 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussionsAccessExcelInfoPathOutlookPowerPointPublisherWordDirectoryUser Groups Related Topics Outlook ExpressInternet ExplorerWindowsMS Server ProductsMore Topics ... |
MS Office Forum / Word / Programming / April 2007Word doc Security?
I wanted to get the groups expert advice on how secure MS Word document security really is? For example, I have an open password, modify password and the document is password protected with the restriction of filling in forms and my VBA code is passwod protected. In my specific case I am using Word 2003, but soon testing and converting my app to Word 2007. I have heard of many free or cheap programs to crack MS word password protection but have no real experience of this. 1.) Does one encryption type versus another on the open password really matter? If so, what is the most secure? 2.) Is there added security benefits in Word 2007 for the open, modify and protected document password? 3.) What would your advice be for securing a protected form template in the most secure method to keep unauthorized users from using or modifying the app? Thanks. The password cracking applications you may find on the web are all very well if you use the four digit passwords that they allow for trial versions, but if you use a seriously strong password, and the highest level of encryption, the security will deter all but the most determined. *Any* password can be cracked if you have the time and processing power, merely by checking every possible combination. Some of the tools available will do that.  Signature<>>< ><<> ><<> <>>< ><<> <>>< <>><<> Graham Mayor - Word MVP My web site www.gmayor.com Word MVP web site http://word.mvps.org <>>< ><<> ><<> <>>< ><<> <>>< <>><<> > I wanted to get the groups expert advice on how secure MS Word > document security really is? For example, I have an open password, [quoted text clipped - 16 lines] > > Thanks. > The password cracking applications you may find on the web are all very well > if you use the four digit passwords that they allow for trial versions, but [quoted text clipped - 33 lines] > > - Show quoted text - Graham, thanks for your input. I agree that the best option is to select and use as strong as passwords as possible. Do you know where I can get information on the maximum length of each password (open, modify, doc protection, vba)? It seems that if you use the longest and most complex password that it would be more secure that way. Do you know if the password lengths or encryption types were revised for Word 2007? >I wanted to get the groups expert advice on how secure MS Word > document security really is? For example, I have an open password, That one is reasonably secure, provided you choose a strong passord > modify password In practice, that is useless - it doesn't stop the user from copying and pasting to a new document and saving the results. Its only use is a protection against accidentally modifying the file. > and the document is password protected with the > restriction of filling in forms That is also largely useless. Use Insert, File to include the file in another file and the protection is gone. > and my VBA code is passwod protected. That is relatively easily crackable if you have the right tools, even if you use a strong password. > In my specific case I am using Word 2003, but soon testing and > converting my app to Word 2007. What I have described applies to Word 2003 and earlier. I don't know whether things are improved in Word 2007, but I rather doubt it. > I have heard of many free or cheap > programs to crack MS word password protection but have no real [quoted text clipped - 5 lines] > 2.) Is there added security benefits in Word 2007 for the open, modify > and protected document password? Not really. They exist primarily to make it harder to make accidental changes. They aren't a protection against malicious changes. > 3.) What would your advice be for securing a protected form template > in the most secure method to keep unauthorized users from using or > modifying the app? Move as much code as possible out of VBA and into an VB6 ActiveX DLL. Only leave little bits of code in the VBA project that are needed to make calls to the DLL. If it is for a specific corporation, get the agreement of IT and personnel to make it clear that malicious tampering with the template is a disciplinary offence. SignatureRegards Jonathan West - Word MVP www.intelligentdocuments.co.uk Please reply to the newsgroup Keep your VBA code safe, sign the ClassicVB petition www.classicvb.org Additional info: There's a very nice password checker at http://www.microsoft.com/athome/security/privacy/password_checker.mspx that will tell you how strong a password is. For the open password, it's important to click the Advanced button and choose a method that