
additionally scramble in some way or at least disguise the contents before
closing it. In that way, even if someone managed to somehow crack the
password, there would be a second layer of protection.

By the way, do you top post in this group? Elsewhere I was usually told off
for doing that and also told to get rid of the OE (which I did not do)

Roman

 

[r_mervart]

What I have in mind is data such as bank account details including PIN
numbers and passwords - and I have number of various accounts, credit cards
etc. There is no way I could remember it all. At the moment all is held on
paper which is not really very safe and because it is on paper it has become
rather messy. Should we be burglared and this paper document was found I
would be in a deep trouble. So I am looking for a good electronically
editable alternative to my Filofax. If it was held only locally on my
computer (backed up, of course) it does not allow me to get to some
information that I might need while abroad.

Roman