This password specifically refers to "Password to Modify" and Excel 2019 / 365 clearly warn in the reenter password popup:
> Caution: Password to modify is not a security feature. ... Malicious users can edit the file and remove the password.
This type of "protection" is also present in the VBA blobs (where you can change a few bytes and work around the VBA protection).
Saving a file with a password to open actually employs encryption. The exact setting can be tuned with registry settings, but is typically AES-128-CBC.
Saving a file as "read-only" encrypts the file with the standard password "VelvetSweatshop".
Note: this is only for write protection passwords. Files that require a password to read are actually encrypted. I think any password that would prevent editing but allow reading would necessitate a fairly complex digital signature management scheme for data provenance (which might be useful in some settings).
Some «security» features don't need to be secure. This is obviously one of those as the data is readable by all, but only modifiable by «those in the know», but if someone does anyway, who cares.
I’ve done hardcoded frontend identity whitelists for authorization. Sometimes it’s fine to let hackers access stuff, but not the vanilla mass-market browsers. Feature flags, etc.
Actually, I think this one is better if it isn't perfectly secure. I make spreadsheets with passwords just so people won't go in there and accidentally delete something or make other silly mistakes. I'm not trying to hide anything or keep it safe from the outside world or anything. Every once in a while I forget one of the passwords or set it up with a typo or something, and I have to crack it. I'm sure there's loads of people doing something similar. For me, the weak security on this particular password is a feature.
Reading through it quickly, it looks like this is for files that are available to read, but write-protected? Not read-protected documents like a password protected Excel workbook?
A modern read-protected Office document is AES encrypted, so you cannot read those at all. But the read-only one, much like PDF do-not-print/do-not-copy protections, is just relying on the viewer to honor the protection marker.
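An added example, not code from any commenter in this thread: a check that separates the two cases described above, an encrypted workbook (an OLE compound file holding an `EncryptedPackage` stream) versus a plain ZIP whose XML parts only carry protection markers. The sample inputs are constructed inline, and the OLE detection is a byte-search heuristic rather than a real compound-file parser.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # compound-file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML
MARKERS = ("fileSharing", "workbookProtection", "sheetProtection")

def classify(data: bytes) -> dict:
    """Tell an encrypted container from a plain ZIP that only carries markers."""
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): search for the stream name in the raw bytes.
        return {"container": "ole", "encrypted": ENC_STREAM in data, "markers": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "encrypted": False, "markers": []}
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                found += [(name, t) for t in MARKERS
                          if re.search(r"<(?:\w+:)?%s\b" % t, xml)]
    return {"container": "zip", "encrypted": False, "markers": sorted(found)}

def constructed_xlsx() -> bytes:
    """Constructed sample: minimal parts only, attribute values are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml",
                   '<workbook><fileSharing readOnlyRecommended="1" '
                   'reservationPassword="ABCD"/></workbook>')
        z.writestr("xl/worksheets/sheet1.xml",
                   '<worksheet><sheetData><c><v>42</v></c></sheetData>'
                   '<sheetProtection sheet="1"/></worksheet>')
    return buf.getvalue()

def constructed_ole_stub() -> bytes:
    """Constructed stub, not a valid file: header plus the stream name."""
    return OLE_MAGIC + b"\x00" * 64 + ENC_STREAM

if __name__ == "__main__":
    print(classify(constructed_xlsx()))      # markers present, content readable
    print(classify(constructed_ole_stub()))  # flagged as encrypted container
```

A file that comes back as `zip` with markers should be treated as readable and editable by anyone who holds it, whatever password prompt the viewer shows.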
Nice. In older versions of xlsx they used a weird hash function with tiny hash space that could be brute-forced in <1s. There were some VBA code snippets circulating, and in my old team, where we had to deal with a lot of such files, we all had a script as a shortcut in the Excel toolbar.
I knew about the xml trick, but I could never get it to work consistently. This looks useful, thanks for sharing.
I know this may be slightly off topic as this specifically deals with the modify, not the access password. But Office for Mac still limits access passwords to 15 characters; my understanding is that this is a significant weakness for documents saved from Office for Mac. Does anybody have any insights into how big of an attack vector this actually is?
Me too: I wrote a few lines of Python for my personal use, to remove docx write protection, and a few other useful things, e.g. changing author names, shrinking the size of the document by converting .png/.emf to .jpg, etc. The function for removing the write protection is very short :)
=> I wrote it for my personal use and for a few friends, and it is unfinished and not very well written, but if it can be useful to others, my little tool is here https://github.com/karteum/Doctool