Why Protecting Sheets In Office 365 Is Slow
Office 2013 has silently introduced security changes in order to strengthen Excel protection!
Have you noticed that sheet protection VBA methods run much slower in Excel 2013 and 2016? That's because the new complex hashing algorithm takes longer to compute. For single sheet manual protection operations the delay is barely noticeable, but when add-ins or macros unlock/lock sheets in bulk, the delay can be significant. Read the announcement in MSDN here.
- Excel 2013 uses SHA512, a SHA-2 class algorithm, to calculate the hash values for sheet passwords, which cannot be cracked within a reasonable amount of time using the brute force methods applicable up to Excel 2010.
- It is impossible to find multiple passwords that share the same hash value in Excel 2013, as was the case with Excel versions up to Office 2010. So working passwords cannot be recovered.
- Caution: Excel 2007-2016 will become unresponsive (hang) if any old-school password remover add-in attempts to unprotect a sheet protected (with SHA512) in Excel 2013 or 2016 using a VBA brute-force attack.
- The perpetual license version of Office 2013 or 2016 does not use the new hashing algorithm. In case you are not aware, read about the differences between Office 365 and Office 2016.
Here is a look inside an OpenXML file saved in Excel 2013:
Sheet password hashed in Excel 2013 using the strong SHA512 algorithm
Excel versions up to 2010 used an outdated hashing algorithm. These 16-bit long plain hashes are very easy to hack, so working passwords can be recovered fast.
However, the SHA512 hash algorithm used by Excel 2013 is quite secure. One approach to cracking hashes is to use cryptographic lookup and rainbow tables. Excel 2013 prevents such attacks by randomizing each hash with the use of a salt value. So even when the same password is hashed multiple times, the hashes are not the same!
Hashes are randomized with the use of a random string called a salt, which does not need to be secret. In cryptography, a salt is random data that is used as an additional input (along with the password) to the one-way algorithm that hashes a password.
If you look carefully inside the sheetProtection XML node (image above), you will notice several protection attributes: saltValue, hashValue and algorithmName.
Do you want to protect sheets or workbook structure in a secure way that cannot be hacked by a VBA brute force attack running in Excel 2007-2010?
Protect sheets in Excel 2013 or 2016, use the workbook in Excel 2007-2010, but do not unprotect or protect these sheets again in any version earlier than 2013.
A SHA512 secure hash along with a salt value is stored for every sheet protected in Excel 2013. This cryptographic information is maintained while the workbook is used in Excel 2007-2010, as long as sheets are not unprotected. If a sheet is protected again in Excel 2007-2010, the secure SHA512 hash will be replaced by a weak, outdated hash, which is easy to crack using VBA code circulating around the web.
To summarize:
- The password of a sheet protected using Excel 2013 cannot be hacked using a brute force attack, even if the workbook is opened in Excel 2007-2010!
- A workbook with a sheet protected in Excel 2013 or 2016 will only be vulnerable again to a brute force attack if it is saved after the sheet has been unprotected and re-protected in Excel 2007-2010.
- Saving a 2013 workbook as a 2003 file removes the strong sheet protection hashes set by Excel 2013, as the XLS file format is not compatible with the OpenXML file standard! Obviously any features not supported by Excel 2003 will be lost or degraded as well.
To ensure sheets are protected with the highest level of security offered by Excel, protect them in Excel 2013 or later, even if the workbooks were originally created or are being used in Excel 2007-2010.
How To Upgrade Worksheet Protection In Excel
FAQs
I am a line manager. I have protected sheets in Excel 2013 and sent the .xlsx workbook to several analysts, who have Excel 2007 & 2010 only. Can they use an old-school password hacking add-in (readily available on the internet) to remove sheet protection?
No. The sheet security strength is determined by which version of Excel your OpenXML workbook was protected in. It doesn't matter which Excel version opens the file (2007 or later). Since the sheets were protected in Excel 2013, strong hashes and salt values are present in the workbook, no matter which Excel version the workbook is opened in.
Excel will simply hang if any of the analysts use an old-school brute force VBA attack to crack the sheet passwords while strong salted hashes are present inside the workbook.
I am an analyst, I have protected sheets in Excel 2013 and sent the workbook to a colleague who has Excel 2010 only. We are collaborators and he used the known password to unprotect the sheets and make some changes. Then he re-protected the sheets. If I understand correctly, a salt-free hash is now stored by Excel 2010 inside the workbook. Since we are serious about security, does he have to send the workbook back to me, so it is unprotected and re-protected in Excel 2013?
Yes, correct. If you are both serious about sheet security, you must re-protect sheets in 2013. If you want to prevent people from using VBA unprotection code found on the web, always protect sheets, workbook structure and shared workbooks in 2013 (or later).
The only way Excel 2007 and 2010 know how to protect sheets is with the obsolete, weak SHA1 algorithm, which offers a 16-bit hash (4 characters). This short unsalted hash is easily defeated by several methods such as brute force attacks and hash look-up tables.
I have a Macbook Pro with OS X Yosemite. I purchased Office 365, which has Excel for Mac 2016, so I could have the better worksheet protection that I thought was available from Excel 2013 onwards. However, I have tested this by setting passwords on the worksheet and the workbook, and password breakers from the internet broke the password in a matter of seconds.
We have confirmed your findings. It seems that Excel for Mac 2016 doesn't support the strong password worksheet protection available from Excel 2013 onwards.
Disclaimer
The above examples are provided for informational purposes only and to create awareness that protection in Excel may not be a reliable method of securing data. Sheet passwords offer little more than protection against accidental damage or uninformed tinkering.