Microsoft Excel - Password Protection

Password Protection

Microsoft Excel protection offers several types of passwords:

  • password to open a document
  • password to modify a document
  • password to unprotect worksheet
  • password to protect workbook
  • password to protect the sharing workbook

All passwords except the password to open a document can be removed instantly, regardless of the Microsoft Excel version used to create the document. These types of passwords are used primarily for shared work on a document. Such password-protected documents are not encrypted, and data derived from the set password is saved in the document’s header. The password to protect a workbook is an exception – when it is set, the document is encrypted with the standard password “VelvetSweatshop”, but since that password is publicly known, it does not add any extra protection to the document. The only type of password that can prevent a trespasser from gaining access to a document is the password to open a document. The cryptographic strength of this kind of protection depends strongly on the Microsoft Excel version that was used to create the document.
In Microsoft Excel 95 and earlier versions, the password to open is converted to a 16-bit key that can be instantly cracked. In Excel 97/2000 the password is converted to a 40-bit key, which can also be cracked very quickly using modern equipment. The success rate of this operation is 100%. Services that use rainbow tables (e.g. Password-Find) take up to several seconds to remove the protection. In addition, password-cracking programs can brute-force passwords at a rate of hundreds of thousands of passwords a second, which lets them not only decrypt a document but also find the original password. In Excel 2003/XP the state of affairs is slightly better – a user can choose any encryption algorithm that is available in the system (see Cryptographic Service Provider). Due to the CSP, an Excel file can't be decrypted, and thus the password to open can't be removed, though the brute-force attack speed remains quite high. Nevertheless, the older Excel 97/2000 algorithm is set by default. Therefore, users who did not change the default settings lack reliable protection of their documents. The situation changed fundamentally in Excel 2007, where the modern AES algorithm with a key of 128 bits started being used for decryption, and a 50,000-fold use of the hash function SHA1 reduced the speed of brute-force attacks down to hundreds of passwords per second. In Excel 2010, the default strength of the protection was increased two times thanks to the use of a 100,000-fold SHA1 to convert a password to a key.
Conclusion: Currently, reliable protection is provided only for documents saved in the Office 2007/2010 format with a strong password to open set on them.
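
The effect of the 50,000-fold and 100,000-fold SHA1 described above can be measured with a short key-stretching loop. This is an added example, not code from the original page or from Microsoft: the hash layout (salt plus UTF-16LE password, then a 32-bit little-endian counter prepended each round) is an assumption taken from the published MS-OFFCRYPTO description, the final key-derivation step is omitted, and the function names, salt and password are constructed.

```python
import hashlib
import struct
import time

SPIN_2007 = 50_000    # iteration count the page gives for Excel 2007
SPIN_2010 = 100_000   # iteration count the page gives for Excel 2010


def stretch_password(password: str, salt: bytes, spin_count: int) -> bytes:
    """Iterated SHA-1 over a salted password (layout assumed from MS-OFFCRYPTO)."""
    # H0 = SHA1(salt || password as UTF-16LE)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    # Hn = SHA1(LE32(n) || Hn-1). Every round needs the previous round's output,
    # so one guess always costs spin_count + 1 sequential SHA-1 calls.
    for n in range(spin_count):
        digest = hashlib.sha1(struct.pack("<I", n) + digest).digest()
    return digest


def seconds_per_guess(spin_count: int, trials: int = 3) -> float:
    """Best-of-N wall-clock time to stretch one candidate password."""
    salt = bytes(range(16))  # constructed 16-byte sample salt
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        stretch_password("constructed-sample-password", salt, spin_count)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)  # guard against a zero reading from a coarse timer


def compare_work_factors() -> dict:
    """Map each spin count to measured single-thread guesses per second."""
    return {spin: 1.0 / seconds_per_guess(spin) for spin in (0, SPIN_2007, SPIN_2010)}


if __name__ == "__main__":
    for spin, rate in compare_work_factors().items():
        print(f"spin_count={spin:>7}: about {rate:,.0f} guesses/s on this machine")
```

Absolute rates from pure Python are far below those of optimized implementations; the ratio between the unstretched and stretched cases is what the measurement shows.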
