Microsoft Office password protection is a security feature for protecting Microsoft Office documents (Word, Excel, PowerPoint) with user-provided passwords. In Office 2007, it uses strong encryption; previous versions use weaker systems and are not considered safe.
The 128-bit AES lock protection used in the newer Office 2007-2010 remains secure. In fact, the distributed RC5.net project has been trying to root out the 72-bit RC5 key since 2002, and in 2013 has not managed to do so. Additionally, even using any known pause (which speeds up a brute force attack by a factor of about four) would require millions of typical computers a year or more to crack a 128-bit AES key with sufficient length and complexity.
The 40-bit RC4 key protection used in older versions of Office 97-2003 can usually be passed with password hacking software.
Video Microsoft Office password protection
Jenis
Microsoft Office applications offer the use of two main groups of passwords that can be set to documents depending on whether they encrypt a password-protected document.
Passwords that do not encrypt password protected documents have different security level features for each of the Microsoft Office applications as mentioned below.
- In Microsoft Word passwords limit the modification of all documents.
- In Microsoft Excel passwords limit workbook modifications, worksheets in it, or individual elements in the worksheet.
- In Microsoft PowerPoint passwords limit the modification of the entire presentation.
Due to the lack of document encryption, all of the above mentioned passwords can not reliably protect documents from hackers. Most password hacking software can remove such protection from password protected documents in a very short period of time.
Passwords that encrypt documents also restrict users from opening documents. You can set this type of password in all Microsoft Office applications. If a user fails to enter the correct password into the field that appears after an attempt to open a password-protected document, view and edit the document will not be possible. Because password-protected encryption documents open it, the hacker needs to decrypt the document to gain access to its content. To provide increased security, Microsoft has consistently increased the power of Office encryption algorithms.
Maps Microsoft Office password protection
History of Microsoft Encryption password
In Excel and Word 95 and earlier editions we use a weak protection algorithm that converts passwords into 16-bit keys. Hacking software is now available to locate 16-bit keys and decrypt password protected documents instantly.
In Excel and Word 97 and 2000 , the key length is increased to 40 bits. This protection algorithm is also currently considered weak and there is no difficulty to hack the software.
Default protection in Office XP and 2003 is not changed, but the opportunity to use custom protection algorithms is added. Selecting a Non-Standard Cryptographic Service Provider allows increasing the length of a key so that the key used to encrypt a document can not be found. However, the password retention program can include many random passwords at the same speed, so using CSP does not slow down password recovery at all. Weak passwords can still be recovered quickly enough even though a special CSP is active.
In Office 2007 (Word, Excel, and PowerPoint) , protection is significantly improved because a modern protection algorithm called Advanced Encryption Standard is used. There is currently no software that can solve this encryption. With the help of the SHA-1 hash function, the password is extended to a 128-bit key 50,000 times before opening the document; as a result, the speed of password recovery is greatly reduced.
Excel and Word 2010 are still using AES and 128-bit keys, but the number of SHA-1 conversions has doubled to 100,000 further reducing password recovery speed.
Office 2013 uses 128-bit AES, but hash algorithm has been updated to SHA-2 class, and it is SHA-512 by default.
Excel Worksheet and Macro protection
The protection for worksheets and macros is certainly weaker than that for the entire workbook because the software itself should be able to display or use it. In Excel it is very weak, and the equivalent password can easily be found from the ABABABABABAx form where the first 11 characters are A or B and the last one is ASCII characters.
Password recovery attack
There are a number of attacks that can be used to find passwords or remove password protection from Excel and Word documents.
Deletion of passwords can be done with the help of precomputation tables or decryption attacks guaranteed.
Attacks that target the original password set in Microsoft Excel and Word include dictionary attacks, rule-based attacks, brute-force attacks, mask attacks, and statistical-based attacks.
The efficiency of an attack can be greatly improved if one of the following ways is implemented: multiple CPUs (distributed attacks), GPGPU (only applicable to Microsoft Office 2007-2010 documents) and cloud computing. Due to weak passwords, at this time, cloud computing facility is able to open as much as ca. 80% of files stored in Office 2007-2010 format. A password of sufficient length and complexity usually can not be roughly coerced.
Office 2013 introduces SHA-512 hashes in the encryption algorithm, making brute-force attacks and rainbow tables slower.
There is special software designed to recover lost Microsoft Office passwords on pre-AES encryption.
Ultimately, the security of a password-protected document depends on the user choosing a password with sufficient complexity. If the password can be determined by guesswork or social engineering, the underlying cipher is unimportant.
References
Source of the article : Wikipedia