Microsoft Office Password Protection

Word, Excel, PowerPoint) to be protected with a user-provided password.

There are two types of passwords that can be set to a document:

• A password to encrypt a document restricts opening and viewing it. This is possible in all Microsoft Office applications. Since Office 2007, they are hard to break if a sufficiently complex password was chosen.^{[citation needed]} If the password can be determined through social engineering, the underlying cipher is not important.

• Passwords that do not encrypt but restrict modification and can be circumvented.
  • In Word and PowerPoint the password restricts modification of the entire document.
  • In Excel passwords restrict modification of the workbook, a worksheet within it, or individual elements in the worksheet.

Weak encryptions

In Excel and Word 95 and prior editions a weak protection algorithm is used that converts a password to a 16-bit verifier and a 16-byte XOR obfuscation array key. Hacking software is now readily available to find a 16-byte key and decrypt the password-protected document.

Office 97, 2000, XP and 2003 use RC4 with 40 bits. The implementation contains multiple vulnerabilities rendering it insecure.

In Office XP and 2003 an opportunity to use a custom protection algorithm was added. Choosing a non-standard Cryptographic Service Provider allows increasing the key length. Weak passwords can still be recovered quickly even if a custom CSP is on.

AES since Office 2007

In Office 2007, protection was significantly enhanced since a modern protection algorithm named Advanced Encryption Standard was used. At present^[when?], there is no software that can break this encryption. With the help of the SHA-1 hash function, the password is stretched into a 128-bit key 50,000 times before opening the document; as a result, the time required to crack it is vastly increased, similar to PBKDF2, scrypt or other KDFs.^{[citation needed]}

Office 2010 employed AES and a 128-bit key, but the number of SHA-1 conversions doubled to 100,000.

Office 2013 uses 128-bit AES, again with hash algorithm SHA-1 by default. It introduces SHA-512 hashes in the encryption algorithm, making brute-force and rainbow table attacks slower.^{[citation needed]}

Office 2016 uses, by default, 256-bit AES, the SHA-2 hash algorithm, 16 bytes of salt and CBC (cipher block chaining).

Attacks that target the password include dictionary attacks, rule-based attacks, brute-force attacks, mask attacks and statistics-based attacks. Attacks can be sped up through multiple CPUs, also in the cloud, and GPGPU (applicable only to Office 2007-10 documents).^{[citation needed]}

The protection for worksheets and macros is necessarily weaker than that for the entire workbook, as the software itself must be able to display or use them.^{[citation needed]}

For XLSX files that can be opened but not edited, there is another attack. As the file format is a group of XML files within a ZIP; unzipping, editing, and replacing the workbook.xml file (and/or the individual worksheet XML files) with identical copies in which the unknown key and salt are replaced with a known pair or removed altogether allows the sheets to be edited.^{[citation needed]}