Hacking Excel Password Protection

A while back I posted an entry about Excel Protect Your Worksheet (or part of it). The entry highlighted the data protection function of Excel. Later I received a comment that was rather explicit about how this protection is really useless from a security perspective.

Well, that was intriguing and made me look closer at this comment. It looks like the weakness in the password protection is a well-known fact, and many tools and workarounds were developed to simply ignore the password protection altogether and allow any user to “hack” the Excel content and edit the protected content with no problem at all. And just to highlight again the severity: yes, you do not need to know the original password to make use of these techniques. Really. Really really. No prior knowledge of the password is needed!

My favorite is this Do-It-Yourself suggestion called How to Unprotect an excel sheet without password. In this proposal you just need to switch to the VBA code editor (for newbies see the full entry for instructions) and copy/paste the following code:

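Sub BreakThePassword()
    'Break the active worksheet password protection
    Dim a1 As Integer, a2 As Integer, a3 As Integer, a4 As Integer
    Dim a5 As Integer, a6 As Integer, a7 As Integer, a8 As Integer
    Dim a9 As Integer, a10 As Integer, a11 As Integer, n As Integer
    'A rejected candidate raises an error; ignore it and keep going
    On Error Resume Next
    'Candidates are 12 characters long: eleven of "A"/"B" plus one printable ASCII character
    For a1 = 65 To 66: For a2 = 65 To 66: For a3 = 65 To 66
    For a4 = 65 To 66: For a5 = 65 To 66: For a6 = 65 To 66
    For a7 = 65 To 66: For a8 = 65 To 66: For a9 = 65 To 66
    For a10 = 65 To 66: For a11 = 65 To 66
        For n = 32 To 126
            ActiveSheet.Unprotect Chr(a1) & Chr(a2) & Chr(a3) & _
                Chr(a4) & Chr(a5) & Chr(a6) & Chr(a7) & Chr(a8) & _
                Chr(a9) & Chr(a10) & Chr(a11) & Chr(n)
            If ActiveSheet.ProtectContents = False Then
                MsgBox "The Active Sheet is now unprotected!"
                Exit Sub
            End If
    'One Next for each of the 12 loops opened above
    Next: Next: Next: Next: Next: Next
    Next: Next: Next: Next: Next: Next
End Sub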

Once done, just execute this sub and you are done. The Excel content is open for updating. No password is needed!

Ok, now it is time for a summary. Excel Data Protection (with or without password) is a useful feature for team collaboration. From a usability perspective it is very easy to set up and to clearly define the portions of the worksheet that everyone can and should edit vs. the parts they should not.

But, and this is a big but, it is not a security tool. A person with malicious intention can very easily break this limitation and cancel the data protection definition and make updates to whatever data element he/she wants.

In other words, Excel Data Protection is a collaboration feature and not a security control.
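To see which workbooks in a share lean on this feature, the following added example (not code from the original post) audits an .xlsx package and reports how each worksheet is protected and how many cells remain readable without any password. The function names, scheme labels and the sample package with made-up hash values are assumptions constructed for illustration; the attribute names come from the SpreadsheetML `sheetProtection` element.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer a hardened parser such as defusedxml

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_sheet_protection(xlsx_bytes):
    """Report, per worksheet part, how it is protected and how many cells are still readable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(pkg.read(name))
            prot = root.find(NS + "sheetProtection")
            if prot is None:
                scheme = "none"
            elif prot.get("hashValue"):
                scheme = "salted-hash:" + prot.get("algorithmName", "unknown")
            elif prot.get("password"):
                scheme = "legacy-16-bit-hash"  # attribute holds only a 16-bit value
            else:
                scheme = "flag-only"  # protected with no password at all
            findings.append({
                "part": name,
                "scheme": scheme,
                # Cell elements parse without any password: protection does not encrypt.
                "readable_cells": len(root.findall(f".//{NS}c")),
            })
    return findings

def build_sample():
    """Constructed sample: worksheet parts only, with made-up hash values."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    data = '<sheetData><row r="1"><c r="A1"><v>42</v></c></row></sheetData>'
    protections = {
        "sheet1": '<sheetProtection password="ABCD" sheet="1"/>',
        "sheet2": '<sheetProtection algorithmName="SHA-512" hashValue="Q09OU1RSVUNURUQ=" '
                  'saltValue="U0FMVA==" spinCount="100000" sheet="1"/>',
        "sheet3": "",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for sheet, prot in protections.items():
            pkg.writestr(f"xl/worksheets/{sheet}.xml", f"<worksheet {ns}>{data}{prot}</worksheet>")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_sheet_protection(build_sample()):
        print(finding)
```

Any sheet reported with a scheme other than `none` relies on an edit lock rather than an access control, because its cell data was read here without supplying a password.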


Author: dave

I consider myself a kid in soul and naive by choice. I am interested in people, technology and business and thrive when they all work together. My favorite quote and motto is that “You can fool some people sometimes but you can’t fool all the people all the time” ― Bob Marley
