|
We were all been resigned to the fact that our spreadsheets could be stolen quickly and easily for so very long. Now, everything has changed. There is a next generation solution that works in every Excel version since 2007. |
The Protection Upgrade add-in improves worksheet & workbook security in Office and let's you sleep better at night! Something has been missing from Excel from the very start (nineties) - dependable security.
Until Office 2010, Excel used an outdated 16-bit hash algorithm to protect our worksheet and workbook passwords, as demonstrated in one of our protection articles. Due to the short length of the password hash, workbook structure and worksheet protection can be removed in seconds by a brute force attack on the hashed passwords used in Excel 2007-2010, even with simple VBA code.
In 2013, Microsoft decided to fix this security loophole. Office silently introduced security changes in order to strengthen Excel worksheet protection. Excel 2013 (and later versions) uses a SHA-2 class, SHA512 algorithm, to calculate the hash values for sheet passwords. These 'salted' hashes cannot be cracked within a reasonable amount of time using the brute force methods applicable up to Excel 2010.
Although, there is an alternative technique employed by Password Remover add-ins to remove strong protection from closed Excel files, it is applicable neither to binary XLSB files, nor to OpenXML files encrypted with a file-open password.
Until Office 2010, Excel used an outdated 16-bit hash algorithm to protect our worksheet and workbook passwords, as demonstrated in one of our protection articles. Due to the short length of the password hash, workbook structure and worksheet protection can be removed in seconds by a brute force attack on the hashed passwords used in Excel 2007-2010, even with simple VBA code.
In 2013, Microsoft decided to fix this security loophole. Office silently introduced security changes in order to strengthen Excel worksheet protection. Excel 2013 (and later versions) uses a SHA-2 class, SHA512 algorithm, to calculate the hash values for sheet passwords. These 'salted' hashes cannot be cracked within a reasonable amount of time using the brute force methods applicable up to Excel 2010.
Although, there is an alternative technique employed by Password Remover add-ins to remove strong protection from closed Excel files, it is applicable neither to binary XLSB files, nor to OpenXML files encrypted with a file-open password.
Features for Excel 2007-2010 & Perpertual Licenses
|
Simply speaking, upgrade your worksheet & workbook structure protection to the latest secure hashing algorithm, as used in Office 365 (Excel 2013 or later subscription versions). |
In macro-enabled files, safeguard the stronger protection by using known VBA techniques to prevent attacks by password removal software. It is imperative to lock in any such VBA code with a custom VBA protection scheme, such as Unviewable+ VBA.
The Office versions that use the outdated hashing algorithm are:
The Office versions that use the outdated hashing algorithm are:
- Office 2010 and earlier
- Office 2013 or 2016 perpetual licenses (one-time purchase)
Excel 2013 & later versions use salted password hashes that CANNOT be cracked by VBA brute force attacks
Features for Office 365 Users
|
Have you noticed that sheet protection VBA methods used to run much FASTER in Excel 2007 and 2010? That's because the new complex hash algorithm takes longer to compute in Office 365 subscription versions of Excel 2013 & 2016. |
For single sheet manual protection operations the delay is barely noticeable, but when add-ins or macros unlock/lock sheets in bulk, the delay can be significant.
Microsoft claims that the performance issue is by design and it is an acceptable price to pay for the increased security, as discussed in what is new in Excel 2013. However, we have discovered a workaround!
For the technically minded, the major part of the delay is caused by the iterations of the hashing function, which by default in Office is set to 100,000. Think of it as a code loop than runs 100K times. So, how about if we can make this loop run just once? It would definetly speed-up calculations. The cryptographic term for the iterations is called Spin Count. Set it to 1 and presto, worksheet unprotection becomes blazing fast, as in the good old days!
Obviously, such a low SpinCount decreases security during brute force attacks. But does it really matter in practical terms (think in seconds/minutes/hours, not days/years/centuries)? We think no, as discussed in this StackOverflow article, if you use a strong, long password and not a typical, easy to guess one. After all, most add-ins do not use brute-force attacks anymore to crack strong Excel 2013 (or later versions) worksheet passwords.
To summarize, you can select any value for the Spin Count iterations during worksheet protection, other than the default 100K. Chose 1 for fast unprotection (least secure) or the extreme 10 million for annoying slow performance, yet maximum security.
These values are file specific and do not modify Office options or anything else within your Office installation.
Microsoft claims that the performance issue is by design and it is an acceptable price to pay for the increased security, as discussed in what is new in Excel 2013. However, we have discovered a workaround!
For the technically minded, the major part of the delay is caused by the iterations of the hashing function, which by default in Office is set to 100,000. Think of it as a code loop than runs 100K times. So, how about if we can make this loop run just once? It would definetly speed-up calculations. The cryptographic term for the iterations is called Spin Count. Set it to 1 and presto, worksheet unprotection becomes blazing fast, as in the good old days!
Obviously, such a low SpinCount decreases security during brute force attacks. But does it really matter in practical terms (think in seconds/minutes/hours, not days/years/centuries)? We think no, as discussed in this StackOverflow article, if you use a strong, long password and not a typical, easy to guess one. After all, most add-ins do not use brute-force attacks anymore to crack strong Excel 2013 (or later versions) worksheet passwords.
To summarize, you can select any value for the Spin Count iterations during worksheet protection, other than the default 100K. Chose 1 for fast unprotection (least secure) or the extreme 10 million for annoying slow performance, yet maximum security.
These values are file specific and do not modify Office options or anything else within your Office installation.
How To Use This Add-in
- Protect worksheets, chart sheets or workbook structure using Excel's ribbon controls, protection add-ins or your own VBA code. Use of a long, complex password is highly recommended. You can keep track of your passwords using our free printable password log template.
- When using the Worksheet.Protect method, set UserInterfaceOnly to True to protect the user interface, but not macros. If this argument is omitted, protection applies both to macros and to the user interface.
- Save your changes and close the file.
- Select closed file(s) from the Protection Upgrade add-in menu. You can select to upgrade one or several files at once.
- Only sheets that are found protected inside a file will be upgraded by the add-in.
Protection Upgrade Excel add-in powered by the Ribbon Commander (RC) framework
Frequently Asked Questions
Will the strong worksheet protection persist, even if the file is opened in Excel 2007-2010?
Yes, unless a worksheet is unprotected with a valid password and re-protected in Excel 2007-2010. It is imperative to upgrade protection in files destined for distribution, after protecting sheets or workbook structure in Office 2007-2010.
How can I upgrade protection in XLSB binary files?
Yes, unless a worksheet is unprotected with a valid password and re-protected in Excel 2007-2010. It is imperative to upgrade protection in files destined for distribution, after protecting sheets or workbook structure in Office 2007-2010.
How can I upgrade protection in XLSB binary files?
- Save your file in XLSM format and close it from Excel.
- Upgrade protection in the XLSM file using this Ribbon Commander add-in.
- Open the XLSM file and save it in binary XLSB format. You discard the temporary XLSM file copy
Download
For Excel 2007 or later. Powered by the Ribbon Commander framework
