Word doc Security?

[Armey]

I wanted to get the groups expert advice on how secure MS Word
document security really is? For example, I have an open password,
modify password and the document is password protected with the
restriction of filling in forms and my VBA code is passwod protected.
In my specific case I am using Word 2003, but soon testing and
converting my app to Word 2007. I have heard of many free or cheap
programs to crack MS word password protection but have no real
experience of this.

1.) Does one encryption type versus another on the open password
really matter? If so, what is the most secure?

2.) Is there added security benefits in Word 2007 for the open, modify
and protected document password?

3.) What would your advice be for securing a protected form template
in the most secure method to keep unauthorized users from using or
modifying the app?


Thanks.

 

[Graham Mayor]

The password cracking applications you may find on the web are all very well
if you use the four digit passwords that they allow for trial versions, but
if you use a seriously strong password, and the highest level of encryption,
the security will deter all but the most determined. *Any* password can be
cracked if you have the time and processing power, merely by checking every
possible combination. Some of the tools available will do that.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP


<>>< ><<> ><<> <>>< ><<> <>>< <>><<>

 

[Armey]

The password cracking applications you may find on the web are all very well
if you use the four digit passwords that they allow for trial versions, but
if you use a seriously strong password, and the highest level of encryption,
the security will deter all but the most determined. *Any* password can be
cracked if you have the time and processing power, merely by checking every
possible combination. Some of the tools available will do that.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>
Graham Mayor - Word MVP

My web sitewww.gmayor.com
Word MVP web sitehttp://word.mvps.org
<>>< ><<> ><<> <>>< ><<> <>>< <>><<>








- Show quoted text -

Graham, thanks for your input. I agree that the best option is to
select and use as strong as passwords as possible. Do you know where
I can get information on the maximum length of each password (open,
modify, doc protection, vba)? It seems that if you use the longest
and most complex password that it would be more secure that way. Do
you know if the password lengths or encryption types were revised for
Word 2007?

 

[Jonathan West]

I wanted to get the groups expert advice on how secure MS Word
document security really is? For example, I have an open password,

That one is reasonably secure, provided you choose a strong passord

modify password

In practice, that is useless - it doesn't stop the user from copying and
pasting to a new document and saving the results. Its only use is a
protection against accidentally modifying the file.

and the document is password protected with the
restriction of filling in forms

That is also largely useless. Use Insert, File to include the file in
another file and the protection is gone.

and my VBA code is passwod protected.

That is relatively easily crackable if you have the right tools, even if you
use a strong password.

In my specific case I am using Word 2003, but soon testing and
converting my app to Word 2007.

What I have described applies to Word 2003 and earlier. I don't know whether
things are improved in Word 2007, but I rather doubt it.

I have heard of many free or cheap
programs to crack MS word password protection but have no real
experience of this.

1.) Does one encryption type versus another on the open password
really matter? If so, what is the most secure?

2.) Is there added security benefits in Word 2007 for the open, modify
and protected document password?

Not really. They exist primarily to make it harder to make accidental
changes. They aren't a protection against malicious changes.

3.) What would your advice be for securing a protected form template
in the most secure method to keep unauthorized users from using or
modifying the app?

Move as much code as possible out of VBA and into an VB6 ActiveX DLL. Only
leave little bits of code in the VBA project that are needed to make calls
to the DLL.

If it is for a specific corporation, get the agreement of IT and personnel
to make it clear that malicious tampering with the template is a
disciplinary offence.


--
Regards
Jonathan West - Word MVP
www.intelligentdocuments.co.uk
Please reply to the newsgroup
Keep your VBA code safe, sign the ClassicVB petition www.classicvb.org

 

[Jay Freedman]

Additional info:

There's a very nice password checker at
http://www.microsoft.com/athome/security/privacy/password_checker.mspx that
will tell you how strong a password is.

For the open password, it's important to click the Advanced button and
choose a method that is NOT either "Weak encryption (XOR)" or the default
"Office 97/2000 compatible" -- neither of those is in any sense secure. I'd
suggest the "Enhanced DSS and Diffie-Hellman Cryptographic Provider" with a
key length of at least 128 bits.

