Microsoft Office password protection

From Wikipedia, the free encyclopedia
Jump to: navigation, search

The Microsoft Office password protection is a security feature to protect Microsoft Office (Word, Excel, PowerPoint) documents with a user provided password. Word and Excel 95 used a 32-bit key protection algorithm, that was later enhanced up to 40 bits in Excel 97 and was continued in further versions, until a 128-bit key Advanced Encryption Standard (AES) protection algorithm was introduced in Office 2007.

Currently, the 40-bit key protection used in Office 97–2003 can be easily cracked by the password-hacking software. The 128-bit key AES protection employed in Office 2007–2010 can still be considered as a relatively secure one. At the moment, however, cloud computing facilities are capable of unlocking a substantial number of the files saved in the Office 2007–2010 format.[citation needed]


Microsoft Office applications offer the use of two main groups of passwords that can be set to a document depending on whether they encrypt a password-protected document or not.

Passwords that do not encrypt a password-protected document have different security level features for each of Microsoft Office applications as mentioned below.

  • In Microsoft Word[1] passwords
    • restrict modification of the entire document.
  • In Microsoft Excel[1] passwords
    • restrict modification of the workbook, a worksheet within it, or individual elements in the worksheet
  • In Microsoft PowerPoint[1] passwords
    • restrict modification of the entire presentation.

These password types are widely believed to be created for Microsoft Office document sharing rather than preventing other people from getting access to secret data that the document may contain.[2] Because of the lack of document encryption, all the passwords mentioned above cannot reliably protect a document from a hacker. Most password-cracking software can remove such protection from a password-protected document in very little time.

The password that encrypts a document also restricts the user from opening the document. It is possible to set this type of password in all Microsoft Office applications. If a user fails to enter a correct password to the field which appears after an attempt to open a password-protected document, viewing and editing the document will not be possible. Due to the encryption of a document protected by a password to open it, a hacker needs to decrypt the document to get access to its contents. To provide an improved security, Microsoft has been consistently enhancing the Office encryption algorithm strength.

History of Microsoft Encryption password[edit]

In Excel and Word 95 and prior editions a weak protection algorithm is used that converts a password to a 16-bit key.[3] Currently hacking software are readily available to find a 16-bit key and decrypt the password-protected document instantly.[4]

In Excel and Word 97 and 2000 the key length was increased to 40 bits.[3] This protection algorithm is also currently considered to be weak and presents no difficulties to hacking software.

The default protection in Office XP and 2003 was not changed, but an opportunity to use a custom protection algorithm was added.[3] Choosing a non-standard Cryptographic Service Provider allows increasing a key length so that a key which is used to encrypt a document can’t be found. However, password-cracking programs can enter multiple random passwords with the same speed, so use of CSPs does not slow down password recovery at all. Weak passwords can still be recovered fast enough even if a custom CSP is on.

In Office 2007 (Word, Excel and PowerPoint), protection was significantly enhanced since a modern protection algorithm named Advanced Encryption Standard was used.[3] At present there is no software that can break this encryption. With the help of SHA-1 hash function, a password is converted into a 128-bit key 50,000 times before document opening, and because of that, password recovery speed was vastly reduced.

Excel and Word 2010 still employ AES and a 128-bit key, but the number of SHA-1 conversions has doubled to 100,000[3] further reducing password recovery speed.

Password recovery attacks[edit]

There are a number of attacks that can be employed to find a password or remove password protection from Excel and Word documents.

Password removal can be done with the help of precomputation tables or a guaranteed decryption attack.

Attacks that target the original password set in Microsoft Excel and Word include dictionary attack, rule-based attack, brute-force attack, mask attack and statistics-based attack.

The efficiency of attacks can be considerably enhanced if one of the following means is applied: multiple CPUs (distributed attack), GPGPU[5] (applicable only to Microsoft Office 2007–2010 documents) and cloud computing. At the moment, cloud computing facilities are capable of unlocking as many as ca. 80% of the files saved in the Office 2007–2010 format.[citation needed]

There is specialized software designed to recover lost Microsoft Office passwords.


  1. ^ a b c "Password protect documents, workbooks, and presentations - Support -". Retrieved 2012-12-26. 
  2. ^ "Office security basics - Word -". Retrieved 2012-12-26. 
  3. ^ a b c d e "Microsoft Office File Format Documents". Retrieved 2012-12-26. 
  4. ^ "Russian Password Crackers: Password Recovery (Cracking) FAQ". Retrieved 2012-12-26. 
  5. ^ "GPU estimations". 2012-06-22. Retrieved 2012-12-26.