is NOT either "Weak encryption (XOR)" or the default "Office 97/2000 compatible" -- neither of those is in any sense secure. I'd suggest the "Enhanced DSS and Diffie-Hellman Cryptographic Provider" with a key length of at least 128 bits. SignatureRegards, Jay Freedman Microsoft Word MVP FAQ: http://word.mvps.org Email cannot be acknowledged; please post all follow-ups to the newsgroup so all may benefit. >> I wanted to get the groups expert advice on how secure MS Word >> document security really is? For example, I have an open password, [quoted text clipped - 48 lines] > personnel to make it clear that malicious tampering with the template > is a disciplinary offence. > Additional info: > [quoted text clipped - 68 lines] > > - Show quoted text - Thanks everyone for your assistance. I did want to know if anyone knows the maximum length of passwords for open, modify and document protect? I want to use the longest passwords possible in combonation with strong passwords to help deter any malicious minded people. I figure if they are going to break in at least I will make them work for it... I know that nothing is ever fully secure, but at least I want to do the most that I can within the context of what MS Word will allow. Thank you. > Thanks everyone for your assistance. I did want to know if anyone > knows the maximum length of passwords for open, modify and document [quoted text clipped - 4 lines] > want to do the most that I can within the context of what MS Word will > allow. I can't say if it's the same in all those cases (it's probably not), but you should be aware that the VBA password is simply stored as an XX-char hash of the original. The allows a brute-force algorithm that can crack 'em in seconds. Fwiw... Signature.NET: It's About Trust! http://vfred.mvps.org > Thanks everyone for your assistance. I did want to know if anyone > knows the maximum length of passwords for open, modify and document [quoted text clipped - 4 lines] > want to do the most that I can within the context of what MS Word will > allow. In Word 2000, the forms protection, file open and file modify passwords all have a practical maximum length of 15 characters - anything more is ignored. The VBA project password has a maximum of 32 characters - again, anything longer is ignored. I don't have a copy of Word 2003 to hand to try, but I'm 90% sure it is the same there. SignatureRegards Jonathan West - Word MVP www.intelligentdocuments.co.uk Please reply to the newsgroup Keep your VBA code safe, sign the ClassicVB petition www.classicvb.org > The VBA project password has a maximum of 32 characters - again, anything > longer is ignored. And, even at that, it's only stored as a 12-character hash. One _so_ lame, that only 194,560 possibilities exist. How long does a modern computer take to run through that many loops? :-( Signature.NET: It's About Trust! http://vfred.mvps.org I don't propose to go into any kind of detail in a public forum but, as I'm sure both Karl and Jonathan know, it is not necessary to crack the actual password at all to be able to access VBA projects. SignatureEnjoy, Tony >> The VBA project password has a maximum of 32 characters - again, anything >> longer is ignored. > > And, even at that, it's only stored as a 12-character hash. One _so_ > lame, that only 194,560 possibilities exist. How long does a modern > computer take to run through that many loops? :-( > I don't propose to go into any kind of detail in a public forum but, as I'm > sure both Karl and Jonathan know, it is not necessary to crack the actual > password at all to be able to access VBA projects. Exactly. It's a damned crime, really. I've had folks drop their jaw when I showed them how easy it was to get into their code. We'd be discussing how to fix something, I'd have an "encrypted" copy "to see the behavior", they'd want me to sign an NDA to see the source... I'd tell 'em what routine needed to be patched up and how. "Huh, wha...the...f...?" Heh... Sad. Though, that revelation often gets me a job exposing the valued algorithms from a VB6 DLL. >>> The VBA project password has a maximum of 32 characters - again, anything >>> longer is ignored. [quoted text clipped - 5 lines] >> .NET: It's About Trust! >> http://vfred.mvps.org Signature.NET: It's About Trust! http://vfred.mvps.org I would also add a warning here that Word 2007 does not offer all the options for strong encryption that Word 2003 does for .doc (Word 97-2003 format) files although it claims (I haven't tested the claim so can't pass comment on it) to offer stronger encryption for .docx ("Word 2007 format) files. SignatureEnjoy, Tony > Additional info: > [quoted text clipped - 60 lines] >> personnel to make it clear that malicious tampering with the template >> is a disciplinary offence. |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.