--
Regards,
Jay Freedman
Microsoft Word MVP
Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

 

[Armey]

Additional info:

There's a very nice password checker athttp://www.microsoft.com/athome/security/privacy/password_checker.mspxthat
will tell you how strong a password is.

For the open password, it's important to click the Advanced button and
choose a method that is NOT either "Weak encryption (XOR)" or the default
"Office 97/2000 compatible" -- neither of those is in any sense secure. I'd
suggest the "Enhanced DSS and Diffie-Hellman Cryptographic Provider" with a
key length of at least 128 bits.

--
Regards,
Jay Freedman
Microsoft Word MVP FAQ:http://word.mvps.org
Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.













- Show quoted text -

Thanks everyone for your assistance. I did want to know if anyone
knows the maximum length of passwords for open, modify and document
protect? I want to use the longest passwords possible in combonation
with strong passwords to help deter any malicious minded people. I
figure if they are going to break in at least I will make them work
for it... I know that nothing is ever fully secure, but at least I
want to do the most that I can within the context of what MS Word will
allow.

Thank you.

 

[Karl E. Peterson]

Thanks everyone for your assistance. I did want to know if anyone
knows the maximum length of passwords for open, modify and document
protect? I want to use the longest passwords possible in combonation
with strong passwords to help deter any malicious minded people. I
figure if they are going to break in at least I will make them work
for it... I know that nothing is ever fully secure, but at least I
want to do the most that I can within the context of what MS Word will
allow.

I can't say if it's the same in all those cases (it's probably not), but you should
be aware that the VBA password is simply stored as an XX-char hash of the original.
The allows a brute-force algorithm that can crack 'em in seconds. Fwiw...

 

[Jonathan West]

Thanks everyone for your assistance. I did want to know if anyone
knows the maximum length of passwords for open, modify and document
protect? I want to use the longest passwords possible in combonation
with strong passwords to help deter any malicious minded people. I
figure if they are going to break in at least I will make them work
for it... I know that nothing is ever fully secure, but at least I
want to do the most that I can within the context of what MS Word will
allow.

In Word 2000, the forms protection, file open and file modify passwords all
have a practical maximum length of 15 characters - anything more is ignored.
The VBA project password has a maximum of 32 characters - again, anything
longer is ignored. I don't have a copy of Word 2003 to hand to try, but I'm
90% sure it is the same there.


--
Regards
Jonathan West - Word MVP
www.intelligentdocuments.co.uk
Please reply to the newsgroup
Keep your VBA code safe, sign the ClassicVB petition www.classicvb.org

 

[Karl E. Peterson]

The VBA project password has a maximum of 32 characters - again, anything
longer is ignored.

And, even at that, it's only stored as a 12-character hash. One _so_ lame, that
only 194,560 possibilities exist. How long does a modern computer take to run
through that many loops? :-(

 

[Tony Jollans]

I would also add a warning here that Word 2007 does not offer all the
options for strong encryption that Word 2003 does for .doc (Word 97-2003
format) files although it claims (I haven't tested the claim so can't pass
comment on it) to offer stronger encryption for .docx ("Word 2007 format)
files.

 

[Tony Jollans]

I don't propose to go into any kind of detail in a public forum but, as I'm
sure both Karl and Jonathan know, it is not necessary to crack the actual
password at all to be able to access VBA projects.

 

[Karl E. Peterson]

I don't propose to go into any kind of detail in a public forum but, as I'm
sure both Karl and Jonathan know, it is not necessary to crack the actual
password at all to be able to access VBA projects.

Exactly. It's a damned crime, really. I've had folks drop their jaw when I showed
them how easy it was to get into their code. We'd be discussing how to fix
something, I'd have an "encrypted" copy "to see the behavior", they'd want me to
sign an NDA to see the source... I'd tell 'em what routine needed to be patched up
and how. "Huh, wha...the...f...?" Heh... Sad. Though, that revelation often gets
me a job exposing the valued algorithms from a VB6 DLL.