Linker IT Software
Order Home
menubar-top-links menubar-top-rechts
ExcelLock: Locking and securing your valuable Excel spreadsheets.

SQL*XL: Database to Excel bridge

litLIB: Excel power functions pack

Home Products EncOffice

Buy now Download now EncOffice

How safe is Excel encryption. Is it really secure?

  • Yes, encryption in Excel 2002 and 2003 IS secure if you know what you are doing.
  • Encryption in Excel 2007 is secure only for ".docx". For ".doc" it's NOT secure with default settings
  • Encryption in Excel 2002 and 2003 is NOT secure when used with default settings.
  • Encryption in Excel 95, 97 and 2000 is NOT secure at all.

ExcelLock
Locking and securing Excel files
  

Locking and securing Excel spreadsheets

  Learn All about ExcelLock.

EncOffice:
Easy and Safe Encryption of Excel Files  

Encrypt 
                    button in Excel

 Learn All about the "Safe Encrypted" button.

 

How safe is Excelencryption. Is Excel encryption really secure?

  1. Strength of encryption algorithm
  2. Strength of password
  3. Password crackers
  4. How much time is needed to crack a password by brute-force?
  5. Is Excel encryption really secure?
This article describes the strength of Excelencryption. Excelencryption is achieved by setting a "password to open". The security level in Excel 2002 and 2003 depends on strength of encryption algorithm and strength of password.

Strength of encryption algorithm

In Excel 95, 97 and 2000 the encryption method contains vulnerabilities. This means that the document can be decrypted within 10 seconds without knowing the password. There are password crackers that even offer online services to do this.

In Excel 2002 and 2003, the default encryption method is "97/2000 compatible", which means that the same insecure encryption method is used.

Fortunately there is a solution. To achieve good encryption, one has to select a strong encryption method. This is done by clicking the "Advanced" button next to the "Password to open" field. A list of available Crypto Service Providers (CSP's) appears.

Choose encryption type with strong encryption capacity in 
            
            Excel; Choose encryption type with strong encryption capacity in Excel

Here select a CSP with at least 128 bits RC4, like the "Microsoft Enhanced Cryptographic Provider v1.0". 128 bits encryption is considered strong encryption. RC4 is widely used, for example by Online Banking Systems and in PDF encryption.

Strength of password

If the encryption method is strong, the only way for a cracker to break the document security is by trying to find the password. It's important to know the difference between weak and strong passwords.
  • A weak password is easy to guess or quick to crack.
  • A strong password is hard to guess but easy to remember. It has enough length and complexity.

Password crackers

Password crackers are automated tools dedicated to finding passwords. Usually the steps are:
  1. password guessing
    • name of partner, child, pet animal, holiday destination, date of birth, etc. Someone who knows you is able to guess your password!
    • Simple words or given names combined with the numbers of the month are considered weak as well, e.g. "welcome01", "Alex11", etc.
  2. dictionary attack (trying all words from a dictionary list, e.g. list of names)
    • "qwerty", "letmein", "Aaron",
  3. brute force attack (if nothing else works: try every possible combination of characters) .
    • "a", "b", "c", .., "aa", "ab", "ac", .. , "a1", "a$", "a{", etc.
    • Short passwords (less than 5 characters) are weak because the number of possible combinations is limited. These short passwords can be cracked within seconds.

How much time is needed to crack a password by brute-force?

If the password cannot be guessed and is not found in a dictionary, the cracker has to try a brute-force attack. When brute-forcing, the time to crack the password depends on the amount of possible passwords that the cracker has to try. The amount of possible passwords increases with password length and with increasing diversity of characters being used (complexity).

Let's take the scenario of a cracker trying 15 million passwords per second. This is currently the maximum speed being claimed by password cracker vendors. You need a pretty fast computer to achieve this. The following table shows the computed time to crack a password with 15 million tries per second. Notice the incredible increase in time to try all possible combinations when password length and complexity increase.

length: 4, complexity: a-z==> less than 1 second
length: 4, complexity: a-zA-Z0-9 + symbols==> 4.8 seconds
length: 5, complexity: a-zA-Z==> 25 seconds
length: 6, complexity: a-zA-Z0-9==> 1 hour
length: 6, complexity: a-zA-Z0-9 + symbols==> 11 hours
length: 7, complexity: a-zA-Z0-9 + symbols==> 6 weeks
length: 8, complexity: a-zA-Z0-9==> 5 months
length: 8, complexity: a-zA-Z0-9 + symbols==> 10 years
length: 9, complexity: a-zA-Z0-9 + symbols==> 1000 years
length: 10, complexity: a-zA-Z0-9==> 1700 years
length: 10, complexity: a-zA-Z0-9 + symbols==> 91800 years

What we see is that:
  • any password shorter than 5 characters can be cracked within 5 seconds
  • any password shorter than 7 characters can be cracked within a day.
  • With the password length of 9, the cracking time goes to hundreds of years. In most cases this can be considered acceptable while mostly we need to keep a secret for a maximum of 30 years.
To be on the safe side, we recommend a minimum password length of 10 characters.

Note: the crack times mentioned in the table are needed to try all the possible passwords. There is a great chance that the cracker only needs 50% of this time. Also bear in mind that a cracker can always have a lucky shot at his first try and crack the password immediately. The chance is very small, but theoretically it is possible.

Is Excel encryption really secure?

Yes, encryption in Excel 2002 and 2003 is really secure if you select
  • a good Crypto Service Provider
  • a strong password (combination of charactersets with min. length of 10)
To assist you in creating proper secured Exceldocuments EncOffice is recommended. EncOffice adds an encryption button to MS-Excel that makes all the complex security decisions for you and helps in creating a strong password.

EncOffice helps to create a really secure Excel file.
Just click on the "Safe Encrypted" button.

Encrypt button in Excel

You can open the encrypted spreadsheet with a standard Excel version
Download free trial