7

At my old job, we used an open-source, (IMO) secure method for managing network infrastructure, and other important hosts' passwords [with KeePass]. At my new job however, it seems like they're using password-protected Excel spreadsheets.

Before I made a fuss about password security, I browsed the interwebs and found that Microsoft has been getting better at implementing encryption features in their Office products.

Main questions:

  • How safe is MS Excel/Office 2010's password encryption feature? I've been thinking this was an insecure way of dealing with passwords, is this not the case any more?
  • Are there many drawbacks to using an Excel 2010 document for password management?
l0c0b0x
  • If time wasn't 'of the essence', I'd just move our management to KeePass (or something like that). I'd like to see how big of a priority/issue this is. – l0c0b0x Feb 06 '12 at 20:23
  • 1
    As you know, I like KeePass. Though there are some issues with it. Most of the apps don't allow you to share a single database. The app errors out. We set up a VCS, so people could have local copies, and we could track changes, but this does take some effort. Something like LastPass Enterprise might be a choice as well. – Zoredache Feb 06 '12 at 22:05

2 Answers

9

I wouldn't recommend it. There ARE still methods of cracking these quite easily. I personally recommend a TrueCrypt volume that contains a KeePass database. It serves me well and is extremely portable. And I'm using it in an environment with thousands of passwords.

EDIT: And KeePass is already well laid out for password management. With a nice GUI (i.e., easy to see what password is which type) and built-in password generators... can't go wrong.

Publiccert
  • 3
    +1 - KeePass (or KeePass 2) is very good, just as long as you can keep your master tokens safe. – Mark Henderson Feb 06 '12 at 20:38
  • Well said. I use a VERY long phrase with standard character substitution for spaces and certain characters with special ones. Works well, and is easy to remember. Good luck cracking my 11 word, 23 special character phrase...unless you've got a hammer :/ – Publiccert Feb 06 '12 at 20:43
  • 3
    @Publiccert Well, now that you've narrowed it down for me... :) – Aaron Copley Feb 06 '12 at 20:49
3

Microsoft has made great strides with encryption in each release of Office -- Office 2000 encryption was a complete joke. Office 2003 encryption was substantially better, and Office 2010 is better still.

Having said that, Excel is NOT designed to be a secure password store, and I would NOT trust it as one.
Many people lose their Office document passwords every day -- because of this there are many motivated people working on ways to recover document passwords (or alternatively decrypt the documents), and if someone discovers a way to break Excel document encryption you can expect that MS Office users the world over will be hailing them as a savior (while malicious attackers are decrypting your document and stealing your passwords).


Password security should be taken seriously: Time may be "of the essence", but a substantially greater loss (in man-hours and potentially real dollars) will result from a security breach.
Take the time to implement a proper, well-thought-out solution (like KeePass). It will serve your company better in the long run.
Until that time I suggest a PGP-encrypted file, and to provide emergency access to management KeySure boxes (which also show you that the password was accessed, as you must break the box apart to get at its contents).

voretaq7