Introduction to Excel Security

Preamble:In reformatting and upgrading this site I debated whether to keep the Excel Password Recovery section or not.I don''t want to provide a hacker''s how-to list but do think it important that users and developers know how to protect their work and understand the limitations of Excel''s password protection. In this vein I''ve re-written the Excel Password Recovery pages focussing on Excel Security and ''how to protect Excel spreadsheets'' as opposed to ''how to crack Excel spreadsheets''.I do identify Excel''s weaknesses and how to protect against them, and do link to commercial locksmith services. Excel Protection - Main Points:

• Excel protection is good at protecting formulas and text from accidental corruption
• Excel protection is not good at hiding sensitive data or formulas.
• If a determined user has access to a file then he/she can uncover hidden formulas, hidden text and hidden sheets.
• If you don''t want a user to see confidential information then restrict access to the file.
  - save the file to a restricted access drive, or
  - require a password to open the file.
  - do not hide sensitive data on hidden sheets
• Excel macros can be used to give an additional layer of protection

Excel uses 4 types of passwords.

• Worksheet passwords to prevent changes to cells on worksheets or to data and other items in charts, and to prevent viewing of hidden rows, columns, and formulas.
• Workbook structure passwords to protect the structure of a workbook so that worksheets in the workbook can''t be moved, deleted, hidden, unhidden, or renamed and new worksheets can''t be inserted.
• Workbook access passwords to prevent unathorized users from opening and viewing the workbook.
• VBA passwords to hide and protect VBA macro code.

Worksheet and Workbook Structure PasswordsThe encryption on Worksheet and Workbook structure passwords is extremely weak. Passwords can be cracked in minutes with free software. Even Microsoft acknowledges that worksheet and workbook protection is a ''display'' feature and not a ''security'' feature.Passwords will only stop the casual user and cannot be relied upon as a security feature in distributed applications.Worksheet Access and VBA PasswordsRecovering and removing a password from a protected and closed file is more time-consuming with a lower probability of success.Most recovery software uses a brute-force approach trying every possible combination of letters, numbers and symbols. A more refined approach is the dictionary-attack that only looks for "real" words and ignores nonsense combinations."For example, the fastest program gives about 170,000 password/second on Pentium III/800. To find an 8-character password consisting of lowercase Latin letters and digits you''ll need about 200 days."Brute force and dictionary attacks are appropriate if you are confident that the passwords are under 8 characters, use all letters (no numbers or symbols) and are based on ''real'' words. (Un)fortunately most passwords are not sophisticated, are too short and do not incorporate numbers or symbols.A relatively quicker approach is "key encryption recovery". Because there are fewer encryption keys than letters and symbols (a many to one relationship), fewer combinations have to be searched, and the recovery time can be reduced to under 30 days.Encrypted passwords should be harder to crack but US crypto export regulations limit the key length to 40 bits.You may either purchase the software yourself or use a professional recovery service which will apply multiple dedicated computers to the task reducing turnaround time to 2-14 days.', '