How Secure is Excel?
Microsoft Office password protection is a security feature to protect Microsoft Office (Word, Excel, PowerPoint) documents with a user-provided password. As of Office 2007, this uses modern encryption; earlier versions used weaker systems and are not considered secure. Office 2007–2013 employed 128-bit key AES password protection which remains secure.
Apr 14, 2017 I just want to note for a few other people that there is a difference between cracking a password to open an Excel file, and a password that locks data within a spreadsheet/workbook. Most of the cracking tools you see out there for Excel 2010.
There is not a great deal of documentation out there about how Excel handles password security; however, concerns always seem to be brought up about how safe files really are while using the built-in password protection. I am in no way an expert in security or encryption, but thanks to a little research, I believe I can fill you in on how Excel stores your passwords and whether your worksheet and workbook level protections are really safe.
Microsoft intentionally designed the protection of its Excel worksheet and workbook levels (accessed via the Review tab in the Excel Ribbon) in order to provide a backdoor to models or files that analysts may have accidentally been locked out of. By taking this route, they made the decision not to make the encryption for those levels very strong. However, Microsoft did make the Excel file level protection extremely strong, and if this password were to be lost, the file would be rendered useless.
Digging Into Excel's OpenXML Code
Many don't know this, but every individual Excel file is really a .zip file. Don't believe me? Go to one of your Excel files on your computer and change its extension from .xlsx to .zip. Magically your Excel file is transformed into a bunch of files with lots and lots of computer (OpenXML) code! This is important to know, as this is where you can dig into how an Excel file is made up. Likewise, if you understand how these zipped files are written and organized, you can determine settings, data, and even password information made by the user who created the Excel file. I won't go into detail on where to find the password information; however, I will show you an example of how the code is written in both Excel 2007-2010 and in the more secure Excel 2013 version.
What Are Hashes?
Here's a fun fact: Excel does not actually store the password you input! Like most password protection software out there, the Excel Application stores a string of data called a Hash. A Hash is the output from a Hash Algorithm (complicated mathematical equation) that turns any user-generated password into a jumbled-up string of (seemingly) meaningless characters. The XML code below was inside a workbook where I used the password 'SpreadsheetGuru' to protect a blank worksheet.
Sheet 1 of workbook with sheet protected using SpreadsheetGuru as the password in Excel 2007
Notice that the phrase 'SpreadsheetGuru' is nowhere to be found. However, there is a small four-letter password within the code. This is Excel's hash value that was created from the input of SpreadsheetGuru into its Hash Algorithm. Since Microsoft chose to make the hash length so small, there are only a limited number of combinations the hash can be (the hash is made up of only numerical and alphanumerical characters). This means that there are multiple passwords that can unlock a worksheet protected with the password SpreadsheetGuru. For example, you could protect a spreadsheet with the password SpreadsheetGuru but unlock it with the password AABBAAAABAB@. These two phrases output the same hash in Excel's Hashing Algorithm. Essentially, this means that there are multiple passwords that can unlock an Excel 2010 or prior worksheet. Below is another illustration of how simplistic the password protection is prior to Excel 2013.
To determine a usable password for a locked Excel worksheet or workbook, a hacker can use a Brute-Force attacking program to cycle through all the possible hash values. Since the hashes are so short, there is a very manageable number of combinations the program would need to test on the desired file. With today's computers, this would only take a few seconds and can easily be accomplished with an Excel VBA macro. Needless to say, if you want to protect sensitive information or intellectual property, Excel workbook and worksheet protection is probably not the best solution to use within versions prior to 2013.
Excel 2013 Increased Its Security
With the release of Excel 2013, Microsoft made a more considerable effort to increase the protection of its workbooks and worksheets. Take a look at what the Excel 2013 OpenXML code looks like in comparison to the OpenXML code shown for the Excel 2007 version while using the same password: SpreadsheetGuru.
Notice that the Hash is much longer and more complex than the four-character-long string in prior versions of Excel. This is great news, as the added complexity means every unique password you can possibly enter no longer shares a hash value with other passwords.
Encryption In Excel
Notice also that the Microsoft developers added an additional variable to the password information, called a Salt Value. Salt adds another layer of protection by adding a meaningless string of characters to the user generated password. Look at the diagram below and see how adding a salt value ensures a more complex password entering into the Hash Algorithm.
Microsoft took its Salt value one step further and made it variable so that every time a password is entered by a user, the stored Salt value is different. For example, I protected two spreadsheets in the same Excel 2013 workbook with the password SpreadsheetGuru. Notice below that both sets of code have different Salt values, which ended up giving the two spreadsheets different hash values. If the hacker does not know the unique Salt value, it is much harder to reverse engineer which password was generated by the user. By incorporating a Salt value, a hacker's computation goes from processing thousands of combinations to BILLIONS of combinations. This provides a much more secure way of protecting your spreadsheet work via Excel 2013.
Sheet 1 of workbook with sheet protected using SpreadsheetGuru as the password in Excel 2013
Sheet 2 of workbook with sheet protected using SpreadsheetGuru as the password in Excel 2013
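The salting described above, as an added example that is not code from the original post or from Microsoft: two sheets protected with the same password get different random salts and therefore different stored hashes. The attribute names (algorithmName, saltValue, hashValue, spinCount), the use of SHA-512, the 100,000 iteration count and the round structure are assumptions about the Excel 2013 scheme, since the page does not show them.

```python
import base64
import hashlib
import hmac
import os

SPIN_COUNT = 100_000  # assumed iteration count; not stated on the page

def sheet_hash(password, salt, spin_count=SPIN_COUNT):
    """Salted, iterated SHA-512 over the UTF-16LE encoded password."""
    digest = hashlib.sha512(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        # Each round hashes the previous digest plus a 32-bit counter.
        digest = hashlib.sha512(digest + i.to_bytes(4, "little")).digest()
    return digest

def protect(password):
    """Build the stored attributes: a fresh random salt plus the hash."""
    salt = os.urandom(16)
    return {
        "algorithmName": "SHA-512",
        "saltValue": base64.b64encode(salt).decode(),
        "hashValue": base64.b64encode(sheet_hash(password, salt)).decode(),
        "spinCount": SPIN_COUNT,
    }

def verify(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = base64.b64decode(stored["saltValue"])
    expected = base64.b64decode(stored["hashValue"])
    candidate = sheet_hash(password, salt, stored["spinCount"])
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    sheet1 = protect("SpreadsheetGuru")
    sheet2 = protect("SpreadsheetGuru")
    print("same salt:", sheet1["saltValue"] == sheet2["saltValue"])
    print("same hash:", sheet1["hashValue"] == sheet2["hashValue"])
    print("password verifies on both:",
          verify("SpreadsheetGuru", sheet1) and verify("SpreadsheetGuru", sheet2))
```

The salt is written to the file next to the hash, so what it buys is that equal passwords no longer produce equal hashes and precomputed tables stop working; the iteration count is what slows down each guess.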
Understanding How To Control Your Password Protection Strength
This is probably the most important part of this article as it is vital that you understand how secure your workbooks and worksheets are. While Excel's password security is still relatively simple (from an experienced computer hacker's point of view) to break, there is now a huge gap in the level of security provided by versions of Excel prior to 2013 versus the versions following 2010.
The strength of security depends on which version of Excel you apply the protection in, NOT the version the file was created in.
For example, if you created a password protected worksheet in Excel 2007 then unlocked & re-locked the same spreadsheet in Excel 2013, your worksheet would now have Excel 2013 level password protection (with the longer Hash and Salt Values). This scenario would obviously work in your favor, as Excel 2013 security is much harder to get past. However, the opposite could happen, where you decrease the protection strength of a file by re-protecting an Excel 2013 file inside of Excel 2010. This would place your protection in grave danger, as there are a lot of free macros floating around out there that can easily break into an Excel 2010 or 2007 protected file. If you have sensitive files that were protected in Excel 2010 or earlier, you may want to go back and re-protect them in Excel 2013 to obtain this higher level of security for your workbooks.
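To find the files that need re-protecting, you can open the workbook as a .zip and check which kind of password attributes each protection element carries. This is an added example, not code from the original post; the sample workbook is constructed in memory with placeholder hash values, and the attribute names it looks for (password, workbookPassword, hashValue, workbookHashValue) are the ones assumed for the short and the salted formats.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
PROTECTION_TAGS = {NS + "sheetProtection", NS + "workbookProtection"}

def classify(attrs):
    """Label a protection element by the password attributes it carries."""
    names = [name.lower() for name in attrs]
    if any(n.endswith("hashvalue") for n in names):
        return "salted hash (Excel 2013 style)"
    if any(n.endswith("password") for n in names):
        return "legacy short hash (re-protect in Excel 2013)"
    return "protected without a password"

def audit(xlsx_bytes):
    """Return (part name, element, verdict) for every protection element."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/") and part.endswith(".xml")):
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                if elem.tag in PROTECTION_TAGS:
                    findings.append((part, elem.tag[len(NS):], classify(elem.attrib)))
    return findings

def build_sample():
    """Constructed workbook parts; hash and salt values are placeholders."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns}><workbookProtection lockStructure="1"/></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><sheetProtection password="ABCD" sheet="1"/></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet {ns}><sheetProtection algorithmName="SHA-512" '
                                    f'hashValue="PLACEHOLDER" saltValue="PLACEHOLDER" spinCount="100000" sheet="1"/></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for part, element, verdict in audit(build_sample()):
        print(f"{part}: {element}: {verdict}")
```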
You May Also Want To Check Out!
My Password Recovery add-in will allow you to recover any lost password that was protected within Excel 2010 and prior. The add-in runs in Excel 2007 - 2013 and can even remove passwords from multiple worksheet tabs at the same time! Proceeds from this add-in go towards paying the costs to run this website and keeping it AD-FREE! So check out the promotional page by clicking the button below to see if this add-in can ease your pain of dealing with forgotten worksheet passwords.
You can learn more by visiting the Promo Page: http://www.thespreadsheetguru.com/passwordrecovery Re-gain access to your valuable Excel worksheets and workbooks that were protected by an Excel 2007 or 2010 program. Also remove the protection of any regularly protected VBA project!
Although there are Office 2013 settings to change how encryption is performed, when you encrypt Open XML Format files (.docx, .xlsx, .pptx, and so on) the default values — AES (Advanced Encryption Standard), 128-bit key length, SHA1, and CBC (cipher block chaining) — provide strong encryption and should be fine for most organizations.
Quoted from http://technet.microsoft.com/en-us/library/cc179125.aspx . I can't figure out where the setting to change how encryption is performed is.
Is there any possible way to change the encryption algorithm being used instead of the default AES-128?
Thanks.
iridescent
2 Answers
Before I tell you how, let me first repeat the advice from... everywhere... and say don't. Unless you have a really, really good reason, don't change the encryption settings from the default, because it's going to cause you a lot of headaches, and probably not provide much benefit.
Having said that, the encryption behavior in Office is controlled through the registry, so that's where you need to go.
- You can use the Office Customization Tool.
  - The Office Customization Tool (OCT) reference for Office 2013 is here.
    The OCT is available only with volume licensed versions of Windows Installer-based Office 2013, Office 2010, and the 2007 Office system.
  - The document you quoted in your question is referencing options in the OCT, so that's probably why you can't find them - they're not configured through any particular Office application.
- Download and use the Office 2013 Administrative Template files.
  - The documentation for your available settings and what they do is here.
- You can edit the registry.
  - The registry key that controls the Office encryption settings is:
    HKCU\Software\Policies\Microsoft\Office\14.0\Common\Security
    - It's a REG_SZ data type, and the value should be something like: Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
    - The formatting of the key value is comma separated values for the cryptographic provider, the encryption algorithm and key length.
    - Changes to this key only take effect if you don't have crypto compatibility mode set (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Security\Crypto\CompatMode - a value of 1 means compatibility mode is on, a value of 0 means it's off).
In Access 2013
Under File - Options - Client Settings (scroll to the bottom)...
Encryption Method = Use legacy
Dr Yunke