
Basically the title. For example, how bad is it to store passwords in an Excel sheet protected with a password, instead of storing passwords in KeePass or something else like Zoho Vault? Of course, this sheet would be in a safe place as well: besides the password to open the sheet, an attacker would need the password to access the Google Drive account and a second-factor authentication token from Google.

thatgirldm
Potter
  • 8
    A true password manager will protect the user from phishing attacks, whereas a user that copies & pastes a password from a password-protected excel sheet may unwittingly enter their password into a phishing site. See https://bitwarden.com/blog/how-password-managers-help-prevent-phishing/ for more info. – mti2935 Mar 08 '22 at 22:22
  • 6
    Does this answer your question? [Is there a good way to store credentials outside of a password manager?](https://security.stackexchange.com/questions/206090/is-there-a-good-way-to-store-credentials-outside-of-a-password-manager) – ThoriumBR Mar 09 '22 at 00:47
  • 1
    Password is not enough, you need to implement encryption. Safe? Safe is a very relative notion. Also my password manager hides password, I'm not sure how you're gonna safeguard yourself from prying eyes... – user1532080 Mar 09 '22 at 06:40
  • 3
    Very similar: [Storing passwords in access-restricted Google spreadsheets?](https://security.stackexchange.com/q/142546/29280) – Chris H Mar 09 '22 at 12:01
  • 2
    You need to clarify when you say "protected with a password". Are you using cell protection or File/Protect Workbook/Encrypt with Password? Cell protection has no real security, while the Protect Workbook function is not going to be brute forced easily but lacks many of the protections a password manager has, as noted by @adam-katz – throx Mar 09 '22 at 12:20
  • Depends on what you are protecting and what other access control mechanisms are in place, e.g. 2FA. For regular personal usage, why would you? But maybe there is a use case where you want to store some creds offline, e.g. for your descendants or successors at work. – Rich Mar 10 '22 at 21:24
  • You now have all the possible answers, would you be so kind to accept an answer (please look closely at @Heinzi's one :)) by clicking on the checkmark below the vote arrows on the left? (and probably upvoting as well) – WoJ Mar 11 '22 at 19:43

6 Answers

64

No. At best, password-encrypted Excel sheets are only protected at rest, not while opened. At worst, it's not encrypted and/or an adversary can use one of several documented MS office password recovery attacks.

It is unwise to assume that Excel's protections have anywhere near as much security vetting as any password manager, especially not the better-established ones like Bitwarden and 1Password.

In addition to being vetted for secure password storage, actual password managers include an interface that prevents you from seeing all passwords at the same time. They also have tons of extra features, like options to generate secure passwords, the ability to privately determine if a given password was part of a recent breach, and even the ability to wipe your clipboard a minute after you copy a password to it.

See also Wikipedia's List of password managers § Features matrix for a better list of what Excel can't offer but plenty of free options do.

Adam Katz
  • 7
    It's relatively easy to break Excel passwords, just use your favorite search engine and look for "bypass Excel password" or "VBA remove password". – BruceWayne Mar 09 '22 at 05:23
  • 4
    @BruceWayne It takes zero technical or coding expertise (even though it uses code), because all someone has to do is copy/paste from an article on the web, so it's literally a google search away. Brute forcing excel passwords is *very* different to brute forcing any real security, it will take about 20 seconds (if that) because you don't have to get the exact password that was used, but any of a (presumably large) number of different inputs that excel will deem sufficient to allow access. – stevec Mar 09 '22 at 10:10
  • 3
    You don't even need to brute force a protected spreadsheet, they're not encrypted. – Robyn Mar 09 '22 at 10:22
  • 11
    As I said below, you need to distinguish between a file saved with a password (which is encrypted), and cell protection (which isn't). Refer https://en.wikipedia.org/wiki/Microsoft_Office_password_protection – throx Mar 09 '22 at 12:17
  • Thanks for the links, folks. I was going solely on intuition (I didn't know it was _that_ trivially weak!) and I have updated my answer accordingly. – Adam Katz Mar 09 '22 at 15:48
  • 4
    @AdamKatz Careful there is a version of excel encryption which is strong and one which is super weak (non-existent). So depends what you use. – DRF Mar 10 '22 at 10:05
  • 1
    Excel supports AES encryption, so it doesn't have to be that bad. – OrangeDog Mar 10 '22 at 10:24
  • @OrangeDog depends on the version I think - when xlsx was still a relatively new format I'm pretty sure you used to be able to just go into the zip archive and delete the reference to having a password, before switching it back to the xlsx extension and it was as if it was never protected – Andrew Corrigan Mar 10 '22 at 13:13
  • 2
    Something extremely important is that, when you copy the password with Excel, it will stay in the clipboard and other programs can be notified of it. If you use KeePass' (or similar) auto-typing, you have an additional layer of safety, where the program types random characters and deletes them, which can confuse a basic keylogger. And nothing is stored in the clipboard. If you decide to use the clipboard, KeePass (for example) can restore the previous content after *x* seconds, instead of the password staying in the clipboard until you change the contents some time later. – Ismael Miguel Mar 10 '22 at 18:24
  • 1
    @BruceWayne: this is not true since Excel 2007, when MS stopped using their own "encryption" and switched to AES – WoJ Mar 11 '22 at 19:37
35

In the existing answers, a lot of "Excel is not secure" gets thrown around, so let's look at what this means in detail.

First, we need to establish which Excel feature we are talking about. There are two fundamentally different ways to "protect an Excel sheet with a password".

  1. File encryption: This is what Microsoft calls "Protect an Excel file". This feature encrypts the whole file with symmetric encryption:

    • Office 2016 and later use
      • 256-bit AES when encrypting Office Open XML files (docx, xlsx, ...),
      • RC4 (considered insecure) when encrypting files in the legacy formats (doc, xls, ...).
    • Office 2007–2013 use 128-bit AES for Office Open XML files
    • earlier versions of Office used various algorithms which are now considered insecure.
  2. Locking a workbook or worksheet. This is what Microsoft calls "Protect a workbook" and "Protect a worksheet". Microsoft explicitly states that "Worksheet level protection is not intended as a security feature". This kind of protection can easily be bypassed by a skilled user by modifying the XLSX file. It's a convenience feature that protects designated cells in your file (a) from accidental modification by users and (b) from deliberate modification by unskilled users.

Thus, from a cryptographic point of view, feature 2 is absolutely insecure, whereas feature 1 offers reasonable at-rest encryption when used with a strong password in current versions of Excel.

However, as Adam Katz's answer describes in more detail, good at-rest encryption is not the only important factor when choosing a password manager.

Thus, while storing your passwords in an encrypted Excel file is

  • more secure than storing them unencrypted (or reusing a single password for multiple accounts), it is also

  • less secure than using dedicated password manager software (or keeping your passwords off-line).

Heinzi
  • 5
    This should be top answer for actually being specific about the varying levels of security in Excel/Office files. – Dan A. Mar 10 '22 at 14:52
  • 1
    @DanA. – While it's true that more recent Excel releases are better at encrypting content at rest, that does _not_ make Excel a wise choice for storing passwords. This answer is a good overview of Excel's various security features, but it's not a great answer to "is it safe to store account credentials in an Excel sheet protected with a password", as acknowledged by the final sentence. – Adam Katz Mar 11 '22 at 20:25
  • 2
    @AdamKatz: Since my answer has become accepted (to my surprise - I just wanted to clear up a misconception in a lot of the other answers), I have expanded the last sentence (only slightly - I see no point in repeating what you already explained so well in your answer). – Heinzi Mar 12 '22 at 10:21
6

No, absolutely not safe

Here is the top google result for

how to crack excel password

It literally tells you how to open a password-"protected" Excel spreadsheet.

There are dozens more articles on the same topic, and anyone can do it (that's right, while you do need to copy/paste some code, you do not even need to be a computer programmer or need to know anything about 'hacking' to follow the steps).

This means, for better or worse, it's really easy for someone to open a password "protected" Excel spreadsheet.

So the answer is no - you should not consider passwords stored in an Excel spreadsheet secure, even if it's "protected" by a password.

stevec
  • 18
    You're conflating cell protection (which stops a user modifying an open document) and saving a file with encryption, which uses SHA-1 keyed to AES-256. The latter, while not as good as a PBKDF style encryption is certainly nothing to sneeze at and won't be cracked by copy/pasted code. Refer https://en.wikipedia.org/wiki/Microsoft_Office_password_protection – throx Mar 09 '22 at 12:16
  • 2
    @throx admittedly I haven't used excel in over 5 years but I thought it was possible to password protect the workbook, thus the user will be prompted to enter the password upon opening it? Is that possible? (if not, I wonder what the asker is referring to when they say the "excel sheet protected with password".) – stevec Mar 09 '22 at 12:24
  • 5
    @stevec: Unfortunately, the terminology is a bit misleading. There are [multiple ways](https://support.microsoft.com/en-us/office/protection-and-security-in-excel-be0b34db-8cb6-44dd-a673-0b3e3475ac2d) of "protecting data" in an Excel sheet. throx (and most likely the OP) is talking about **file encryption**, which [uses strong crypto in Excel 2016 and above](https://en.wikipedia.org/wiki/Microsoft_Office_password_protection). ... (1/2) – Heinzi Mar 09 '22 at 20:57
  • 4
    ...On the other hand, your Google link talks about worksheets locked for editing, which even Microsoft confirms is ["not intended as a security feature"](https://support.microsoft.com/en-us/office/protect-a-worksheet-3179efdb-1285-4d49-a9c3-f4ca36276de6). Both of these features allow you to "set a password", but they are completely different w.r.t. security. (2/2) – Heinzi Mar 09 '22 at 20:58
  • 1
    This is incorrect, look at @Heinzi answer. – WoJ Mar 11 '22 at 19:40
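Heinzi's answer separates Excel's file encryption (an encrypted package in a compound file) from worksheet/workbook locking (an XML element inside a plain ZIP), and the comments under stevec's answer show how easily the two get conflated. The triage helper below is an added example, not code from the thread: it inspects a spreadsheet's raw bytes and reports which kind of "protection" it carries, using constructed sample files (the cell value `hunter2` and the hash attribute `CC3D` are made up, and the "encrypted" sample only mimics the container layout).

```python
import io
import zipfile

# OLE2 Compound File magic: Office writes a password-encrypted OOXML file as a
# compound file holding an EncryptedPackage stream, not as a plain ZIP.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # stream names are UTF-16LE


def classify_spreadsheet(data: bytes) -> str:
    """Return 'encrypted', 'locked-only', 'unprotected' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        # Encrypted package: real at-rest encryption (its strength depends on the
        # Office version). Other compound files are legacy .xls, not examined here.
        return "encrypted" if ENCRYPTED_PACKAGE in data else "unknown"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    # A plain ZIP: every cell is stored in clear text, and a "Protect Worksheet"
    # or "Protect Workbook" password only adds an XML element.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/") and name.endswith(".xml"):
                xml = zf.read(name)
                if b"<sheetProtection" in xml or b"<workbookProtection" in xml:
                    return "locked-only"
    return "unprotected"


def cleartext_visible(data: bytes, secret: str) -> bool:
    """True if `secret` can be read from the file without supplying any password."""
    if not data.startswith(ZIP_MAGIC):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(secret.encode() in zf.read(n) for n in zf.namelist())


def build_sample_xlsx(locked: bool) -> bytes:
    """Constructed sample: a minimal ZIP laid out like an .xlsx whose single cell
    holds the made-up password 'hunter2', optionally with worksheet locking."""
    protection = '<sheetProtection sheet="1" password="CC3D"/>' if locked else ""
    sheet = ("<worksheet>" + protection + '<sheetData><row r="1"><c r="A1" '
             't="inlineStr"><is><t>hunter2</t></is></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook><sheets/></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def build_sample_encrypted() -> bytes:
    """Constructed stand-in for a password-encrypted .xlsx: the OLE2 header plus
    an EncryptedPackage stream name (no real cipher, but enough for triage)."""
    return OLE2_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE + b"\x00" * 64
```

Run `classify_spreadsheet` over the bytes of a real file to see whether a "password-protected" sheet is actually encrypted at rest or merely locked, and `cleartext_visible` to confirm that a locked-only workbook still exposes its cell contents.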
6

Probably not, but it depends on your threat model.

What are you trying to protect AGAINST?

If your main concern is that you forget passwords and that some low-level attacker might get them, then you may be ok. If you want to be safe from anyone with even some skill, then no. Excel is not safe.

A password manager is probably the better solution, and you didn't explain why you don't want that.

The next best solution if you need to store the passwords somewhere is to store them physically, on a piece of paper in a safe. The number of potential attackers drops dramatically as soon as physical intrusion is required. Again, details depend on your threat model.

Tom
1

This is not safe for the reasons stated in other answers, however a quick alternative for the same stuffy office environments where Excel is being used is often to pack the spreadsheet into an archive (such as the ZIP format), encrypting that with a password.

This is quite secure, though it requires a long passphrase and reasonable choice of encryption (consider AES128), as it trivially permits offline attacks against the file (while an online password manager will not).

ti7
  • 1
    In the post-quantum world AES-128 would practically become AES-64 which is easy to crack, so at least AES-256 should be used... – Sir Muffington Mar 09 '22 at 20:56
  • 2
    @SirMuffington definitely! .. however, if one is relying on Microsoft Windows and its wild-and-wacky office suite to defend against IBM/Mossad/Alphabet Folk's undisclosed quantum technology, they certainly have worse problems, and may also need a 3rd-party software (7-zip) to get better schemes (which is often not feasible, while Windows has a stock zip tool supporting no more than AES-128 (please correct me if I am wrong!)) – ti7 Mar 09 '22 at 21:26
-3

As a counterpoint to the intuitive "no, Excel is not a password manager" I'd like to present a threat model in which the Excel-stored password is safer.

Most scenarios in which Excel-vs-password-manager makes a difference involve an attacker accessing your system (password-encrypted Excel sheets are only protected at rest, etc.). In such a case, it would be trivial to search for e.g. Keepass files.

$ find / -type f -exec file {} \; | grep Keepass
/home/appelbaum/.well-hidden.kbd: Keepass password database 2.x KDBX

Finding Excel files is no harder, but with Excel files:

  1. The value of the file is not obvious. The attacker might not think to look for the passwords in an Excel file, especially if the target is tech-savvy and there are decoy Keepass files on the system.
  2. There could plausibly be hundreds of Excel files, making it difficult to determine which could contain valuable information.
  3. Excel is a proprietary format, notoriously difficult to implement 100%. Automated tools might be able to sniff many ways of hiding data in Excel, but only MS Excel implements all of it. You could probably find a way to obfuscate the data in an Excel cell that is not obviously either a password or protected somehow. Automated tools might find encrypted files or protected cells, but they won't suspect that Mary's birthday was last Thursday encodes the password Znel'foveguqnljnfynfgGuhefqnl.

All these considerations apply to a file stored on Google Drive or other cloud platform as well. In fact, if the attacker is a state actor and can subpoena Google, the last point becomes even more poignant.

dotancohen
  • 1
    ‘Excel is a proprietary format’ Only if you’re using legacy formats, which would translate to functionally useless encryption. OOXML (used for xlsx) is formally standardized as both ECMA-376 and ISO/IEC 29500, and there are plenty of third-party implementations of both (such as LibreOffice). – Austin Hemmelgarn Mar 10 '22 at 13:20
  • 7
    This doesn't explain why finding Keepass files is a problem. If they are infeasible to crack, which they should be, then you can hand the file to the attacker and they wouldn't be able to do anything with it. – nasch Mar 10 '22 at 21:54
  • 2
    @nasch I am not sure I agree with this answer, but it is interesting to think about other threat models. If you hand a keepass file to an attacker, they might be able to get a judge to order you to decrypt it. – emory Mar 11 '22 at 11:44
  • 1
    @AustinHemmelgarn: OOXML explicitly states some behaviour as to be implemented "As MS Office behaves", referring to the closed-source software. This, and the fast-track standards approval, were major factors in opposition to the standard. – dotancohen Mar 11 '22 at 14:32
  • @nasch Infeasible to crack? Depends on who is doing the cracking. I wouldn't bet my free life on the NSA not being able to crack it. – dotancohen Mar 11 '22 at 14:33
  • 6
    @emory Except, if someone can get a judge to force you to do something, they could just as well force you to hand over all your passwords and save themselves the trouble of having to look for the file in the first place. This answer is just security by obscurity, and I'm struggling to think of any threat model where it would provide any tangible advantage. – nobody Mar 11 '22 at 20:21
  • 2
    Hiding in a less secure storage model hardly seems wise (see [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity)), especially since the filename probably looks like `passwords.xlsx`. If you want protection from this sort of attack, fortify the pw db first, then consider obfuscation (like an encrypted zip). – Adam Katz Mar 11 '22 at 20:33
  • @dotancohen If the NSA could possibly crack it, then it is not very strongly encrypted. Or else the NSA has discovered math that nobody else knows about. – nasch Mar 12 '22 at 15:28
  • 1
    Breaking news: When [Lapsus$ breached Okta](https://www.wired.com/story/okta-hack-microsoft-bing-code-leak-lapsus/ "'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack"), they [found a spreadsheet of passwords](https://techcrunch.com/2022/03/28/lapsus-passwords-okta-breach/ "Lapsus$ found a spreadsheet of passwords as they breached Okta, documents show"). – Adam Katz Mar 29 '22 at 16:07