6

With a strong password of 10+ characters, mixed case, etc... is the encryption of an Excel 2007 document secure enough to create reasonably strong defense against a brute force attack?

What encryption method does Excel 2007 employ?

Anders
  • 64,406
  • 24
  • 178
  • 215
v15
  • 1,741
  • 4
  • 16
  • 18

2 Answers

10

According to the Microsoft whitepaper and a few other MSDN blog sources, the following specs are defined:

  • Key derivation is performed using 50,000 iterations of SHA-1 (source) (increased to 100k in SP2).
  • Uses a 16-byte (128-bit) random salt.
  • AES is the block cipher used to encrypt the document.
  • By default, 128-bit keys are used. There is a registry tweak to change this to 256-bit.
  • The AES block cipher is implemented in Microsoft's CSP / CryptoAPI.

Older versions of Office use RC4, which is now deprecated and not recommended.

In summary, I'd say yes, with a good password this is going to be difficult to crack.

Modern GPU hash cracking tools can reach around 3.2 billion hashes per second on a powerful graphics card. With the default options, the KDF used will reduce that to roughly 64k hashes per second.

Assuming ten characters (a-z, A-Z, 0-9) you're looking at a key space of 840,000,000,000,000,000 (8.4x10^17) possible passwords, so that's around 210 thousand years before you hit a 50% likelihood of cracking the password.

If you're storing financial information, take a look at these registry tweaks for Office 2007 SP2 that allow you to alter some security parameters. For a decent increase in security, set the CipherKeyBits value to 256, and the PasswordSpinCount value to 1,000,000 or higher. At that point, I'd personally trust it to be reasonably safe against even determined attackers. If you're super-paranoid, you could always put the files in a TrueCrypt volume too!

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • Thanks for that info, I couldn't seem to find that anywhere. With that being said, is it reasonable to assume this encryption method is adequate for storing financial information in a spreadsheet? – v15 Jul 26 '12 at 15:56
  • 3
    @zm15 If you're storing financial information, take a look at these [registry tweaks](http://blogs.msdn.com/b/david_leblanc/archive/2009/05/20/office-2007-sp2-encryption-settings.aspx) for Office 2007 SP2 that allow you to increase the KDF iteration count and cipher key bits. Set the `CipherKeyBits` value to 256, and the `PasswordSpinCount` value to 1000000. At that point, I'd *personally* trust it to be safe. If you're super-paranoid, you could always stick the files in a TrueCrypt volume too! – Polynomial Jul 26 '12 at 15:59
  • Great, thanks Polynomial! If I change these settings in the registry on a PC, and open it on a Mac, will the document still be that strong? Or will it only apply on the Windows PC where I changed the registry? – v15 Jul 26 '12 at 16:27
  • @zm15 Yes, it'd still be strong. The iteration count is stored as part of the hash. – Polynomial Dec 10 '12 at 15:03
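The key derivation the answer above lists (SHA-1, 16-byte salt, 50,000 spins, 128-bit AES key) written out as an added example; this is not code from the answer or from Microsoft, it follows the ECMA-376 "standard encryption" steps as described in MS-OFFCRYPTO. The salt and password are constructed, the 3.2 GH/s SHA-1 rate is the figure quoted in the answer, and the AES-ECB decryption of the file's EncryptedVerifier that a real crack needs to confirm a guess is left out (the standard library has no AES). It also carries the answer's arithmetic through for the 50,000, 100,000 and 1,000,000 spin counts so the effect of the PasswordSpinCount tweak is visible.

```python
"""ECMA-376 standard-encryption password-to-key derivation (Office 2007 default),
reconstructed from the MS-OFFCRYPTO description. Standard library only; the
AES-ECB verifier check a real file requires is not included."""
import hashlib
import struct
import time

SPIN_COUNT_DEFAULT = 50_000   # Office 2007 default per the answer (SP2 raised it to 100,000)


def derive_key(password: str, salt: bytes, spin_count: int = SPIN_COUNT_DEFAULT,
               key_bytes: int = 16) -> bytes:
    """Return the AES key for password/salt.

    H0     = SHA1(salt || UTF-16LE(password))
    Hn     = SHA1(LE32(n) || H(n-1))          for n = 0 .. spin_count-1
    Hfinal = SHA1(Hn || LE32(0))               (block number 0)
    X1     = SHA1((0x36 * 64) XOR Hfinal)
    X2     = SHA1((0x5C * 64) XOR Hfinal)
    key    = (X1 || X2)[:key_bytes]            16 bytes for AES-128, 32 for AES-256
    """
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):                      # the expensive part: spin_count SHA-1 calls
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + struct.pack("<I", 0)).digest()
    padded = h_final.ljust(64, b"\x00")              # 20-byte digest in a 64-byte buffer
    x1 = hashlib.sha1(bytes(b ^ 0x36 for b in padded)).digest()
    x2 = hashlib.sha1(bytes(b ^ 0x5C for b in padded)).digest()
    return (x1 + x2)[:key_bytes]


def sha1_calls_per_guess(spin_count: int = SPIN_COUNT_DEFAULT) -> int:
    """SHA-1 invocations an attacker pays per password guess (H0, spins, Hfinal, X1, X2)."""
    return 1 + spin_count + 1 + 2


def guesses_per_second(raw_sha1_per_second: float, spin_count: int = SPIN_COUNT_DEFAULT) -> float:
    """Raw hash rate of a cracking rig divided by the per-guess cost of this KDF."""
    return raw_sha1_per_second / sha1_calls_per_guess(spin_count)


def years_to_half_keyspace(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Expected years to reach a 50% chance of hitting a random password of this shape."""
    keyspace = charset_size ** length
    seconds = (keyspace / 2) / guesses_per_sec
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed 16-byte salt
    t0 = time.perf_counter()
    key = derive_key("Tr0ub4dor&3!", salt)                      # constructed password
    dt = time.perf_counter() - t0
    print(f"AES-128 key: {key.hex()}  ({dt * 1000:.0f} ms for one derivation on this CPU)")
    for spins in (50_000, 100_000, 1_000_000):
        gps = guesses_per_second(3.2e9, spins)                  # 3.2 GH/s SHA-1 from the answer
        years = years_to_half_keyspace(62, 10, gps)
        print(f"spin {spins:>9,}: {gps:>10,.0f} guesses/s -> {years:,.0f} years "
              f"to 50% for 10 chars of [a-zA-Z0-9]")
```

At the default spin count the 3.2 GH/s figure collapses to roughly 64,000 guesses per second and the 62^10 keyspace comes out near 208,000 years, matching the answer; raising PasswordSpinCount to 1,000,000 cuts the attacker to about 3,200 guesses per second. Note that the cost scales linearly with the spin count, so the same multiplier applies to a weak password: 50,000 spins do nothing for a password that sits in the first few million entries of a wordlist.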
1

Already answered on Super User, so just let me quote that answer:

When I lost my Excel password, I did quite a bit of research only to find out that all password recovery programs can't guarantee successful restoration of a lost password. If the password was long and complex, it may take years for them to find it. The only way to reliably remove a password from Excel 2007 or a later version (I had Excel 2010) that I have found was an online service called www.password-find.com. It exploited some new algorithm that allows removing the password instantaneously (removed mine within several seconds). However, it does not work for 100% of documents, so check it yourself - maybe the developers have improved it since then. If your document is saved in the old Excel 97-2003 format you may try Free Excel Password Recovery that someone mentioned already - it may work if the lost password is really simple. I hope my post will save you the huge amount of time I wasted looking for a resolution to this problem.

So as you see, Excel 2007/2010 protection can be cracked instantaneously, and thus can't be considered strong any more.

Anders
  • 64,406
  • 24
  • 178
  • 215
  • `Unfortunately, Password-Find could not remove the protection because your document does not have any explicit vulnerability. And yet, there's still a possibility of getting access to the contents of your file. The password for your document can be found with the help of a supercomputer. Your password protected file will be uploaded to the secure server, and our supercomputer will do its best to recover the password. Do you want to find the password for your file?` and then pay. – A.D. Mar 13 '14 at 18:45