Microsoft Office password protection
Microsoft Office password protection is a security feature that allows Microsoft Office documents (e.g. Word, Excel, PowerPoint) to be protected with a user-provided password.
Types
There are two types of passwords that can be set on a document:[1]
- A password to encrypt a document restricts opening and viewing it. This is possible in all Microsoft Office applications. Since Office 2007, such passwords are hard to break if a sufficiently complex password is chosen.[citation needed] If the password can be determined through social engineering, the underlying cipher is not important.
- A password that does not encrypt the document but restricts modification. This kind of protection can be circumvented.[2]
  - In Word and PowerPoint the password restricts modification of the entire document.[3]
  - In Excel passwords restrict modification of the workbook, a worksheet within it, or individual elements in the worksheet.
History of Office encryption
Weak encryptions
In Excel and Word 95 and prior editions, a weak protection algorithm is used that converts the password to a 16-bit verifier and a 16-byte XOR obfuscation array[1] used as the key.[4] Hacking software is now readily available to find the 16-byte key and decrypt the password-protected document.[5]
Office 97, 2000, XP and 2003 use RC4 with a 40-bit key.[4] The implementation contains multiple vulnerabilities rendering it insecure.[5]
In Office XP and 2003 the option to use a custom protection algorithm was added.[4] Choosing a non-standard Cryptographic Service Provider (CSP) allows increasing the key length. Weak passwords can still be recovered quickly even when a custom CSP is used.
AES since Office 2007
In Office 2007, protection was significantly enhanced by using AES as a cipher.[4] The password is stretched into a 128-bit key by applying the SHA-1 hash function 50,000 times before the document is opened; as a result, the time required to crack it is vastly increased, similar to PBKDF2, scrypt or other KDFs.[citation needed]
Office 2010 employed AES and a 128-bit key, but the number of SHA-1 conversions doubled to 100,000.[4]
Office 2013 uses 128-bit AES, again with hash algorithm SHA-1 by default.[6] It introduces SHA-512 hashes in the encryption algorithm, making brute-force and rainbow table attacks slower.[citation needed]
Office 2016 uses, by default, 256-bit AES, the SHA-2 hash algorithm, 16 bytes of salt and CBC (cipher block chaining).[7]
Attacks that target the password include dictionary attacks, rule-based attacks, brute-force attacks, mask attacks and statistics-based attacks. Attacks can be sped up through multiple CPUs, also in the cloud, and GPGPU (applicable only to Office 2007-10 documents).[citation needed]
Excel worksheets and macro protection
The protection for worksheets and macros is necessarily weaker than that for the entire workbook, as the software itself must be able to display or use them.[citation needed]
For XLSX files that can be opened but not edited, there is another attack. Because the file format is a group of XML files within a ZIP archive, unzipping it, editing the workbook.xml file (and/or the individual worksheet XML files) and replacing them with otherwise identical copies in which the unknown key and salt are replaced with a known pair, or removed altogether, allows the sheets to be edited.[citation needed]
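The distinction drawn above between an encrypted file and one that is only edit-restricted can be checked from the container itself. The following is an added example, not part of the original article: it assumes the OOXML element names `sheetProtection` and `workbookProtection`, detects encryption by a simple heuristic (the OLE header plus the `EncryptedPackage` stream name) rather than by parsing the container, and runs on a constructed sample workbook.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # OLE compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name used for encrypted OOXML
PROT_TAG = re.compile(rb"<(?:\w+:)?(sheetProtection|workbookProtection)\b([^>]*)>")
ATTR = re.compile(rb'(\w+)="')
MAX_XML = 50 * 1024 * 1024  # skip oversized members instead of inflating them

def scheme(attrs: bytes) -> str:
    """Name the password scheme from the attribute names on a protection tag."""
    keys = {k.decode() for k in ATTR.findall(attrs)}
    if keys & {"password", "workbookPassword"}:
        return "legacy-hash"      # short unsalted verifier
    if keys & {"hashValue", "workbookHashValue"}:
        return "salted-hash"      # algorithmName / saltValue / spinCount form
    return "no-password"          # lock flag only

def classify(data: bytes) -> dict:
    """Say whether an Office file is encrypted or only edit-restricted."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for the stream name rather than parsing the container.
        return {"kind": "encrypted" if ENC_STREAM in data else "ole-unknown", "findings": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"kind": "not-office", "findings": []}
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".xml") or info.file_size > MAX_XML:
                continue
            for tag, attrs in PROT_TAG.findall(z.read(info)):
                findings.append((info.filename, tag.decode(), scheme(attrs)))
    return {"kind": "edit-restricted" if findings else "unprotected", "findings": findings}

def sample_xlsx() -> bytes:
    """Constructed sample: one protected workbook part, one protected sheet, one plain sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", '<workbook><workbookProtection lockStructure="1" workbookPassword="CAFE"/></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", '<worksheet><sheetProtection algorithmName="SHA-512" hashValue="AAAA" saltValue="BBBB" spinCount="100000" sheet="1"/></worksheet>')
        z.writestr("xl/worksheets/sheet2.xml", "<worksheet><sheetData/></worksheet>")
    return buf.getvalue()

if __name__ == "__main__":
    print(classify(sample_xlsx()))
```

A result of `edit-restricted` means the content is readable by anyone who can open the file, so such documents should not be treated as confidential on the strength of their password.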
References
1. "[MS-OFFCRYPTO] Office Document Cryptography Structure" (PDF). Microsoft Corporation. 2021-10-05. pp. 60–65. Archived (PDF) from the original on 2023-04-11.
2. "How to Open a Password-Protected Excel File". wikihow.com. Retrieved 2024-01-24.
3. "Password protect documents, workbooks, and presentations". Office.microsoft.com. Retrieved 26 December 2012.
4. "Microsoft Office File Format Documents". Msdn.microsoft.com. Retrieved 26 December 2012.
5. Wu, Hongjun (2005). "The Misuse of RC4 in Microsoft Word and Excel" (PDF). Institute for Infocomm Research, Singapore.
6. "Cryptography and encryption settings for Office 2013". docs.microsoft.com. 26 December 2016. Retrieved 4 July 2018.
7. DHB-MSFT. "Cryptography and encryption in Office 2016". docs.microsoft.com. Retrieved 2018-12-07.