Workbook password security

[GPO]

I've been asked to oversee the implementation of a process where
organisations would send us sensitive client data via password protected
Excel workbooks (i.e. the workbook would have the password on it, not the
sheets contained therein.

This worries me because it was always my understanding that Excel was never
intended to function as a secure data repository and should not be used that
way. Having said that, my recent reading leads me to believe that it is the
WORKSHEET passwords that are easily worked around, not the WORKBOOK
passwords. From what I can gather, the only thing that can get around the
workbook passwords are dictionary and brute force attacks (there appears to
be no back door around the passwords). If this is the case then would it be
reasonable to assume that a highly randomised 12-character (for instance)
password containing upper and lowercase, numeric and special characters,
would be an adequate foil against both dictionary and brute force attacks?

Also, when a password is applied to a workbook, what encryption algorithm is
used (eg AES 256 bit)?

 

[GPO]

A clarification: When I say WORKBOOK password, I mean the one accessed via
File > Save As > Tools > General Options

as opposed to the one under Tools > Protection > Protect Workbook... (which
looks to be something entirely different).

The other thing I forgot to mention is that the idea is that these
organisations could be sending me workbooks created in any version of Excel
from 2000 onward.

Regards

GPO

 

[Alan]

Workbook passwords can be cracked easily by software costing very little.
Type 'Excel Password' into Google and you'll find dozens of them.
No matter what password you enter, Excel converts it to one of (I think)
16,000 codes, I may have the figure wrong, but I know its not many. Not
enough to make a brute force attack take too long anyway.
I'm not sure if this has been improved in 2007.
Alan.

Regards,
Alan.

 

[Tyro]

If you want secure files, look into some professional encryption software
and use that to deal with your Excel files. Of course, the organisations
would also have to have the software. I would not depend on Excel to do the
job.

Tyro

 

[GPO]

Sorry to be pedantic, but I thought the "easy-to-crack" passwords were the
ones set under Tools > Protection, not the ones under File > Save As > Tools

General Options

Are you confirming that the latter are also easy to crack?

One last question. Has Microsoft published any papers on the limitations of
their Excel passwords? It's one thing for me to cite newsgroup corro as
evidence, but it becomes an entirely more substantial argument if I can quote
Microsoft themselves.

Thanks again

GPO

 

[Alan]

Yes I am, there's VB code freely available on these newsgroups which will
crack a worksheet password in five minutes. What I was referring to was the
workbook protection, the one you defined as Tools > Protection > Protect
Workbook.

I've never seen any documentation from Microsoft, hopefully someone else has
and will reply,
Alan.

 

[Alan]

Have a look here,

http://www.j-walk.com/ss/excel/faqs/protectionFAQ.htm
http://reviews.cnet.com/4520-3513_7-5662635-1.html
http://www.dotxls.com/excel-security/23/
http://office.microsoft.com/en-us/excel/HP052388541033.aspx

In the Microsoft document it describes all the functions, but there's a
disclaimer saying it can't protect against those who have malicious intent!

Alan.

 

[Gord Dibben]

Have a look at John McGimpsey's site for some thoughts on cracking file-open
passwords.

http://www.mcgimpsey.com/excel/fileandvbapwords.html

Nothing there from Microsoft you can quote, however.


Gord Dibben MS Excel MVP

 

[GPO]

You are a good chap Alan! Thanks for going to all this effort.