Solved

How good is Excel security

Posted on 2000-04-13
48
287 Views
Last Modified: 2008-03-10
Is Excel secure ? I mean can I make some macros on some buttons and then allow a user to use the spreadsheet but not to be able to edit the code or see it. I know I'd do this using passwords but where abouts do I set them. Also are there any ways how people can hack around Excel security ? By the way I'm using Excel 97.
0
Comment
Question by:pilch67
  • 16
  • 12
  • 5
  • +4
48 Comments
 
LVL 17

Accepted Solution

by:
calacuccia earned 50 total points
ID: 2711574
Hi Pilch67,

Where to set pass-words:

1/ On the sheets of the workbook, as you probably know, Tools/Protection/Protect Sheet to protect sheet from modifying/style change....
2/ The VBA Modules and macros can be protected as one. In the Visual Basic Editor (Hit Alt+F11 to open), look in the left-top explorer tree for VBAProject(MyFile), right-click, select 'VBAProject properties...' and go to tab 'Protection'.
Check the box 'Lock Project for Viewing' and enter password(s)
Now the code will not be visible, neither editable
3/ Security level
As long as you don't use simple passwords, like 'Pass' or passwords obviously linked to you (e.g. your name), you can increase the security by using numbers, random letters, making Case changes (e.g. fgRseY25fRtr), and use a minimum number of characters (e.g. 8)
The program can always be hacked, but it will take enormous long times with special utilities to crack these kind of passwords.

Hope this helps
Calacuccia
0
 
LVL 9

Expert Comment

by:antrat
ID: 2711585
Hi pilch67

While in the VBE go to Tools>VBA Project Properties and then select the "protection" Tab and tick the "Lock Project for viewing" Tab and enter a password twice. Use a long password(up to nine characters, I think) that is a mix of upper and lower case and numeric. Then save and close Excel, then re-open and yoyur code cannot be seen or edited.

antrat
0
 
LVL 17

Expert Comment

by:calacuccia
ID: 2711596
:-)
0
 
LVL 9

Expert Comment

by:antrat
ID: 2712121
:-(
0
 
LVL 1

Expert Comment

by:Chrynoble
ID: 2713559
There are several hack programs designed specifically for excel and excel's vba.

If you are storing matters of national security I would find another way.

If you are looking just to keep the guy in the next cubical over out, you should be ok.
0
 
LVL 9

Expert Comment

by:antrat
ID: 2714336
chrynoble

I agree in part with what you say, but as mentioned by myself and Calacuccia if the password set is 8 characters long and a mix of upper and lower as well as numeric then it would take one of these "hack programs" weeks or longer to try and get in.


antrat
0
 
LVL 6

Expert Comment

by:Marine
ID: 2720613
I wouldn't say it would take that long. I don't know about excel but i had a program that cracks Access password under 3 seconds with encryption. Giving that Excel is a COM object i would say that they are using same model therefore cracking Excel security would be just as an easy as it was in Access.
0
 
LVL 1

Expert Comment

by:Chrynoble
ID: 2720744
I have a program that took about 10 seconds to crack a 9 character mixed case password. It didn't have numbers, but I can't imagine that would add weeks to the crack.
0
 
LVL 9

Expert Comment

by:antrat
ID: 2721386
I would like to see this. Can I send you a Excel workbook that is password protected and have you try to open it? I would like to offer this as friendly challenge :)


antrat

0
 
LVL 1

Expert Comment

by:Chrynoble
ID: 2723103
I can try it and see sure.
Chrynoble@hotmail.com
0
 

Author Comment

by:pilch67
ID: 2730256
Thanks for your help guys. I have put passwords on my spreadsheet now. Chrynoble, could you send me the hacking program that you mentioned ( if it's not too big ) as I'd like to see it for myself. I'd appreciate it. Could you also send the Access hacking prog aswell as I have a few Access dbs that I thought were quite secure up until now !

