Understanding Excel’s Password Security Methodology
How Secure is Excel?
There is not a great deal of documentation out there about how Excel handles password security; however, concerns always seem to be raised about how safe files really are when you rely on the built-in password protection. I am in no way an expert in security or encryption, but thanks to a little research, I believe I can fill you in on how Excel stores your passwords and whether your worksheet- and workbook-level protections are really safe.
Microsoft intentionally designed worksheet- and workbook-level protection (accessed via the Review tab on the Excel Ribbon) to leave a back door into models or files that analysts may have accidentally locked themselves out of. In taking this route, Microsoft chose not to make the password scheme for those levels very strong. Microsoft did, however, make Excel's file-level protection extremely strong: if that password is lost, the file is rendered useless.
Digging Into Excel’s OpenXML Code
Many don’t know this, but every Excel .xlsx file is really a .zip archive. Don’t believe me? Go to one of your Excel files on your computer and change its extension from .xlsx to .zip. Magically, your Excel file is transformed into a bunch of files full of OpenXML code! This is important to know, as this is where you can dig into how an Excel file is put together. If you understand how these zipped files are written and organized, you can find the settings, data, and even the password information saved by the user who created the Excel file. I won’t go into detail on where to find the password information; however, I will show you an example of how the code is written in Excel 2007-2010 and in the more secure Excel 2013 version.
What Are Hashes?
Here’s a fun fact: Excel does not actually store the password you input! Like most password protection software out there, the Excel application stores a string of data called a Hash. A Hash is the output of a Hash Algorithm (a complicated mathematical function) that turns any user-generated password into a jumbled-up string of seemingly meaningless characters. The XML code below was taken from a workbook in which I used the password “SpreadsheetGuru” to protect a blank worksheet.
Notice that the phrase “SpreadsheetGuru” is nowhere to be found. However, there is a small four-character string within the code. This is Excel’s hash value, created by feeding SpreadsheetGuru into its Hash Algorithm. Since Microsoft chose to make the hash so short, there are only a limited number of values the hash can take (the hash is made up of only numerical and alphabetical characters). This means that multiple passwords can unlock a worksheet protected with the password SpreadsheetGuru. For example, you could protect a spreadsheet with the password SpreadsheetGuru but unlock it with the password AABBAAAABAB@. These two phrases produce the same hash in Excel’s Hashing Algorithm, so in an Excel 2010 or earlier worksheet there is never just one password that works. Below is another illustration of how simplistic the password protection is prior to Excel 2013.
To determine a usable password for a locked Excel worksheet or workbook, a hacker can use a brute-force program to cycle through all the possible hash values. Since the hashes are so short, there is a very manageable number of combinations the program would need to test on the desired file. With today’s computers, this would only take a few seconds and can easily be accomplished with an Excel VBA macro. Needless to say, if you want to protect sensitive information or intellectual property, Excel workbook and worksheet protection is probably not the best solution to use in versions prior to 2013.
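The following is an added example, not code from the original post: it implements the legacy 16-bit hash that Excel 2007-2010 writes into the sheetProtection password attribute (the published algorithm from the OpenOffice.org Excel file-format documentation) and checks that the two passwords named above really do produce the same stored value. The helper names are this example's own; the constants are the algorithm's.

```python
# Added example: legacy Excel 2007-2010 worksheet/workbook protection hash.
# Algorithm as published in the OpenOffice.org Excel file-format documentation;
# function names are this example's own.

def legacy_sheet_hash(password: str) -> str:
    """Return the four-hex-digit legacy hash Excel stores for a sheet password.

    Each character is rotated left, inside a 15-bit window, by its 1-based
    position; the rotated values are XORed together, then the password length
    and the fixed constant 0xCE4B are folded in. Excel caps legacy sheet
    passwords at 15 characters, which keeps the rotation below 15 bits.
    """
    h = 0
    for pos, ch in enumerate(password, start=1):
        shifted = ord(ch) << pos
        h ^= (shifted & 0x7FFF) | (shifted >> 15)   # 15-bit rotate-left by pos
    h ^= len(password)
    h ^= 0xCE4B
    return f"{h:04X}"


def collides(pw_a: str, pw_b: str) -> bool:
    """True when two different passwords unlock the same protected sheet."""
    return pw_a != pw_b and legacy_sheet_hash(pw_a) == legacy_sheet_hash(pw_b)


# Before the final XOR the value fits in 15 bits, and 0xCE4B always sets bit 15,
# so every legacy hash lies in 0x8000..0xFFFF: only 2**15 = 32768 distinct
# hashes exist, however long or complex the password is.
DISTINCT_LEGACY_HASHES = 1 << 15


def hash_in_legacy_range(password: str) -> bool:
    """Check that the stored hash lands in the 32768-value range noted above."""
    return 0x8000 <= int(legacy_sheet_hash(password), 16) <= 0xFFFF


if __name__ == "__main__":
    for pw in ("SpreadsheetGuru", "AABBAAAABAB@"):
        print(f"{pw:>16} -> {legacy_sheet_hash(pw)}")
    print("same stored hash:", collides("SpreadsheetGuru", "AABBAAAABAB@"))
```

With only 32768 possible hashes, any set of more than 32768 passwords must contain collisions, which is why a short brute-force run over hash values rather than passwords is enough to open a legacy-protected sheet.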
Excel 2013 Increased Its Security
With the release of Excel 2013, Microsoft made a considerably greater effort to increase the protection of its workbooks and worksheets. Compare the Excel 2013 OpenXML code below with the Excel 2007 code shown earlier; both were produced with the same password, SpreadsheetGuru.
Notice that the Hash is much longer and more complex than the four-character string in prior versions of Excel. This is great news, as the added complexity means that every unique password you can possibly enter no longer shares a hash value with other passwords.
Notice also that the Microsoft developers added an additional variable to the password information, called a Salt value. Salt adds another layer of protection by appending a meaningless string of characters to the user-generated password. Look at the diagram below and see how adding a Salt value ensures that a more complex input enters the Hash Algorithm.
Microsoft took its Salt value one step further and made it vary, so that every time a user sets a password the stored Salt value is different. For example, I protected two spreadsheets in the same Excel 2013 workbook with the password SpreadsheetGuru. Notice below that both sets of code have different Salt values, which gave the two spreadsheets different hash values. If the hacker does not know the unique Salt value, it is much harder to reverse engineer which password the user chose. By incorporating a Salt value, a hacker’s computation goes from processing thousands of combinations to BILLIONS of combinations. This provides a much more secure way of protecting your spreadsheet work in Excel 2013.
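As an added example (not code from the original post), here is the salted, iterated SHA-512 procedure defined in ISO/IEC 29500 (ECMA-376) that Excel 2013 uses for the sheetProtection algorithmName, hashValue, saltValue and spinCount attributes; it reproduces the behaviour described above, where the same password protected twice yields two different stored hashes. The 16-byte salt length, the 100000 default spin count and the helper names are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example: ISO/IEC 29500 (ECMA-376) password hashing as used by Excel 2013
# sheetProtection. Helper names and the 16-byte salt are this example's choices.

def iso29500_hash(password: str, salt: bytes, spin_count: int, algorithm: str = "sha512") -> bytes:
    """H0 = H(salt + UTF-16LE password); Hn = H(Hn-1 + iterator), iterator a 32-bit LE counter from 0."""
    digest = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        digest = hashlib.new(algorithm, digest + i.to_bytes(4, "little")).digest()
    return digest


def protect_sheet(password: str, spin_count: int = 100_000, salt: Optional[bytes] = None) -> dict:
    """Build the attribute set Excel 2013 stores; a fresh random salt on every call."""
    salt = os.urandom(16) if salt is None else salt
    return {
        "algorithmName": "SHA-512",
        "hashValue": base64.b64encode(iso29500_hash(password, salt, spin_count)).decode(),
        "saltValue": base64.b64encode(salt).decode(),
        "spinCount": str(spin_count),
    }


def verify_sheet_password(password: str, attrs: dict) -> bool:
    """Recompute the hash with the stored salt and spin count; compare in constant time."""
    salt = base64.b64decode(attrs["saltValue"])
    expected = base64.b64decode(attrs["hashValue"])
    actual = iso29500_hash(password, salt, int(attrs["spinCount"]))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Same password, two protections: different salts, so different hashValues.
    first = protect_sheet("SpreadsheetGuru")
    second = protect_sheet("SpreadsheetGuru")
    for attrs in (first, second):
        print(f'saltValue="{attrs["saltValue"]}" hashValue="{attrs["hashValue"][:24]}..."')
    print("salts differ:", first["saltValue"] != second["saltValue"])
    print("hashes differ:", first["hashValue"] != second["hashValue"])
    print("correct password verifies:", verify_sheet_password("SpreadsheetGuru", first))
```

Because the salt is random per protection and the hash is iterated 100000 times, a precomputed table of hashes is useless and each guess costs 100000 SHA-512 operations instead of one 16-bit computation.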
Understanding How To Control Your Password Protection Strength
This is probably the most important part of this article, as it is vital that you understand how secure your workbooks and worksheets are. While Excel’s password security is still relatively simple to break (from an experienced computer hacker’s point of view), there is now a huge gap between the level of security provided by versions of Excel prior to 2013 and that provided by Excel 2013 and later.
The strength of the protection depends on which version of Excel you apply the protection in, NOT the version the file was created in.
For example, if you created a password-protected worksheet in Excel 2007 and then unlocked and re-locked the same spreadsheet in Excel 2013, your worksheet would now have Excel 2013-level password protection (with the longer Hash and the Salt value). This scenario would obviously work in your favor, as Excel 2013 security is much harder to get past. However, the opposite can also happen: you decrease the protection strength of a file by re-protecting an Excel 2013 file inside Excel 2010. This places your protection in grave danger, as there are a lot of free macros floating around out there that can easily break into an Excel 2010 or 2007 protected file. If you have sensitive files that were protected in Excel 2010 or earlier, you may want to go back and re-protect them in Excel 2013 to obtain this higher level of security for your workbooks.
Other Resources You Should Check Out
There is a lot of good information out there about password encryption and it’s actually pretty interesting. Here are a few articles I used in my own research to help me better understand how all of this stuff works.
- Sheet Passwords in Excel 2013: Spiced with Salt!
- Salted Password Hashing – Doing it Right
- Excel Worksheet & Workbook passwords
Chris is a finance professional and Excel MVP recognized by Microsoft since 2016. With his expertise, he founded TheSpreadsheetGuru blog to help fellow Excel users, where he shares his vast creative solutions & expertise. In addition, he has developed over 7 widely-used Excel Add-ins that have been embraced by individuals and companies worldwide.