
I have a need to send a 3rd party regular Excel files.

I currently use Excel password protection on the file itself and the password I use is known by the 3rd party.

However, today I read a thread on this forum that appears to say it is unsafe to password-protect an Excel file. But this is counter to my understanding because I believe Excel uses 256-bit AES encryption which is currently unbreakable.

However the thread also talks about individual features of Excel and I am finding it difficult to separate the file password encryption from the feature protection, like protect a sheet in a workbook or cell protection.

So can someone advise if I place a password on the file such that it can not be opened, is it safe (within the limits of 256-bit encryption) or not?

BTW, I am using M365. I am not bothered by over-the-shoulder or cut-and-paste hacks, as that is the 3rd party's problem from a data protection point of view.

schroeder
Iain
  • "is it safe" -- from what? The Answers on the thread you linked appear to answer your question directly unless there is a particular threat that you have not disclosed. – schroeder Oct 25 '22 at 14:41
  • Older versions of Office used weak encryption, which may explain why there are warnings against relying on it. But such advice is outdated; Office has used decent encryption since 2007. – paj28 Oct 25 '22 at 15:23
  • Schroeder, clearly wasn't good enough for me, but the answer from ThoriumBR provided exactly what I needed to know. – Iain Oct 26 '22 at 15:31

2 Answers


Properly implemented AES-256 encryption is, at this time, unbreakable. File password protection seems to be built on this and should be fine.

Feature protection seems to be a function of the editor, not backed by cryptography; it therefore should not be trusted for security.

If one is unsure of the security of encryption features in a program, putting a file in an encrypted zip is always an option.

foreverska

AES-256 is the gold standard when it comes to symmetric encryption. However, the caveat here is the strength of the key.

If the key used is a 256-bit randomly generated key generated by a CSPRNG, then AES-256 is highly resistant to brute force attacks.

However, if the encryption key is derived from a password, as is the case with Excel, then the weak links here are:

  • the strength of the password
  • the strength of the password derivation function that is used to derive the encryption key from the password

According to this answer on crypto.stackexchange.com, modern versions of Excel use 50,000 rounds of salted SHA256 hashing to derive an encryption key from a password.

Nowadays, hashing rigs built using a few thousand dollars worth of ASIC hardware can do over 100 tera-hashes per second. So, such a rig would be able to attempt cracking the Excel file at the rate of about 2 billion passwords per second (100T / 50,000 = 2 billion).

So, if the password is on a password list (such as rockyou.txt), the password would be cracked in a matter of seconds.

As another way of looking at it, consider a password 8 characters long, consisting of uppercase letters, lowercase letters, and digits (i.e. each character could be one of 62 possible symbols). Such a password would have 2.18 × 10^14 possible combinations (62^8 = 2.18 × 10^14). A rig like the one above could crack this password in a little over a day (2.18 × 10^14 / 2000000000 = 109170 seconds = ~1.2 days).

ThoriumBR
mti2935
  • That is an excellent answer, thank you, exactly what I needed. Whilst I profess the password could be better, at 13 characters long with a mixture of characters, I believe the security is good enough for anything, except a determined attack. :-) – Iain Oct 26 '22 at 15:26
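
The estimate in mti2935's answer, worked through as an added example that is not part of the original posts: a simplified model of an iterated salted SHA-256 derivation, plus the keyspace arithmetic for the 8-character case and for a 13-character password. The 100 TH/s rate and 50,000 rounds are the answer's figures; the hash chaining layout, the UTF-16LE password encoding, the salt value and the 62-symbol alphabet for the 13-character case are assumptions, and this is not Office's complete key derivation.

```python
import hashlib
import struct

SPIN_COUNT = 50_000          # rounds of hashing per password guess (from the answer)
RIG_HASH_RATE = 100e12       # 100 tera-hashes per second (from the answer)
SECONDS_PER_YEAR = 365.25 * 86400


def spin_hash(password: str, salt: bytes, spin_count: int = SPIN_COUNT) -> bytes:
    """Iterated salted SHA-256 (assumed layout): H0 = H(salt || pw), Hn = H(le32(n) || Hn-1)."""
    h = hashlib.sha256(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.sha256(struct.pack("<I", i) + h).digest()
    return h


def guesses_per_second(hash_rate: float, spin_count: int = SPIN_COUNT) -> float:
    """Each guess costs spin_count hashes, so the guess rate is hash_rate / spin_count."""
    return hash_rate / spin_count


def seconds_to_exhaust(alphabet: int, length: int,
                       hash_rate: float = RIG_HASH_RATE,
                       spin_count: int = SPIN_COUNT) -> float:
    """Worst-case time to try every password of exactly `length` symbols."""
    return alphabet ** length / guesses_per_second(hash_rate, spin_count)


def report(alphabet: int, lengths) -> list:
    """Return (length, keyspace, seconds, years) rows for each password length."""
    rows = []
    for n in lengths:
        secs = seconds_to_exhaust(alphabet, n)
        rows.append((n, alphabet ** n, secs, secs / SECONDS_PER_YEAR))
    return rows


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt, not taken from a real file
    print("derived:", spin_hash("correct horse", salt).hex())
    print(f"guess rate: {guesses_per_second(RIG_HASH_RATE):.3g} passwords/s")
    for n, space, secs, years in report(62, (8, 10, 13)):
        print(f"len {n:2d}: {space:.3g} candidates, {secs:.3g} s (~{years:.3g} years)")
```

The model only covers exhaustive search of random passwords; a password that appears on a wordlist falls at the guess rate regardless of its length.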