MS Office 2013 Password Protection – How Good?

How secure is the password protection for documents in Office 2013? I’ve looked on the web and there seem to be a lot of tools claiming to be able crack them but in reality how good is it?

Bump…

I know it’s a pretty boring topic but if anyone has any real world experience of this…

STW, yesterday.

http://singletrackworld.com/forum/topic/excel-help-removing-password

Here.

https://en.wikipedia.org/wiki/Microsoft_Office_password_protection

It’s worth noting that just using Office 2013 isn’t sufficient; you need to make sure you’re saving documents in the newest formats.

In a Domain environment there’s a mechanism for Administrators to retrieve lost passwords (“DocRecrypt”) so it depends who you’re trying to keep them safe from.

A password cracking tool off t’web will almost certainly be a brute force / dictionary attack, so if your password is “password” they’ll probably work quite well. With a complex password they’ve got buckley’s.

I can only really speak for Excel passwords – they’re not good. Dependant on the password type & file type a brute force can be run pretty quickly, memory bit substitions can be done or they can be edited manually by unpacking an .xlsx using 7zip or similar into it’s constituent .xml files.

Are you talking about worksheet protection passwords, or file-level password encryption? Very different things.

Depends on whether they’ve been encrypted – if not then file-level is silly easy

Not sure about later versions but always used to be very basic and easy to crack.

What are you trying to do anyway?

Are you looking to keep documents encrypted on a particular device? In which case encrypting the whole file system is a better solution. Bitlocker in Windows for example, although it’s Pro edition normally but some Win 8.1 and 10 PCs ship with hardware based device encryption enabled by default, mainly tablets and some laptops, in which case it might be already encrypted.

If you want to have the file encrypted wherever it goes inc email, then some other file based encryption. Lots of options using container files that encrypt the contents. I’m no expert on them though and some may be easier to crack than others.

I’ve been asked to send some information via email. I have suggested password protecting the document in Word and sending via email. The password will be sent by SMS. Passwords will be 8 character, 1 upper case, 1 lower case, 1 numerical and 1 special minimum.

Not sure about later versions but always used to be very basic and easy to crack.

They did. But times have changed since Office 95.

Password-protected worksheet content is easy enough to get around. But if you’re claiming you can break Office’s 128-bit AES file encryption ‘trivially’ then you’re about to become very, very wealthy.

I’ve been asked to send some information via email.

Make a test document with lorem ipsum, choose ‘encrypt with password’ when saving it, and post it up here. I’d like to see how anyone asserting it’s easy to crack actually gets on.

Passwords will be 8 character,

That’s your weak point if anything, you need a longer password (and you need to not tell people how long it is). If it needs to be properly secure I’d be looking at 12 chars as an absolute minimum.

Cougar – Moderator
They did. But times have changed since Office 95.

Password-protected worksheet content is easy enough to get around. But if you’re claiming you can break Office’s 128-bit AES file encryption ‘trivially’ then you’re about to become very, very wealthy.

I’ve just not looked into it for a long time as used to be very vulnerable. Most I’ve worked with would just blank rule out Office’s own encryption as an option, but yeah based on lost trust from the early days I think.

Just looked and according to Wikipedia, if you can trust it, Office 2007 introduced the 128bit AES and only 2007 onwards are considered secure. Earlier versions are crackable (and I still come across companies that use Office XP! – a lot more use 2007 still).

https://en.wikipedia.org/wiki/Microsoft_Office_password_protection

While not crackable, it seems easily brute forceable with weak passwords. The password spec from OP sounds just that.

Anyway, email, showing how out of date I am in this area, used to be PGP was the thing to use to send things encrypted. Maybe still viable. I just remember it was a right faff to set up.

Not my area of expertise, but wouldn’t it be more secure to use a shared Dropbox folder or to send a Dropbox link by SMS instead of emailing the file?