Feeling secure with your password protected Excel workbook? Think again.

Excel LogoLast week, I received a password protected Excel spreadsheet. This spreadsheet was used as a survey-style questionnaire. I could view but not edit the questions. I could only enter answers in some specific “response” cells. No other cells were available for editing. I could also see that some columns had been hidden. I could not unhide them.

Protection options - Microsoft ExcelI needed the survey questions, but there were 200 of them and I didn’t want to type them into a new spreadsheet. I was also interested in the hidden columns. Unfortunately for me, the author of the spreadsheet had password protected the workbook. I tried to “crack” it with a few obvious passwords like “123456” and that old favourite, “password” but no luck. I could not unprotect the spreadsheet.

After a bit of research and a few experiments, I discovered that uploading the Excel spreadsheet in Google Docs would give me full access to the content. The entire spreadsheet content was visible and editable in Google Docs. I even discovered some hidden sheets that I could not see in Excel. Google Docs offers the option to download a Google spreadsheet as an Excel spreadsheet. Which means of course that all I had to do was upload the spreadsheet into Google Docs and then download it back as an Excel spreadsheet, and presto, no more pesky protection in my way.

Password-protected Excel spreadsheet => upload and open as a Google Sheet => download as an Excel spreadsheet = unprotected Excel spreadsheet

Google Sheets logoAfter a little bit more research, I discovered that this information security vulnerability applies to the Microsoft Word as well.

I call it an information security vulnerability because this weakness can lead to serious consequences for businesses exchanging information with clients, partners or vendors. In the example above, the spreadsheet contained a questionnaire used to rate vendors bidding to provide services to a large corporation. The hidden columns contained instructions on how to rate vendor responses. Any vendor able to unlock the Excel spreadsheet would be able to see and understand the key criteria for each answer. This means they can formulate their answers to match the assessment criteria. It is a bit like taking an exam with a cheat sheet.

When we speak about password protection, many of us assume a certain level of encryption or inaccessibility of the data that we want to protect. In the case of Microsoft Office, the password protection does not apply any encryption mechanism, and consequently it is very simple to bypass. Users wrongly assume that they can count on the password protection features offer in Microsoft products. To be fair, Cheating at an examMicrosoft does state in online help that, “Element protection cannot protect a workbook from users who have malicious intent”. Microsoft also advises “For an additional layer of security, you should help protect your whole workbook file by using a password”, but this is not the same functionality.  The whole workbook protection restricts opening, editing and reading access to an entire spreadsheet. It cannot be used to protect individual cells.

If you want to make sure that you do not share confidential information with an unintended audience via an Excel spreadsheet, I recommend to completely remove the information from the spreadsheet by deleting it.