TIA.
0
 
LVL 6

Expert Comment

by:Marine
ID: 2730269
LOL :) Not at all as i said in my comment i had it password protected and encrypted that thing cracked in a few seconds. There are a few sowftaware packages that allow you a better protection i dont have teh names right now.
0
 
LVL 9

Expert Comment

by:antrat
ID: 2730300
I sent Chrynoble as Password protected file 2 days ago for Him/her to open and too date I have heard nothing.

pilch67 when you Password protect your file use a password like 8Hy4Qa9mZ. I think you will find it takes considerable longer than 3 seconds :)

antrat
0
 
LVL 1

Expert Comment

by:Chrynoble
ID: 2730883
Antrat,
  Sorry for the delay. Here is what I have found. The program I have is for cracking VBA passwords when protect the project. It cracked a 9 character mixed case, no numbers password in about 10 seconds.

   The program I got yesterday from the same company is having more trouble with the open password. Here are the results

# of char in pw
1: 450 ms
2: 1 s
3: 15 s
4: 30 M
5: 1.5 days
ect...

   So... I did some research and found that Excel, and presumably other office programs, encrypts the main or open password for a document, but not the internal ones like sheet protection, and vba protection.

Antrat is somewhat right, it will take me more than 1 week to crack the test he sent me. If it didn't include numbers, mixed case, and symbols it would take a lot less time.
Also the dictionary crack is good, so don't use words that could be found in a dictionary.

On the same note, I will be able to crack this password.

The name of the program is Advanced Excel Pasword Recovery.
You can get it at www.elcomsoft.com
0
 
LVL 1

Expert Comment

by:Chrynoble
ID: 2730897
Antrat,
  Him by the way.  :)
0
 
LVL 9

Expert Comment

by:antrat
ID: 2732977
Hi all

I have tried the elcomsoft password recovery before it is very handy for getting into password protected areas that have one word passwords like "sausage" as even "ausaegs" as there are only 26 letters in the Alphabet. Sounds easy doesn't it, but remember that you can have any combanation of those letters and that is a HUGE number. I think to work it out you use 1*1=1 ,1*2=2, 2*3=6, 6*4=24, 24*5=100, 100*6=600, 600*7=4200, 4200*8=33000, 33000*9=302400. by the time you get to 26 you have god knows how many zeros.

Now if you add uppercase you then would have to keep going until you reach
52 and...well I would interested to see the result. So if we now add 10 numbers i.e 0-9 you would have to start off multiplying that out of this world number by 2 and then that result by 3 and so on.

So you can see even by adding just one more variant we have to double a already mega huge number.

Here's a story you may have already heard. A peasant once asked a mean tyrant 'if he let the king have his way for just one night with his wife all he would ask for in return is to place 1 penny on the first square of a chess board and keep doubling on each succesive square'. The king thought no problem there are only 64 squares, can't end up being much. To find the result try it yourself.


antrat
0
 

Expert Comment

by:stubbs
ID: 2763054
When you password-protect a VBA project, no actual encryption is done to the project, so the password isn't even needed if you have a program that can go into the file and read the macro on its own.
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2783415
No, Excel is not very secure.  There are cracking programs which find passwords in quick order (I use it to impress co-workers, not to snoop on them).
0
 
LVL 9

Expert Comment

by:antrat
ID: 2784782
GivenRandy

Is this the only way you can get points i.e by jumping in with a load of crap just before a question is auto-deleted. Your so called "cracking programs" would not get into a file with a 9 character mix of upper case and lower case and numeric values.

I Have sent files before with passwords like above to people like you and they cannot get into them. Just ask Chrynoble I sent one to him 4 weeks ago and he still hasn't cracked it.

antrat

P.S your name has been mentioned in the Lounge before about this sort of crap.
0
 

Expert Comment

by:stubbs
ID: 2784879
antrat:
It has nothing to do with the length of the password or whether you use a mix of upper and lower-case. If you password-protect the VBProject, no actual encryption is done to the VB Project. If you want me to prove it, create a module in Excel's VB Editor, and put some sort of secret word or something so I can prove that I was able to see it. Password protect it like calacuccia said in his first reply with as long of password as you'd like and I'll still be able to tell you right away what the secret word in the VB Module was.
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2784897
>Is this the only way you can get
>points i.e by jumping in with a load
>of crap just before a question is
>auto-deleted.

