Request: Page Locking

[Brian Vallelunga]

The ability in SP1 to password protect a section is great, but I'd like to
request more granular password support. I'd like to be able to lock just a
particular page of data. For example, I have a section relating to a job I'm
doing for someone. I don't have the section protected because 90% of the
info isn't sensitive. However, one page has information about the server I'm
using such as usernames and passwords. I'd like to be able to just lock that
one page.

On a related note, how secure is the password protection? Previous versions
of MS Office protection were pretty much a joke and could be cracked easily
by any number of utilities in very little time. Has that improved at all?

Thanks,

Brian

 

[Erik Sojka]

Some workarounds: You can move all pages requiring password protection
into a single section and password-protect that. Or you can have a PW-
protected section that consists of a single page. I concede this might
play havoc on any organization scheme you might have with your sections
and pages.

If you're concerned about additional security you can always use NTFS
permissions and EFS to further protect the individual *.ONE files (don't
forget about the backups!). You can change the location of the "My
Notebook" folder by going to Tools | Options | Open and Save.

NTFS and EFS are only available under W2K and Windows XP and only when
the drive being accessed is formatted using NTFS (not FAT or FAT32).
Feel free to ask a followup question about these if needed.

The password protection is implemented using Microsoft's CryptoAPI, which
is relatively new in the Office timeline, so it's a definite improvement
over some previous versions of Office. I don't know what methods/key
length, etc. are used, though.

 

[Chris_Pratley \(MS\)]

The encyption is 168bit RC4, (128bit where limited by law). This is pretty
hard to crack. Office uses this kind of encryption as an option from Office
Xp onward. (it is an option because by default the encryption used in Office
is the weaker kind compatible with Office97 and 2000 - customers tell us
compatibility is important)

Encryption is only as safe as your choice of password. If you use passwords
like "cat" or "purple" i.e. dictionary words or easy combos of these plus
numbers, then expect any tool to crack your password fairly quickly just by
trying the relatively small number of possibilities. True strong passwords
(long, and containing punctuation, numbers, upper/lower case and not
discernible real words) are too much hassle for most people who want to
easily remember their passwords, which is why an approach like IRM
(Information Rights Management, in Office2003) is actually better - there
access to the info is based on your identity, not a password. Your identity
is currently driven off your account, which is usually password protected,
although you can require a smartcard or biometric check as well if you want
true security.

Chris Pratley (MS)
OneNote design team

 

[Chris_Pratley \(MS\)]

My aplogies, the encrytion is actuall 3DES, not Rc4.

 

[Chris_Pratley \(MS\)]

My apologies, the encryption is actually 3DES, not RC4. It is a 168bit block
cipher.

Chris Pratley (MS)
OneNote design team