Microsoft Word and Excel password protection

Microsoft Office password protection is a security feature to protect Microsoft Office documents (Word, Excel, PowerPoint) with a user-provided password.


Types

There are two groups of passwords that can be set on a document:
* A password to encrypt a document restricts opening and viewing it. This is possible in all Microsoft Office applications. Since Office 2007 such passwords are hard to break if a sufficiently complex password was chosen. If the password can be determined through social engineering, the underlying cipher is not important.
* Passwords that do not encrypt, but restrict modification. They can be circumvented easily.
** In Word and PowerPoint the password restricts modification of the entire document.
** In Excel passwords restrict modification of the workbook, a worksheet within it, or individual elements in the worksheet.


History of Office Encryption


Weak encryptions

In Excel and Word 95 and prior editions a weak protection algorithm is used that converts a password to a 16-bit verifier and a 16-byte XOR obfuscation array (page 60/119) key. Hacking software is now readily available to find a 16-byte key and decrypt the password-protected document, because the scheme is only like a Vigenère cipher. They can be cracked instantly with the help of precomputation tables.

Office 97, 2000, XP and 2003 use RC4 with 40 bits. The Office algorithm contains multiple vulnerabilities rendering it insecure. RC4 itself is also now considered to be weak. The protection presents no difficulties to hacking software. In Office XP and 2003 an opportunity to use a custom protection algorithm was added. Choosing a non-standard Cryptographic Service Provider (CSP) allows increasing the key length. Weak passwords can still be recovered quickly even if a custom CSP is on.


AES since Office 2007

In Office 2007 (Word, Excel and PowerPoint), protection was significantly enhanced since a modern protection algorithm named Advanced Encryption Standard (AES) was used. At present there is no software that can break this encryption. The password is stretched into a 128-bit key by applying the SHA-1 hash function 50,000 times before the document is opened; as a result, the time required to crack it is vastly increased, similar to PBKDF2, scrypt or other KDFs.

Excel and Word 2010 employed AES and a 128-bit key, but the number of SHA-1 conversions doubled to 100,000. Office 2013 (Access, Excel, OneNote, PowerPoint, Project, and Word) uses 128-bit AES, again with hash algorithm SHA-1 by default. Office 2013 introduces SHA-512 hashes in the encryption algorithm, making brute-force and rainbow table attacks slower. Office 2016 (Access, Excel, OneNote, PowerPoint, Project, and Word) uses 256-bit AES, the SHA-1 hash algorithm, and CBC (Cipher Block Chaining) by default.

Attacks that target the password include dictionary attack, rule-based attack, brute-force attack, mask attack and statistics-based attack. Attacks can be sped up through multiple CPUs, also in the cloud, and GPGPU (applicable only to Microsoft Office 2007–2010 documents).
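
An added example, not code from the original page or from Microsoft: a simplified model of the iterated SHA-1 stretching described above, with a worst-case cost estimate for the 50,000 and 100,000 iteration counts. The salt-then-counter hash layout, the function names and the 1e9 hashes-per-second rate are assumptions for illustration; this is not the byte-exact Office key derivation.

```python
import hashlib
import struct


def stretch_password(password: str, salt: bytes, spin_count: int,
                     key_bits: int = 128, hash_name: str = "sha1") -> bytes:
    """Iterated-hash key stretching (simplified model, assumed layout)."""
    h = hashlib.new(hash_name, salt + password.encode("utf-16-le")).digest()
    if key_bits // 8 > len(h):
        raise ValueError("digest is shorter than the requested key")
    for i in range(spin_count):
        # Prefixing the round counter makes every round's input distinct.
        h = hashlib.new(hash_name, struct.pack("<I", i) + h).digest()
    return h[: key_bits // 8]


def seconds_to_exhaust(alphabet_size: int, length: int, spin_count: int,
                       hashes_per_second: float) -> float:
    """Worst-case time to try every password of one length at a given hash rate."""
    guesses = alphabet_size ** length
    hashes_per_guess = spin_count + 1  # salted first hash + spin_count rounds
    return guesses * hashes_per_guess / hashes_per_second


def compare_spin_counts(alphabet_size: int = 62, length: int = 8,
                        hashes_per_second: float = 1e9) -> dict:
    """Years to exhaust the keyspace for the iteration counts named on the page."""
    year = 365 * 24 * 3600
    counts = {"unstretched": 0, "Office 2007": 50_000, "Office 2010": 100_000}
    return {name: seconds_to_exhaust(alphabet_size, length, n,
                                     hashes_per_second) / year
            for name, n in counts.items()}


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt
    print(stretch_password("correct horse", salt, 50_000).hex())
    for name, years in compare_spin_counts().items():
        print(f"{name:12s} {years:16.4f} years")
```

The estimate scales linearly with the iteration count and exponentially with password length, which is why a short password stays recoverable even with stretching.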


Excel worksheets and macro protection

The protection for worksheets and macros is necessarily weaker than that for the entire workbook, as the software itself must be able to display or use them. For xlsx files that can be opened but not edited, there is another attack, because the file format is a group of XML files within a zip: unzipping the file, then editing and replacing the workbook.xml file and/or the individual worksheet XML files with identical copies in which the unknown key and salt are replaced with a known pair, or in which the key is removed altogether, allows the sheets to be edited.
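
An added example, not code from the original page: an audit check that tells an encrypted Office file apart from an xlsx that carries only edit restrictions, whose contents stay readable as plain XML inside the zip. The function names, the status labels, the UTF-16 "EncryptedPackage" heuristic and the sample package are assumptions made for this illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name (heuristic)
PROTECTION_TAG = re.compile(
    rb"<(?:\w+:)?(sheetProtection|workbookProtection)\b[^>]*>")


def audit_office_file(data: bytes) -> dict:
    """Classify a file: encrypted, edit-restriction only, or unprotected."""
    if data.startswith(OLE_MAGIC):
        status = "encrypted" if ENC_STREAM in data else "legacy-or-other-ole"
        return {"container": "ole", "status": status, "parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "status": "unrecognised", "parts": []}
    parts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "xl/workbook.xml" or name.startswith("xl/worksheets/"):
                for m in PROTECTION_TAG.finditer(zf.read(name)):
                    parts.append((name, m.group(1).decode()))
    status = "edit-restriction-only" if parts else "unprotected"
    return {"container": "zip", "status": status, "parts": parts}


def build_sample_xlsx() -> bytes:
    """Constructed minimal package (not a complete workbook) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml",
                    '<workbook><workbookProtection lockStructure="1" '
                    'workbookHashValue="PLACEHOLDER" '
                    'workbookSaltValue="PLACEHOLDER"/></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml",
                    '<worksheet><sheetData/><sheetProtection sheet="1" '
                    'hashValue="PLACEHOLDER" saltValue="PLACEHOLDER"/>'
                    '</worksheet>')
        zf.writestr("xl/worksheets/sheet2.xml",
                    "<worksheet><sheetData/></worksheet>")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_office_file(build_sample_xlsx()))
```

A result of `edit-restriction-only` means the data is not confidential and the restriction should not be relied on as an access control; files that need confidentiality should use the encrypting password instead.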