For your information, Mr. Uninformed, I have NOT received a SINGLE point that way.  This is a WAKE UP call to askers who sit on questions.  It worked, didn't it.

>P.S your name has been mentioned in
>the Lounge before about this sort of
>crap.

Really?  Please provide URLs.  LOL.

0
 
LVL 9

Expert Comment

by:antrat
ID: 2785340
The first question BY YOU!! at the top is from the lounge as is exactly the sort of crap I was talking about
 <Hands givenrandy a towel so he can wipe the egg off his face>

I'll spell this out for you, the "Wake up call" is the very reason EE sends out e-mails to all that have PARTICIPATED in the question (no this does not include you)so they realise it is going to be auto-deleted.

The idea of playing on EE is to be ARWARDED points for helping out someone in need of an Experts knowledge. Not scrounging through Q's that are about to be auto-deleted like a crow at a rubbish tip and getting points anyway possible.

Looking at you last 10 grades recieved (a lot of D's), are you sure you haven't recieved points this way before?

If you can kid yourself into thinking you can EARN points this way this is probaly all wasted on you.


From: GivenRandy  Title: "1100 "Unanswered" in VB"  Points: 0  
Status: Pending deletion
 Date: Saturday, May 06 2000 - 04:36AM WST    
1100 "unanswered" questions in VB?  I think not.  Probably half of those are unclaimed points.  Others have mentioned this problem here, but what can we do about it.  

Do we all have to dig through and see which ones of ours would be "answers" and then answer them again?

 
Question History  
Comment  
From: nfroio
 Date: Saturday, May 06 2000 - 05:43AM WST  
Just run through all of them and just keep hitting the answer button, it'll either wake up the original questioner, or the person who had the right answer, and if nothing happens, then it will be like when you find a wallet and turn it in at the Police Station, if no one claims it in 30 days, its yours, ie, AutoGrade (if working) will give you many, many points later down the line, and the VB area will be uncluttered again.

:-)
 
****************************************

From: mount_diablo
 Date: Thursday, April 27 2000 - 03:47AM WST  
The worst ones I have seen is when someone posts an anser with the the intent of either getting autograded for points, or having a less discerning questioner grade it by accident.

Points Please?

(anyone remember that one?)
****************************************

 From: GivenRandy  Title: "Taking Answers Without Giving Credit?"  Points: 0  
Answer Grade: A  Date: Monday, April 24 2000 - 09:05PM WST    
How can we reduce / eliminate cases where people take the answers but do not give credit (i.e., grade) for them?  This happens when people reject answers that are spot-on correct or when people take the answers but never respond to them.
****************************************
 Rejected Answer  
From: GivenRandy
 Date: Monday, May 01 2000 - 09:45AM WST  
The answer is:

730: Control "Hehe" not found

---

The penultimate answer is:  42 (of course).

 
Comment  
From: ameba
 Date: Tuesday, May 02 2000 - 12:40AM WST  
GivenRandy,
It is great if you solved this puzzle, congratulations.

But, it was first solved (in VB topic area) by expert angelIII and points are for him or for expert Ark.

Since Ark didn't respond for points, angelIII please answer to make this a PAQ.

Thanks

 
Comment  
From: GivenRandy
 Date: Tuesday, May 02 2000 - 12:45AM WST  
If angelIII does not respond, I'm next in line.
*****************************************
 
0
 
LVL 9

Expert Comment

by:antrat
ID: 2785360
Stubbs,

I would be glad to send you a file that is password protect to see if you can get in. But if I do could you please come back with the good or bad news as I have done this before and had no feedback which I see as, they cannot open it.


antrat
0
 

Expert Comment

by:stubbs
ID: 2785395
Ok, you can e-mail me at c.stubbs@bc.sympatico.ca
Remember, I'm not necessarily going to give you the password for the workbook, just showing that I can discover the contents of the VB Project without even needing the password.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 9

Expert Comment

by:GivenRandy
ID: 2785588
About the D grades.  It all depends on the asker!!!!!  Take a look through the answers I gave.  For example, I just got a D on one.  If you look, you will see that a nearly IDENTICAL solution got an A!!!  Why did I get a D?  Huh?
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2785591
By the way, NO I have not received any AutoGraded points.  I have only been on here 23 days!
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2785602
Your list of posts does not answer my question (why am I not surprised).  Have I done some cases of answering like this?  Of course, and I have stopped doing it as well.  That is all your postings is documenting.

