Section 6.3.Password Protect and Encrypt Workbooks

6.3. Password Protect and Encrypt Workbooks

Passwords are a simple way to protect sensitive data in a workbook. You can use passwords to encrypt a workbook to provide added security. Encryption prevents hackers from being able to read your workbook by disassembling the file in some way.

6.3.1. How to do it

To add a password to a workbook in Excel:

1. Choose Save As from the File menu. Excel displays the Save As dialog box.

2. On the Save As dialog box, click Tools General Options. Excel displays the Save Options dialog box (Figure 6-5).

   Figure 6-5. Adding a password to a workbook

   
   
   

3. Enter passwords in the Password to open and/or Password to modify text boxes and click OK. To create a workbook that everyone can read but only password holders can edit, set Password to modify and leave Password to open blank.

4. Excel prompts you to confirm the passwords entered in the previous step.

To add encryption to a workbook:

1. Click the Advanced button after Step 2 above. Excel displays the Encryption Type dialog box (Figure 6-6).

2. Select an encryption type from the listed encryption providers, choose an encryption key length, and click OK.

3. Proceed with setting the workbook password.

Figure 6-6. Adding encryption to a workbook

The encryption providers you have installed may vary depending on your location. Some encryption providers are not available outside of the United States, so you will want to take that into consideration if you are distributing encrypted files internationally. The longer the encryption key, the harder it is for a hacker to decrypt data. All software-based encryption such as this is potentially reversible without the key.

6.3.2. How secure are Excel Passwords?

It depends.

Encrypting a workbook makes it very difficult to extract passwords from a workbook by peeking inside the file in some way. However, Excel does leave passwords open to guessing attacks. In short, you can write a macro to call the Open method repeatedly with various passwords until you find one that works.

That's because Excel doesn't lock out attempts after a certain number of wrong passwords they way most networks do. Therefore, Excel passwords are only as good as their complexity.

For example, a four-character all-lowercase workbook password takes about 40 minutes to guess using brute-force techniques on my 2.0 Ghz machine. By extrapolation, a mixed-case four-character password would take over 10 hours and a six-character password using any valid character (letters, numbers, or symbols) would take 883 years.

That sounds pretty secure, but remember this is just using brute-force techniquesstarting at Chr(33) and working through the valid character set. There are many ways to optimize guessing that reduces these times significantly. The controlling factors are how many attempts are made before guessing correctly and how long it takes Excel to run the Open method and return an error if the guess is wrong. Just for example, the Excel Key service on the Web promises password-recovery in four to seven days, regardless of password length.

These same guessing techniques can be applied to password-protected items within a workbook, such as worksheets. It is, in fact, much easier to guess the password for a protected worksheet because the Unprotect method returns an error five times faster than the Open method.

So what should you do? Here are some recommendations:

• Use strong passwords; strong passwords are at least eight characters long and contain letters, numbers, and symbols.

• Encrypt password-protected files.

• Keep passwords secret; this is obvious, but it is also where most security breaches occur.

• Use Permissions to limit access to the file based on user identities rather than, or in addition to, passwords and encryption.

Permissions or other identity-based approaches are really much better at securing data than password-based approaches.

6.3.3. What about...