Password protection

[PaulB]

I'm not a user of MS Office. A friend brought up a question this morning that no one present could answer. He wondered if an Office document that was password protected simply denied access in the absence of the password, or if the document was also encrypted so as to be unreadable through other means. If it is encrypted, how strong is the encryption?

[stuck]

As far as I know Office uses only simple password protection, there is no encryption. Certainly it is trivial to bypass the password on an Excel file. House rules don't allow me to explain how nor do I advocate you doing it unless you are confident you are not doing anything illegal by so doing. If you are still curious I'm sure you know how to use Google.

Ken

[StuartR]

This depends on the office version you use. Here is a short excerpt from Microsoft 2007 Office system Document Encryption Improvements

Password protection is not a new concept in the Microsoft 2007 Office system, but it has been made stronger and easier to use. Previous versions of Microsoft Office used an RC4 stream cipher with a key length of up to 128 bits. The problem with this approach was that when changes are made to the encrypted document and the document is saved, the initialization vector (IV) remains unchanged and the same keystream is used to encrypt subsequent versions of the encrypted document. This weakness in the implementation of the RC4 encryption algorithm made it possible for hackers compare two versions of a password-protected file to discover the contents and allow unauthorized users to read its contents. A number of software companies took advantage of these limitations to make “password recovery utilities” that could decrypt RC4-protected documents. Obviously, it was time to move to a now a new means of encrypting documents.

Microsoft 2007 Office system document encryption is a significant improvement. The encryption information block is the same as in previous versions of Office, but the Microsoft 2007 Office system uses the Advanced Encryption Standard (AES) encryption, which is the strongest industry-standard algorithm available and was selected by the National Security Agency (NSA) to be used as the standard for the U.S. Government, AES has a default 128-bit key (which can be increased to 256-bit via the Windows Registry) and uses SHA-1 hashing. In addition, The Microsoft 2007 Office system improves the algorithm of converting passwords into keys: 50,000 SHA-1 sequential iterations are performed.

[HansV]

Stuck is correct that encryption of Word documents, Excel workbooks etc. was easily bypassed in earlier versions of Office. Recent versions, however, offer strong encryption that is much harder to break.

[PaulB]

Not looking to steal any state secrets here! My friend said that he stored account names and passwords in a password protected Excel file. That provoked a discussion of whether or not this was 'good enough' security for storing this information. From the responses above I take it that it is, provided he uses Office 2007 or later.

Thank you all.

[HansV]

Yes, an encrypted Excel 2007/2010 (.xlsx, .xlsm or .xlsb) workbook with a sufficiently long password that cannot easily be guessed should be safe enough.

[Argus]

It started to get better in Office 2003 (and XP), even if the default encryption method, for compatibility reasons, was the 97/2000 technique; one had (and have) to select "Advanced". So one could add that with a good, strong, encryption type and a "strong" password, 2002 and 2003 are much better than earlier versions, and running with default settings.

2007 and onwards uses a strong encryption by default, as mentioned.

(Excel 7 (a.k.a. 95) etc. was and is very simple.)

[stuck]

My friend said that he stored account names and passwords in a password protected Excel file.

Ah! In that case there are more appropriate alternatives. I use Password Safe simple, effective and the price is right but there are lots of similar applications out there.

Ken