However, you said that I had been blacklisted on The Lounge.  I don't recall that.  I asked for evidence, but you provided none.  The comments you posted where indirect or not applicable.

By the way, I did NOT know that there are messages when things are going to get Auto-Deleted.  That is good.  Still, how does that resolve the problem of the original asker not accepting an answer?  Does the first person that gets the Auto-Delete message choose if HE should get the points?  If not, then the next person?
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2785626
Again, NONE of my points have been gained from the Auto-Grading.  I also asked for a way to see which questions I have answered.  Looks like none exists yet (according to board operators).  Others will be cleaned up as they occur.  

Another point about the grading.  I think many people respond by looking at a persons position.  This happens in "real life", too.  For example, if a "rocket scientist" says something, it must be like awesome.  If a philosophy college student says the exact same (correct) thing, people ponder and question it.  Same here.  If someone with 100,000 points says it, then it must be true.  If someone with 4,000 points says it (or 0 points!), we tend to down-grade it.

Just had that yesterday.  Two "geniuses" (100,000+) points, I think they were, said something could not be done.  I showed how it could!  Let's see what grade I get.  I bet it is lower than what they would have received.  In fact, I would not be at all surprised if it were another D.  Why?  That's just how SOME people are.
0
 
LVL 6

Expert Comment

by:Marine
ID: 2785683
I agree with Randy on this one. Lots of times someone who has more points then you will get the call. This is just how some people are. I was answering a question once with wsh2. Cool guy. We then joked a little and the questioner insulted us and refused to give us the points. Then when another person came in and said what we have already said he raised the points value and gave him the points. We talked to EE and they awarded us the points later. So , i wouldn't judge Randy i think he knows his stuff.
0
 
LVL 9

Expert Comment

by:antrat
ID: 2786717
Marine
The only thing I'm judging "Randy" on is his behavour here nothing more.


givenrandy don't change the subject! I could not careless about your feeble excuses for so many D's.

It is irrelevant who should get the points. The fact is it should only be someone who has given some PREVIOUS ORIGINAL advise or someone new who provides some new relavant advise or better still an answer. All you are doing is trawling through questions that are about to be auto-deleted and trying to get some points for nothing.

 Most of us here on EE take pride in the answers we give and have EARNED every point we have, don't you have any pride man? when I recieved the e-mail from EE saying this question was going to be auto-deleted I came back to jog my memory and saw that I had provided a partial answer but was beaten by Calacuccia (who if anyone should get the points)and decided to let it slide as it would not be in the spirit of EE to take the points.


Your little caper could potentialy GIVE (not earn) you thousands of points and take you past someone that has earned every point they have. But that probaly does not bother you does it?


"However, you said that I had been blacklisted on The Lounge."

good idea, but no I did not say any such thing.
"P.S your name has been mentioned in the Lounge before about this sort of crap"
Is what I said.
My point which you missed entirely is that you said

"How can we reduce / eliminate cases where people take the answers but do not give credit (i.e., grade) for them?  This happens when people reject answers that are spot-on correct or when people take the answers but never respond to them."

re-read that first sentence then read this.
 where people take the credit for answers but do not give answers.


antrat

 





0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2786731
Apparently you aren't reading what I wrote and only want to believe what you want to (e.g., my "excuses").

Who said "you can't argue with an idiot".

My points have been earned, too.  Many missed points were earned as well.  

Wake up and smell reality.  If you really need to hate someone, it shouldn't be a "nobody" like me....
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2786734
To re-iterate, none of my points have come from auto-grading.  In addition, I have not done any new trolling for points and cleaned up old ones.  I sleep at night.  Maybe you should try it.  You can still hate me, if it helps.  If it does help, please send some points my way.  :)
0
 
LVL 9

Expert Comment

by:antrat
ID: 2786787
I will rest in the knowledge you will never be an "expert" but simply a seagull scavenging for points.

