[diggeryo]

Hi,

I have a couple of Office 2007 files that are password protected. One is a Word file and the other is an Excel file. I have "password to open" checked, not "password to modify."

My question is-- I'm concerned about how secure Office 2007 password protection really is. Obviously, anyone can attempt to guess my password, but short of being able to guess the correct password, how easy would it be for someone to break or circumvent the Office 2007 password protection if they got a hold of my files?

I'm pretty sure I remember reading somewhere that Office password protection can be broken rather easily, though I can't remember where I read that. I'm not really concerned if someone physically steals my computers; that type of theif most likely wouldn't know how to break any type of password protection.

What I'm more concerned about is if I somehow get some sort of trojan on my computer, and the hacker is able to upload/access my files. Would it be very easy for this type of person to circumvent password protection in an Office document?

If so, can you suggest another type of more secure proteaction for Office files? (I was thinking of creating a TrueCrypt volume and storing only these two files there, but then I run into the same problem--if I have a trojan on my computer, a hacker could easily upload my two Office files while I have the TrueCrypt volume open.)

thank you for your attention,
mike.

[Advertisements]

Office password protection isn't particularly difficult to break, a simple dictionary based attack is usually enough. Depending on the length of the password used and the speed of the computer being used it can potentially be cracked in less than an hour.

Microsoft UK's product publishing manager said in 2004 in an article on ZDNet: "Word's password protection is useful for collaborating with colleagues, it is not a security feature and should not be relied upon as such. If [users] are using it as a security feature then that is not correct. If you are looking for secure encryption you should not be using this feature. We have lots of customers out there using password protection, but the reason they are doing that is to stop general users changing the text or whatever--and it works perfectly well for that."

A security regime is only as good as the weakest link. If you own a business with state-of-the-art alarm, dialler, CCTV monitoring, etc, and you go home one night and forget to lock the front door, then none of the aforementioned security solutions will stop stuff being nicked, as the door was the weakest link, having been left open all night.

[Neil Jones]

Office password protection isn't particularly difficult to break, a simple dictionary based attack is usually enough. Depending on the length of the password used and the speed of the computer being used it can potentially be cracked in less than an hour.

Microsoft UK's product publishing manager said in 2004 in an article on ZDNet: "Word's password protection is useful for collaborating with colleagues, it is not a security feature and should not be relied upon as such. If [users] are using it as a security feature then that is not correct. If you are looking for secure encryption you should not be using this feature. We have lots of customers out there using password protection, but the reason they are doing that is to stop general users changing the text or whatever--and it works perfectly well for that."

A security regime is only as good as the weakest link. If you own a business with state-of-the-art alarm, dialler, CCTV monitoring, etc, and you go home one night and forget to lock the front door, then none of the aforementioned security solutions will stop stuff being nicked, as the door was the weakest link, having been left open all night.

[diggeryo]

Thanks for the reply, Neil. I've been giving alternative solutions some thought. As I said in my original post, I don't think TrueCrypt would be an option, as someone could easily steal my files when I have the TrueCrypt volume mounted.

What are your thoughts, however, on zipping my files into a password protected/encrypted ZIP file with either "ZIP2.0 compatible encryption" or "256-bit AES encryption?" Would that offer more protection than a password protected Office document, or would it be just as easy to break into that if someone got a hold of my ZIP file?

And if that is a better solution, is one of those types of encryption better than the other? (Those are the only two offered by my current compression program, jZip.)

thanks,
mike.

Edited by diggeryo, 06 February 2009 - 02:28 PM.

[Neil Jones]

In theory anything that's encrypted with some sort of key or whatever is liable to being cracked in some form.

Most trojans these days are more interested in shoving pop-ups in your face and monitoring your keyboard inputs for various websites in order to get card details and what not. They are very unlikely to be interested in letters to Uncle Fred that you wrote three years ago asking him what colour he painted the front door in the end.

You are very unlikely to be literally hacked on your own computer. As of June 2008, there were 1,463,632,361 internet users. You are more likely to win the state lottery. If you use up to date internet solutions and don't do silly things like click on Phishing emails or keep bank details in plain text format, you should be fine. Though it may be a good idea to keep anything important exclusively on an external hard drive and then only plug it in when you need it.