Don’t Forget the Document Password!

Some interesting tidbits from the password crackers:

  • Word 2007 and Excel 2007 use an industry-strength AES encryption algorithm that makes password search speed slow: 20-100 passwords per second on an average PC.
  • Word 97-2003 and Excel 97-2003 use an industry-strength RC4 encryption algorithm that makes instant password calculation impossible. Office Key finds the password by checking millions of passwords per minute.

They left out that PowerPoint works the same way, and that the password to modify in Word and PowerPoint 2007 is just as expensive to crack as the encryption password. The modify protection itself is trivially removed, since it is only a verifier hash stored in the file rather than encryption, but recovering the password behind it costs the same iterated hashing per guess – you can ditch the modify protection, but have fun getting the password.

Then there's this (

"Microsoft Office document security is considerably enhanced in version 2007. The encryption information block is the same as in Office XP/2003, but Office 2007 always uses AES encryption (the strongest industry-standard algorithm available) with a 128-bit key and SHA-1 hashing; besides, the new version improves the algorithm for converting passwords into keys: 50,000 sequential SHA-1 iterations are now performed. You would never notice it when opening a file because the whole process requires less than a second. But in a password recovery process, the speed drops significantly: one can test only about 500 passwords per second even on cutting-edge processors such as the Intel Core 2 Duo. Thus, one computer can find 4-5 letter passwords only, and so the only way to recover longer passwords to Office 2007 documents is using a cluster. 1000 computers are able to maintain a speed of 500,000 passwords per second -- comparable to the speed of password recovery on a single computer for older Microsoft Office documents."

Really nice to see Office getting positive press for encryption.

Oh – and a fun fact – if you had a cluster of 1000 high-end systems (for comparison, I only get 5 cracks/sec on my laptop) all hammering away at an 8-character alphanumeric (upper and lower case, so 62 symbols) non-dictionary password you gave the document, it would still take 13.8 years to brute force the entire keyspace: 62^8 is about 2.2 × 10^14 candidates, and at 500,000 guesses per second that is roughly 4.4 × 10^8 seconds. That's not factoring in replacing the systems periodically so that Moore's Law can kick in. Also note that 50,000 iterations significantly exceeds the minimum of 1,000 that RFC 2898 (PKCS #5 v2.0) recommends. Oh – and I think the 16 bytes of random salt is going to make rainbow tables really hard…

This is fairly cool, too – create a PowerPoint presentation with a password to modify. Save the file, rename it to .zip, and then open it with WinZip or Explorer. Then check out ppt/presentation.xml. At the bottom, you'll find the modifyVerifier element:

cryptProviderType="rsaFull" cryptAlgorithmClass="hash" cryptAlgorithmType="typeAny" cryptAlgorithmSid="4" spinCount="50000" saltData="0WWz2SJqZG2CLRdSM4yecg" hashData="5X9Wi67Tm07FpoGEIB0ZGUgMsqw" cryptProvider="" algIdExt="0" algIdExtSource="" cryptProviderTypeExt="0" cryptProviderTypeExtSource="" />

It isn't really as agile or fleshed out as I'd like, but this is an example of crypto agility: the hash algorithm (cryptAlgorithmSid), the provider, the spin count and the salt are all parameters stored in the document rather than hard-coded, so a later version can switch to a stronger hash or raise the iteration count without a new file format. Same thing works in Word 2007, too.
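To tie the two halves of this post together, here is an added example (my own code, not anything from the original post or from Microsoft). It parses the attribute list shown above, restores the unpadded base64 salt and hash, and re-implements a salted, spun hash in the style ECMA-376 gives for document protection (H0 = H(salt || password), then Hn = H(Hn-1 || 32-bit little-endian counter) for spinCount rounds). The exact byte order is an assumption taken from that description; the page only shows the attributes, and without the original password the result cannot be checked against the stored hashData. It also carries the brute-force arithmetic from the cluster paragraph, and the "Summer2007" document and candidate list are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import re
import struct

# The attribute list copied from the page's presentation.xml fragment (the modifyVerifier element).
PAGE_FRAGMENT = (
    'cryptProviderType="rsaFull" cryptAlgorithmClass="hash" cryptAlgorithmType="typeAny" '
    'cryptAlgorithmSid="4" spinCount="50000" saltData="0WWz2SJqZG2CLRdSM4yecg" '
    'hashData="5X9Wi67Tm07FpoGEIB0ZGUgMsqw"'
)

# cryptAlgorithmSid follows the ECMA-376 algorithm-id table: 4 is SHA-1, 12/13/14 are SHA-2.
SID_TO_HASH = {4: "sha1", 12: "sha256", 13: "sha384", 14: "sha512"}


def _b64decode_unpadded(text):
    """The saltData/hashData values in the fragment lack '=' padding; restore it before decoding."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_verifier(fragment):
    """Extract algorithm, spin count, salt and stored hash from a modifyVerifier attribute list."""
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', fragment))
    return {
        "algorithm": SID_TO_HASH[int(attrs["cryptAlgorithmSid"])],
        "spin_count": int(attrs["spinCount"]),
        "salt": _b64decode_unpadded(attrs["saltData"]),
        "hash": _b64decode_unpadded(attrs["hashData"]),
    }


def spin_hash(password, salt, spin_count, algorithm="sha1"):
    """Salted, iterated password hash in the style ECMA-376 gives for documentProtection.

    H0 = H(salt || password as UTF-16LE)
    Hn = H(Hn-1 || n as a 32-bit little-endian counter), for n = 0 .. spin_count-1

    Assumption: this byte order is taken from the ECMA-376 description; the page shows only
    the attributes, so the output cannot be checked against its hashData.
    """
    digest = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    for n in range(spin_count):
        digest = hashlib.new(algorithm, digest + struct.pack("<I", n)).digest()
    return digest


def make_verifier(password, spin_count=50000, algorithm="sha1", salt=None):
    """Producer side: a fresh 16-byte random salt plus the spun hash, same shape as parse_verifier()."""
    salt = os.urandom(16) if salt is None else salt
    return {
        "algorithm": algorithm,
        "spin_count": spin_count,
        "salt": salt,
        "hash": spin_hash(password, salt, spin_count, algorithm),
    }


def verify(password, verifier):
    """Consumer side: recompute the spun hash for a candidate and compare in constant time."""
    candidate = spin_hash(password, verifier["salt"], verifier["spin_count"], verifier["algorithm"])
    return hmac.compare_digest(candidate, verifier["hash"])


def dictionary_attack(candidates, verifier):
    """Every guess pays the full spin count; return the matching password or None."""
    for guess in candidates:
        if verify(guess, verifier):
            return guess
    return None


def brute_force_years(charset_size, length, guesses_per_second):
    """Time to exhaust charset_size**length at a fixed guess rate, in 365.25-day years."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    stored = parse_verifier(PAGE_FRAGMENT)
    print(f"{stored['algorithm']}, spinCount={stored['spin_count']}, "
          f"salt={len(stored['salt'])} bytes, hash={len(stored['hash'])} bytes")
    # Constructed document protected with a weak password, to show both sides of the check.
    weak = make_verifier("Summer2007")
    print("found:", dictionary_attack(["password", "letmein", "Summer2007"], weak))
    # The page's scenario: 62-symbol alphabet, 8 characters, 1000 systems at 500 guesses/s each.
    print(f"{brute_force_years(62, 8, 1000 * 500):.1f} years")
```

Running it shows the salt decoding to 16 bytes and the hash to 20 (one SHA-1 output), a dictionary guess that only succeeds after paying 50,000 SHA-1 rounds per candidate, and the 13.8-year figure for the full 62^8 keyspace at 500,000 guesses per second. Raising spin_count in make_verifier is the whole agility story in miniature: the file carries the cost parameter, and every guess has to honour it.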

Comments (1)

  1. AlexKr says:

    Hi David,

    Unfortunately AES security does not really help if you consider distributed approach.

    For example, offers their cluster to recover even office 2007-2010 documents.

    It works in the following way.

    Let's say the average PC gets 100 passwords per second. Then you get 1000 cores working together, that's 100K passwords per second.

    Assuming most of the users are NOT using strong passwords the brute force search will eventually uncover most of the data.

    So it is really a job for a user to use the correct passwords.

    I would even say it is mandatory to have such education about choosing correct passwords.

    Best wishes,


    [dcl] Sure it helps – let's look at the math. An iterated hash can drop your cracks/second by anywhere from 5-6 orders of magnitude. A cluster of 1000 systems only gains you 3 orders of magnitude. The password is still effectively 100x stronger using a well-built KDF than not. This will obviously not save you if the password is poorly chosen, but it takes a 3-day password crack out to 300 days. Most people give up long before that, and aren't willing to throw 3 million computer-days at the problem.

    And to be clear, it isn't AES that saves you – AES does nearly nothing here. It's the key derivation function that's important.
