A while back I posted an entry about Excel Protect Your Worksheet (or part of it). The entry highlighted the data protection function of Excel. Later I received a comment that was rather explicit about how this protection is really useless from a security perspective.
Well, that was intriguing and made me look closer at this comment. It looks like the weakness in the password protection is a well-known fact, and many tools and workarounds have been developed to simply ignore the password protection altogether and allow any user to “hack” the Excel content and edit the protected content with no problem at all. And just to highlight the severity again: yes, you do not need to know the original password to make use of these techniques. Really. Really really. No prior knowledge of the password is needed!
My favorite is this Do-It-Yourself suggestion called How to Unprotect an excel sheet without password. In this proposal you just need to switch to the VBA code editor (for newbies see the full entry for instructions) and copy/paste the following code:
    Sub BreakThePassword()
        'Break the active worksheet password protection
        On Error Resume Next
        For a1 = 65 To 66: For a2 = 65 To 66: For a3 = 65 To 66
        For a4 = 65 To 66: For a5 = 65 To 66: For a6 = 65 To 66
        For a7 = 65 To 66: For a8 = 65 To 66: For a9 = 65 To 66
        For a10 = 65 To 66: For a11 = 65 To 66
        For n = 32 To 126
            ActiveSheet.Unprotect Chr(a1) + Chr(a2) + Chr(a3) + _
                Chr(a4) + Chr(a5) + Chr(a6) + Chr(a7) & Chr(a8) + _
                Chr(a9) + Chr(a10) + Chr(a11) + Chr(n)
            If ActiveSheet.ProtectContents = False Then
                MsgBox "The Active Sheet is now unprotected!"
                Exit Sub
            End If
        Next
        Next: Next: Next: Next: Next
        Next: Next: Next: Next: Next: Next
    End Sub

Once done, just execute this sub and you are done. The Excel content is open for updating. No password is needed!
Ok, now it is time for a summary. Excel Data Protection (with or without password) is a useful feature for team collaboration. From a usability perspective, it is very easy to set up and to clearly define the portions of the worksheet that everyone can and should edit vs. the parts they should not.
But, and this is a big but, it is not a security tool. A person with malicious intent can very easily break this limitation, cancel the data protection definition, and make updates to whatever data element he/she wants.
In other words, Excel Data Protection is a collaboration feature and not a security control.
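To find out where a team is leaning on this feature as if it were a control, the audit below lists every worksheet in an .xlsx package and reports how its protection is stored. It is an added example, not code from the original entry; the element and attribute names (sheetProtection, password, algorithmName, hashValue) are taken from the Open XML spreadsheet schema rather than from this page, and the sample workbook is constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, consider defusedxml instead

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_sheet_protection(xlsx_bytes):
    """Return (part name, finding) for every worksheet part in the package.

    Whatever the finding, sheet protection is an edit lock, not encryption:
    the worksheet XML inside the zip is stored unencrypted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            if not re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                continue
            prot = ET.fromstring(pkg.read(name)).find(NS + "sheetProtection")
            if prot is None:
                findings.append((name, "unprotected"))
            elif prot.get("hashValue"):
                algo = prot.get("algorithmName", "?")
                findings.append((name, "salted hash: " + algo))
            elif prot.get("password"):
                # Legacy scheme: the attribute holds only a 16-bit hash.
                findings.append((name, "legacy 16-bit hash"))
            else:
                findings.append((name, "protected, no password"))
    return findings

def build_sample():
    """Constructed sample: only the worksheet parts the audit reads."""
    def sheet(protection):
        return ('<worksheet xmlns="http://schemas.openxmlformats.org/'
                'spreadsheetml/2006/main"><sheetData/>%s</worksheet>' % protection)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet(""))
        z.writestr("xl/worksheets/sheet2.xml",
                   sheet('<sheetProtection password="ABCD" sheet="1"/>'))
        z.writestr("xl/worksheets/sheet3.xml",
                   sheet('<sheetProtection algorithmName="SHA-512" '
                         'hashValue="AAAA" saltValue="AAAA" '
                         'spinCount="100000" sheet="1"/>'))
    return buf.getvalue()

if __name__ == "__main__":
    for part, finding in audit_sheet_protection(build_sample()):
        print(part, "->", finding)
```

Any sheet that turns up here and holds data that must not be altered needs a real control behind it, such as file-level encryption or access restrictions on the file itself.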