 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussionsAccessExcelInfoPathOutlookPowerPointPublisherWordDirectoryUser Groups Related Topics Outlook ExpressInternet ExplorerWindowsMS Server ProductsMore Topics ... |
MS Office Forum / Excel / New Users / April 2008Workbook password security
I've been asked to oversee the implementation of a process where organisations would send us sensitive client data via password protected Excel workbooks (i.e. the workbook would have the password on it, not the sheets contained therein. This worries me because it was always my understanding that Excel was never intended to function as a secure data repository and should not be used that way. Having said that, my recent reading leads me to believe that it is the WORKSHEET passwords that are easily worked around, not the WORKBOOK passwords. From what I can gather, the only thing that can get around the workbook passwords are dictionary and brute force attacks (there appears to be no back door around the passwords). If this is the case then would it be reasonable to assume that a highly randomised 12-character (for instance) password containing upper and lowercase, numeric and special characters, would be an adequate foil against both dictionary and brute force attacks? Also, when a password is applied to a workbook, what encryption algorithm is used (eg AES 256 bit)? A clarification: When I say WORKBOOK password, I mean the one accessed via File > Save As > Tools > General Options as opposed to the one under Tools > Protection > Protect Workbook... (which looks to be something entirely different). The other thing I forgot to mention is that the idea is that these organisations could be sending me workbooks created in any version of Excel from 2000 onward. Regards GPO > I've been asked to oversee the implementation of a process where > organisations would send us sensitive client data via password protected [quoted text clipped - 14 lines] > Also, when a password is applied to a workbook, what encryption algorithm is > used (eg AES 256 bit)? Workbook passwords can be cracked easily by software costing very little. Type 'Excel Password' into Google and you'll find dozens of them. No matter what password you enter, Excel converts it to one of (I think) 16,000 codes, I may have the figure wrong, but I know its not many. Not enough to make a brute force attack take too long anyway. I'm not sure if this has been improved in 2007. Alan. Regards, Alan. >A clarification: When I say WORKBOOK password, I mean the one accessed via > File > Save As > Tools > General Options [quoted text clipped - 37 lines] >> is >> used (eg AES 256 bit)? Sorry to be pedantic, but I thought the "easy-to-crack" passwords were the ones set under Tools > Protection, not the ones under File > Save As > Tools > General Options Are you confirming that the latter are also easy to crack? One last question. Has Microsoft published any papers on the limitations of their Excel passwords? It's one thing for me to cite newsgroup corro as evidence, but it becomes an entirely more substantial argument if I can quote Microsoft themselves. Thanks again GPO > Workbook passwords can be cracked easily by software costing very little. > Type 'Excel Password' into Google and you'll find dozens of them. [quoted text clipped - 47 lines] > >> is > >> used (eg AES 256 bit)? Yes I am, there's VB code freely available on these newsgroups which will crack a worksheet password in five minutes. What I was referring to was the workbook protection, the one you defined as Tools > Protection > Protect Workbook. I've never seen any documentation from Microsoft, hopefully someone else has and will reply, Alan. > Sorry to be pedantic, but I thought the "easy-to-crack" passwords were the > ones set under Tools > Protection, not the ones under File > Save As > [quoted text clipped - 76 lines] >> >> is >> >> used (eg AES 256 bit)? Have a look here, http://www.j-walk.com/ss/excel/faqs/protectionFAQ.htm http://reviews.cnet.com/4520-3513_7-5662635-1.html http://www.dotxls.com/excel-security/23/ http://office.microsoft.com/en-us/excel/HP052388541033.aspx In the Microsoft document it describes all the functions, but there's a disclaimer saying it can't protect against those who have malicious intent! Alan. > Sorry to be pedantic, but I thought the "easy-to-crack" passwords were the > ones set under Tools > Protection, not the ones under File > Save As > [quoted text clipped - 76 lines] >> >> is >> >> used (eg AES 256 bit)? You are a good chap Alan! Thanks for going to all this effort. > Have a look here, > [quoted text clipped - 87 lines] > >> >> is > >> >> used (eg AES 256 bit)? Have a look at John McGimpsey's site for some thoughts on cracking file-open passwords. http://www.mcgimpsey.com/excel/fileandvbapwords.html Nothing there from Microsoft you can quote, however. Gord Dibben MS Excel MVP >Sorry to be pedantic, but I thought the "easy-to-crack" passwords were the >ones set under Tools > Protection, not the ones under File > Save As > Tools [quoted text clipped - 62 lines] >> >> is >> >> used (eg AES 256 bit)? If you want secure files, look into some professional encryption software and use that to deal with your Excel files. Of course, the organisations would also have to have the software. I would not depend on Excel to do the job. Tyro > I've been asked to oversee the implementation of a process where > organisations would send us sensitive client data via password protected [quoted text clipped - 20 lines] > is > used (eg AES 256 bit)? |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.