18

I understand the purpose of Microsoft Word is not to store secret information.

However, I would rather spread my secret information between a Password Manager and a Word document, each of which has separate secure passwords.

Is a password-protected Word document from Office 365 (2020) sufficiently secure to store financial information?

Wikipedia seems to suggest it is, but I'm still someone who doesn't herald Wikipedia's information as gold-standard.

If Word is not secure enough, are there other alternatives that are non-password manager based that would be secure enough?

elsadek
EML
  • Why exactly? Password managers do exactly the job you need them to do. "Spreading" information isn't a good idea. It's like saying you're worried that a hammer might break, so you drive in half of the nails with a hammer, and half of them with a frozen cucumber. –  Dec 07 '20 at 10:59
  • Please define "secure enough". What is your threat matrix? What attack vectors are you specifically/most concerned about? Are you a security researcher? A VIP or someone with access to sensitive/valuable information at a high level/large scale? Or are you just a fellow security-conscious citizen? If the latter, then a sticky note on your desk is usually "secure enough". – TylerH Dec 07 '20 at 18:25
  • What's your threat model? If you use the same password for your bank as you do for some shady blog site then your bank password is compromised as soon as the blog site gets pwned. This is true regardless of whether the password was stored in Word, a password manager, or a sticky note in a bottle 20,000 leagues under the sea. – MonkeyZeus Dec 07 '20 at 19:44
  • Would you trust an **open source password manager**? – usr-local-ΕΨΗΕΛΩΝ Dec 09 '20 at 11:10
  • Why not ask your bank, or insurer? Could anyone else's view - including mine - be as important as theirs? If they were wholly wrong, wouldn't taking them to court to prove your case be prohibitively expensive? You might be wholly right, yet what about Wikipedia's thoughts do you not like? (By the way, your use is nothing like what "gold-standard" ever meant.) Don't password managers make your hacker's day, giving a single point to attack instead of a separate fight about each account? Don't managers also make remembering your passwords almost impossible? – Robbie Goodwin Dec 10 '20 at 20:47
  • @RobbieGoodwin are you suggesting not to use password managers? – EML Dec 11 '20 at 21:58
  • @EML Yes, very clearly I'm suggesting you never even think about password managers. My understanding is that PWM save users the hassle of remembering 12 or 37 or however many PW and that's the only benefit… Is that wrong? Two parts of that matter greatly. If your management technique increases security, it is applicable to each PW individually. Every PWM I've heard of chunks your secrets into one key, with two glaring downsides. Your PWM is no harder to hack than any individual PW. PWM almost guarantees that should it matter, you would not remember your PW. Ask your SP. – Robbie Goodwin Dec 13 '20 at 01:36

4 Answers

45

By default, Microsoft Office 2016* uses AES-256-CBC with 100000 rounds of SHA1 for password verification using a 16 byte salt. AES256 is currently considered the industry standard by many for symmetric encryption. SHA-1 isn't considered a very secure algorithm for password storage since it's a fast algorithm and can be accelerated massively using GPUs. However, since 100000 iterations are used, this weakness is mitigated to some extent (although it still isn't anywhere near as good as a dedicated password hashing function like bcrypt/argon2), and if you use a strong password, it shouldn't matter either way. So the cryptography used by Office 2016 is strong enough to be currently uncrackable provided a sufficiently strong password is used.

Does having strong encryption make Office a good choice for storing financial information?

Probably not. Word creates lots of temporary files when it opens a document which probably aren't encrypted. These files will usually be recoverable for some time even after they have been deleted and could easily leak the contents of your file unencrypted.


*Office 2013 uses AES-128, which is also perfectly secure.

nobody
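The answer above describes the shape of the scheme (a 16-byte salt, 100000 rounds of SHA-1, a strong password doing the real work) without showing why iteration helps only so much. The following is an added example of my own, not code from the answer or from Microsoft: it models a salted, iterated SHA-1 password verifier in Python and puts a number on the attacker's cost. Assumptions not taken from the page: the password is encoded as UTF-16LE, each round hashes a 4-byte counter with the previous digest, and the attacker hash rate is whatever the caller passes in. It is a simplified model, not Microsoft's exact algorithm.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

# Constructed parameters matching the answer's description of Office 2016:
# a 16-byte random salt and 100000 hash rounds of SHA-1.
SALT_LEN = 16
ITERATIONS = 100000


def stretch_sha1(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated SHA-1 as a simplified model of the Office scheme.

    Assumed (not taken from the page): the password is encoded as UTF-16LE and
    each round hashes a 4-byte little-endian counter with the previous digest,
    so every round depends on the one before it and a single guess cannot be
    parallelised. Different guesses, however, can run in parallel on a GPU.
    """
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(iterations):
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    return h


def make_verifier(password: str, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, verifier) to be stored alongside the encrypted file.

    The per-file random salt is what defeats precomputed (rainbow) tables.
    """
    salt = secrets.token_bytes(SALT_LEN)
    return salt, stretch_sha1(password, salt, iterations)


def check_password(password: str, salt: bytes, verifier: bytes,
                   iterations: int = ITERATIONS) -> bool:
    """Recompute the verifier and compare in constant time."""
    return hmac.compare_digest(stretch_sha1(password, salt, iterations), verifier)


def guess_work(entropy_bits: float, iterations: int = ITERATIONS) -> int:
    """Hash invocations needed to exhaust a password space of the given entropy.

    Iteration multiplies the attacker's cost by `iterations` but adds no
    entropy: a weak password is still found quickly.
    """
    return int(2 ** entropy_bits) * iterations


def seconds_to_exhaust(entropy_bits: float, hashes_per_second: float,
                       iterations: int = ITERATIONS) -> float:
    """Worst-case time for an attacker hashing at `hashes_per_second`.

    The rate is supplied by the caller; no real GPU figure is assumed here.
    """
    return guess_work(entropy_bits, iterations) / hashes_per_second


if __name__ == "__main__":
    salt, verifier = make_verifier("correct horse battery staple")
    print(check_password("correct horse battery staple", salt, verifier))  # True
    print(check_password("wrong", salt, verifier))  # False
    # Compare a 6-character lowercase password (~28 bits) with a 43-character
    # alphanumeric one (256 bits) at a constructed rate of 1e9 SHA-1/s.
    for bits in (28.2, 256):
        print(bits, "bits ->", seconds_to_exhaust(bits, 1e9), "seconds")
```

The point the numbers make: 100000 rounds buy a factor of 10^5 (about 17 bits) against an attacker, which is worth having but is small next to the gap between a short memorable password and a generated one, and it is exactly the factor a dedicated memory-hard function would widen further.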
  • Just FYI, you can [easily remove password protection from Office files](https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project) using VBA. I have done this myself a few times. – TylerH Dec 07 '20 at 18:29
  • @TylerH That's removing simple password protection that uses macros, with no encryption involved. [Protecting the entire document or workbook with a password](https://support.microsoft.com/en-us/office/protect-a-document-with-a-password-05084cc3-300d-4c1a-8416-38d3e37d6826) is completely different: the file is encrypted with the password and the only way to decrypt it is to brute-force the password/encryption. For a sufficiently strong password, this is unfeasible on Office 2013 and above. – nobody Dec 07 '20 at 18:47
  • I have used the methods linked to remove protection from an entire document and workbook before, so no, it's not different. – TylerH Dec 07 '20 at 18:53
  • @TylerH Create a new workbook, enter some random data, encrypt it using the procedure in the link in my comment above and try recovering the contents. If you succeed in breaking the encryption, well then congratulations! You have either found a glaring flaw in Office and Microsoft will surely give you a large bounty, or else you have broken the Advanced Encryption Standard and your name will soon be in the headlines. – nobody Dec 07 '20 at 18:58
  • The first sentence needs a rewrite. It should be like "AES-256-CBC for encryption and SHA-1 for key derivation from password with 100K iterations". Also, massive GPUs also enable parallel runs. The problem with standard cryptographic hash functions when used for password hashing is that they are not memory-hard functions and they are designed to be fast, and we don't want either. It is a shame that MS doesn't use scrypt or PBKDF2 or Argon2 for key derivation from passwords. Also, MS Office uses lots of temporary files that leave data on the disk that is recoverable. – kelalaka Dec 08 '20 at 19:07
  • @kelalaka About the first sentence, it's not really clear to me from Microsoft's documentation whether the 100000 rounds are for password verification or key derivation, so I'm not sure exactly how to phrase that sentence. About the rest, you are absolutely right, but I didn't want to complicate the answer with the exact semantics of what makes a hash weak for passwords, since that's not what this question is about, and it is already covered well in other questions on this site and crypto.se. – nobody Dec 08 '20 at 19:57
  • According to Wikipedia, [SHA1 is used for key stretching](https://en.wikipedia.org/wiki/Microsoft_Office_password_protection#cite_note-msdn.microsoft-2). – kelalaka Dec 08 '20 at 21:11
  • 100,000 iterations of SHA-1 doesn't accomplish diddly. It's just too fast. And for its real intended use case, it should be fast. You also didn't mention "salt". Unsalted SHA-1 hashes are exactly what rainbow tables were created to crack. You need a random, different salt per password at the very least, and you really need to be using an algorithm like scrypt, bcrypt, or at least PBKDF2. I know the question isn't about password hashing, but somebody could also happen across this and get the idea that plain SHA-1 is a good solution for passwords when it isn't, even with multiple passes. – Craig Tullis Dec 09 '20 at 00:39
  • For what it's worth, here's the Microsoft doc on this: https://docs.microsoft.com/en-us/deployoffice/security/cryptography-and-encryption-in-office – Flydog57 Dec 09 '20 at 00:59
  • Also, as a caveat, you don't get the strong AES encryption if you're opening Word documents created with older versions of Word in Word 2013, 2016, or 2019 unless you break compatibility and convert the documents to the latest standard and re-encrypt them. Plus, as you say, the temp files may or may not be fully protected and could expose information. – Craig Tullis Dec 09 '20 at 01:19
  • @kelalaka The docs seem to imply it's for password verification: *specify the number of times to spin (rehash) the password verifier. The default is 100000* – nobody Dec 09 '20 at 06:33
6

A password-protected Word document is absolutely not sufficiently secure to guarantee security. Multiple iterations of Word's password protection have been broken multiple times.

Just use a password manager.

EDIT: I would have ideally expanded on this a little bit, but time was short.

Word 2013 and 2016 moved on from the weak ciphers they used in the past when password protecting documents. The problem is that if you're using backward-compatible document files (.doc, instead of .docx), then you're still using the old broken ciphers. There is also a possibility of the data being exposed in temp files or in memory.

You can attach files, including Word documents, to records in KeePass, LastPass, 1Password, and other password managers.

You can also use whole-disk encryption, like Microsoft's BitLocker, Apple's FileVault if you're on a Mac, or VeraCrypt.

Alternatively, you could use a solution that automatically encrypts all of the files in specific directories. These can be great in conjunction with cloud file services that don't encrypt your files.

Or you could use a cloud file service that does encrypt your files, such as ProtonDrive, or PCloud's encrypted folder option.

As for password managers, KeePass is great. I love it, and it's open source. But I finally moved on to cloud-based password managers because I have three desktop machines (two Windows, one Mac), two laptops (Windows, Mac), a smartphone, and an iPad, plus a VMware server running various other server and workstation instances, and syncing my KeePass file(s) between all of the devices where I need access just became a pain in the neck. I researched LastPass, initially, and satisfied myself that they're doing the cryptography right. Later, I checked out 1Password in depth and came to the same conclusion. There are others. I'm not trying to make product endorsements here.

Craig Tullis
  • What do you mean by "use a password manager"? Use a password manager like KeePass to store the financial information? How can you use it to store financial information? – robertspierre Dec 07 '20 at 03:46
  • @raffaem Many, if not all, password managers allow you to store notes and unstructured data. – schroeder Dec 07 '20 at 09:37
  • @craig the title of the question was about passwords, but the body of the question was about storing non-password data. – schroeder Dec 07 '20 at 09:38
  • @raffaem you mention KeePass, which I use. It's ideal as a secure notebook for small pieces of information. For example, I've used it to take a note of bank account details (on my phone) to later transfer money. I don't know if the "notes" field has a size limit, but it holds plenty of plaintext. The only possible worry is shoulder-surfing of this information on the desktop version, as it's displayed in the clear in the "edit entry" view. But of course that would be the case in Word too. – Chris H Dec 08 '20 at 08:45
  • This is the first I'm getting back to this. KeePass is great. Honestly, so are cloud services LastPass and 1Password, and they're more convenient. Password-protected Office documents just aren't up to the task. If you need to store more data than KeePass, LastPass, 1Password, or another password manager permits you to store, first consider that you can attach files to all of those solutions. So just attach your Word doc to a record in your password manager. Failing that, look into encrypted file storage solutions. Cloud offerings include things like ProtonDrive and PCloud's encrypted folder. – Craig Tullis Dec 09 '20 at 00:43
  • @Craig's right. I went for KeePass over a cloud-based option for a few reasons: I sometimes need to retype rarely-used machine logins in a basement with poor signal; I need(ed) Windows/Linux/Android support; I don't trust cloud services enough for my master copy, only for convenience/syncing. My KeePass database syncs over Dropbox (I don't put much faith in the minimal additional outer layer of security Dropbox provides). I haven't tested KeePass attachments as I don't have to transport the little truly confidential data I have - but they're an option, as are "string fields". – Chris H Dec 09 '20 at 15:53
  • @ChrisH KeePass attachments work just fine. ;-) – Craig Tullis Jan 14 '21 at 20:42
  • Nice one @Craig, thanks. Maybe I should photograph my IDs etc. and store them in there. – Chris H Jan 14 '21 at 20:57
  • @ChrisH you certainly could! – Craig Tullis Jan 14 '21 at 20:58
2

To echo Craig:

No, it is in no way secure. You need to use a Password Manager or other appropriate database with sufficient encryption to protect financial or other sensitive data.

In addition, it at least used to be trivial to get past password-protected Office documents.

0

You can switch to LibreOffice, in this case, LibreOffice Writer, and the Open Document Format.

LibreOffice allows you to encrypt documents with GPG keys, which, as far as I know, are very secure.

Of course you should also use a Password Manager (like KeePass) in conjunction, to generate the long alphanumeric password needed to open the document, and store that password in the Password Manager.

The length of the password would depend on the password generation process and the length of the cipher you use.

If you use a 256-bit cipher, you would need a password with 256 bits of entropy.

There are 26 letters in the English alphabet, so if you use an alphanumeric case-sensitive password, you have 26*2+10 = 62 possible characters for each slot in the password.

Given a password of length N, the entropy of such a password would be:

log2(62^N) = N·log2(62) = 256 ⇒ N = 256/log2(62) ≈ 43 characters.

Didier L
robertspierre
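The entropy calculation in the answer above, carried out in code as an added example of my own (not part of the answer): the same formula, generalised to any alphabet and any target bit count, plus a generator that actually produces a password of the required length. The only assumption beyond the answer is that each character is drawn uniformly at random, which is what makes the log2 formula valid; Python's `secrets` module is used for that.

```python
import math
import secrets
import string

# The answer's alphabet: 26 lowercase + 26 uppercase + 10 digits = 62 symbols.
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols.

    log2(alphabet_size ** length) = length * log2(alphabet_size); this only
    holds when every symbol is chosen uniformly and independently.
    """
    return length * math.log2(alphabet_size)


def required_length(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches target_bits (the answer's N, rounded up)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character uniformly with the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_for_cipher(key_bits: int, alphabet: str = ALPHANUMERIC) -> str:
    """Password whose entropy matches the cipher's key size, as the answer recommends."""
    return generate_password(required_length(key_bits, len(alphabet)), alphabet)


if __name__ == "__main__":
    n = required_length(256, len(ALPHANUMERIC))
    print(n, "characters give", entropy_bits(n, len(ALPHANUMERIC)), "bits")  # 43, ~256.0
    print(password_for_cipher(256))
```

Note that `required_length` rounds up: 42 alphanumeric characters fall just short of 256 bits, so 43 is the first length that matches the key, and a 128-bit key would need 22.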
  • Is Word not sufficient? You don't cover that part. – schroeder Dec 07 '20 at 09:36
  • One of the very few advantages of Word is that a recent version is available on almost all corporate systems, even fairly heavily monitored/restricted ones (similarly, I've worked in places where Office VBA was the only programming environment). – Chris H Dec 08 '20 at 08:50
  • @ChrisH You'd be crazy to edit your own personal documents, particularly security-sensitive ones, on a corporate system. – Craig Tullis Dec 09 '20 at 01:48
  • @Craig they're not necessarily personal documents in the Q. I sometimes forget what it's like in other places - I'm in academia now, where the line between personal and work isn't all that clear and people have always done personal stuff on work systems/email accounts, but even when I worked in industry (in the UK), working on something like a personal budget, or typing some personal correspondence in your lunch break on a work machine, would have been accepted. – Chris H Dec 09 '20 at 06:44
  • @ChrisH I suspect what Craig is referring to is not "are you *allowed* to do reasonable personal stuff on a work computer" but more like "is it a good idea, since your employer would have the right to go looking through your stuff". Depending on the employer, that can be a real concern - in my experience, the larger the company the more likely that the network, etc. will be secure (because they have the staff to do things right), but at the same time the more control they exert over your work computer, including any "personal" items on it. – manassehkatz-Moving 2 Codidact Dec 09 '20 at 07:14
  • @manassehkatz-Moving2Codidact My examples were meant to be those where the company (HR, payroll, possibly line manager) would know something already but you might not want immediate colleagues to know. Here in the UK we have greater employee protections, including relating to privacy and monitoring, though contracts often amount to consent to some monitoring. I'd certainly draw the line well short of content that could lead to disciplinary action or redundancy (e.g. job hunting), though I think I wrote my last resignation letter on the work PC for reasons of timing - but they already knew. – Chris H Dec 09 '20 at 08:49