About Word® and Excel® encryption


Microsoft Word® and Microsoft Excel® support three levels of document/workbook protection. The user who creates a document or workbook has read/write permission to a document and controls the protection level. The three levels of document protection are:


File open protection. Word®/Excel® requires the user to enter a password to open a document.

File modify protection. Word®/Excel® requires the user to enter a password to open the document with read/write permission. If the user clicks Read Only at the prompt, Word®/Excel® opens the document as read-only.

Read-only recommended protection. Word® prompts the user to open the document as read-only. If the user clicks No at the prompt, Word®/Excel® opens the document with read/write permission, unless the document has other password protection.


In addition to protecting an entire Word® document, you can also protect specific elements (tracked changes, comments and forms) from unauthorized changes. For Excel®, you can protect a worksheet and the contents of locked cells, the structure of a workbook, windows in a workbook and cells or formulas on a worksheet, or items on a chart sheet. Finally, you can prevent users from viewing code by locking the VBA project.


All protections except File open protection are not secure at all: the password can be either recovered or removed (changed) instantly, and they are not supported by AOPB at all.


If File open protection is being used, Word® and Excel® encrypt password-protected documents by using the symmetric encryption routine known as RC4. In old versions of Microsoft Office (prior to Office 97, i.e. Office 95, Office 6.0 etc.), however, the implementation was weak and allowed the password to be extracted (decrypted) as well; such files are also not supported by AOPB.


For Word® and Excel® 97/2000 files (and also Word®/Excel® XP/2003, if Office 97/2000 Compatible Encryption is used), File open protection is good enough; at least, the password cannot be recovered instantly, and until now, the only methods to break it were brute-force and dictionary attacks. However, these methods fail if the password is long enough and well selected (i.e. cannot be found in a common dictionary): it would take years to recover it. This is the only type of protection AOPB supports, by using a new method: searching for the encryption key instead of the password (see next chapter).


Microsoft Office XP introduces a new encryption method, based on Cryptographic Service Providers; for files encrypted that way, AOPB will not help either.


So if AOPB shows a message that such files are not supported (when you try to start the attack), read the Files/passwords that are not supported chapter for details on what to do.