MS Word Password Protection - Is it really next to useless?

[Hulk]

I see programs that can "instantly" find the password in an MS Word program. This doesn't give me a secure feeling about the files I password protect on my computer using Word. Is this true?

I have WinRar and I hear the encryption technology is much better on this one and I should compress my vital documents using Winrar and a password.

The Winrar way is kind of a pain in the butt since there are a couple extra steps to recover and save the file every time I need to modify or view it.

Any ideas?

 

[DaveSimmons]

Ask yourself:

1. Are your documents so sensitive that you really need to protect them with passwords?
2. How likely are you to lose the password(s) you use to protect them?

There are posts here every few weeks from people frantic to crack their own password-protected folders or archives when they've lost the password after a year. With WinRAR if it's a good password you'll lose your contents forever.

 

[Mark R]

To be fair, the encryption used in Word (and other office programs) is pretty good. The reason that it's possible to recover the password in seconds or minutes is because the password is the weak link.

Modern cracking programs can try millions of passwords a second - armed with multi-language dictionaries, statistics about what sequences of letters and numbers often come together, etc. - passwords are much weaker than people realise.

If you use a password like: r&J38(*65k=krorH8+{, or you use a series of unrelated words like: assay/dog/foxglove/junction/cloud/kangaroo/impressionist/chair then no cracker will stand a chance.

Yes RAR uses a more advanced, stronger encryption algorithm - but if you use a poor password, then it won't help you.

 

[nsafreak]

Originally posted by: Mark R
To be fair, the encryption used in Word (and other office programs) is pretty good. The reason that it's possible to recover the password in seconds or minutes is because the password is the weak link.

Modern cracking programs can try millions of passwords a second - armed with multi-language dictionaries, statistics about what sequences of letters and numbers often come together, etc. - passwords are much weaker than people realise.

If you use a password like: r&J38(*65k=krorH8+{, or you use a series of unrelated words like: assay/dog/foxglove/junction/cloud/kangaroo/impressionist/chair then no cracker will stand a chance.

Yes RAR uses a more advanced, stronger encryption algorithm - but if you use a poor password, then it won't help you.

Complex passwords themselves aren't the last word when it comes to protecting Word files. It isn't because people don't use complex enough passwords on their files it's that the implementation of password protection on Word is so weak. I would be willing to bet that you could password a file, email it to me and no matter how complex the password is I'd have the file open within a minute.

And if you think I'm kidding think about this little fact. I can have administrative access to a PC within minutes whether its running Windows 2000 or XP. It is very, very easy to bypass Windows security if you know what you are doing.

 

[Goosemaster]

Originally posted by: Mark R

Modern cracking programs can try millions of passwords a second

I did not know that:Q

 

[TheRyuu]

EVERY password can be cracked, it's just how long thats the problem.

NOTHING is truely secure. I think the most common advice is make it secure enough so that no one will try. So if you use a super complex password, no one will try.

 

[Mark R]

It's worth pointing out that MS enhanced the protection in office XP. Certainly, I've not come across any program, or online service, that will make even a credible attempt at word documents using 'advanced' encryption.

The only way offered to break this encryption is to brute-force search passwords. The advanced schemes are *much* slower to test (tens of thousands/sec instead of millions). If you use a strong password, and select 128 bit encryption - you can pretty much forget any hope of ever recovering the password.

In Word 2003, you can enable advanced encryption by going to: Tools -> Options -> Security -> Advanced then select 'RC4, Microsoft Enhanced cryptographic provider'. Of course, you lose compatability of older versions of word (97, 2000 and before).

If this encryption really can be broken, I damn well want to know about it.

The older versions of word, use a well designed, but deliberately weakened encryption system - It uses the RC4 system, but limited to a 40 bit key (to comply with the then US export restrictions).

40 bits is quite a limitation - but is still a lot stronger than most passwords. At 1 million key attempts per second, your still looking at 1-2 weeks to crack one file. That should keep most amateurs out, but won't stop law enforcement, or someone really determined.

 

[YoshiSato]

Originally posted by: Mark R
To be fair, the encryption used in Word (and other office programs) is pretty good. The reason that it's possible to recover the password in seconds or minutes is because the password is the weak link.

Modern cracking programs can try millions of passwords a second - armed with multi-language dictionaries, statistics about what sequences of letters and numbers often come together, etc. - passwords are much weaker than people realise.

If you use a password like: r&J38(*65k=krorH8+{, or you use a series of unrelated words like: assay/dog/foxglove/junction/cloud/kangaroo/impressionist/chair then no cracker will stand a chance.

Yes RAR uses a more advanced, stronger encryption algorithm - but if you use a poor password, then it won't help you.

I few years ago I read that Word stores the password in Open readable text. Not very secure if your ask me.

 

[Mark R]

Originally posted by: YoshiSato
I few years ago I read that Word stores the password in Open readable text. Not very secure if your ask me.

I don't think it ever did - however, I think very old versions stored a 'write-protection' password in a very weakly encrypted format. In practice, this is of little concern to most people, as it doesn't protect confidential data, it merely prevents people accidentally changing documents.

I'm fairly sure that the 'open' passwords have never been stored in the file, in any format. However, very old versions (pre 95) may have used a weak encryption method, which could probably be cracked in seconds, regardless of password strength.

Word 97 and 2000 used an industry standard encryption method, but a crippled key (US government requirements at that time). Again, the password isn't stored in the file. When you enter a password, word tries to decrypt the file - if it just gets garbage, it assumes the password is wrong.

Word XP and 2003 have the option of using high-strength 128 bit encryption.

 

[DayLaPaul]

Originally posted by: nsafreak
I would be willing to bet that you could password a file, email it to me and no matter how complex the password is I'd have the file open within a minute.

anyone willing to accept his challenge?

 

[Mark R]

Originally posted by: DayLaPaul

Originally posted by: nsafreak
I would be willing to bet that you could password a file, email it to me and no matter how complex the password is I'd have the file open within a minute.

anyone willing to accept his challenge?

Anyone who wants to try is welcome to download this word file and try to retrieve the secret message.

I'm not sure I can afford to give a prize, but you will get incredible geek street cred as an uber hacker extraordinaire.

Word doc