Bye Bye seagull :O)

antrat
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2786805
Hey, if you really want to be helpful, tell me if you find any of those "scavenged" posts of mine.  I think I undid the few I had.

I feel good that all my points are earned and will be.  Too bad if your blind hate blinds you to that.

As for "expert", I have 5000 EARNED points in less than a month.  In almost 18 months you only have 70900.  My rate is 60% faster than yours.  And it is getting harder to get points with more people trying for them (i.e., in case you don't understand, it was easier then and you still have not made Genius level).
0
 
LVL 9

Expert Comment

by:antrat
ID: 2786818
Yeah, at this rate your last 10 grades recieved will be DDDDDDDDDD in no time.

LOL
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2786898
Could be -- but that won't be MY fault.  Duh, you still are being thick-headed.  Did you read my post?  Did you read Marines?  Did you read the dozens of similar complaints (which you prefer to call excuses) by long-time experts?

Guess you see only what you want to.  Glass houses are nice.
0
 
LVL 9

Expert Comment

by:antrat
ID: 2786944
Who are you trying to convince randy, me or yourself .You do go on don't you, your as persistent as a D10. LOL

How could I possibly hate you randy I haven't laughed like this for a while, your making my day. :O)

antrat

0
 

Expert Comment

by:stubbs
ID: 2788124
antrat:

I received your test file.

The contents of Macro1 are:

Public Sub YouDidIt() ':O)
'run me to see the secret word

End Sub


The contents of UserForm1 are:

Private Sub UserForm_Initialize()
Label1.ForeColor = &H80000012
Label1.Visible = True
End Sub

The contents of ThisWorkBook are:

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As
Excel.Range, Cancel As Boolean)
Cancel = True
End Sub



0
 
LVL 17

Expert Comment

by:calacuccia
ID: 2790278
GivenRandy

>For your information, Mr. Uninformed, I have NOT received a SINGLE point that way.  This is a WAKE UP call to askers who sit on questions.  It worked, didn't it.

What worked? I have seen no dign of Pilch67 that he/she's still alive.
0
 
LVL 9

Expert Comment

by:antrat
ID: 2790629
Stubbs
I stand corrected :)


Calacuucia
LOL


antrat
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2790631
True, true.  Anyhow, I don't do that any more.  Calacuccia, I also left a comment on the other thread.  If you find anymore, please let me know.  I'll give 10 points per incident with a guaranteed "A" answer.
0
 

Author Comment

by:pilch67
ID: 2795886
Wow. I've just got back off holiday to see 20 or so e-mails about this question. Sorry about the delay I know it can be frustrating.
I don't know who deserves the points here ... maybe Calacuccia or antrat I don't know. Who do you think deserves it ?
0
 
LVL 9

Expert Comment

by:antrat
ID: 2796037
Yeah sorry about that pilch67,  we got a wee bit sidetracked, anyway it makes for a good laugh if nothing else.

 As for the points well..... I was proved wrong by Stubbs. It seems password protecting the VBE is not quite the same as password protecting the file itself. So on that note I would say I'm ruled out :)

antrat
0
 
LVL 17

Expert Comment

by:calacuccia
ID: 2796930
Hi Pilch67,

If satisfied with the offered security, you should accept my first comment( remember that the modal user will never get past these pass-words).

If not, award Stubbs, Chrynoble or Antrat for their efforts to proove the level of security/non-security.

Calacuccia
0
 

Author Comment

by:pilch67
ID: 2799776
Cheers
0
 
LVL 9

Expert Comment

by:GivenRandy
ID: 2800704
antrat wrote:

>Yeah, at this rate your last 10 grades
>recieved will be DDDDDDDDDD in no
>time.

Look what 4 days will do:

B A A A A A A A A A

That still doesn't rule out the possibility of someone being "ungrateful" or just plain rude.

Good wishes to all.  By the way, I think calacuccia's answer is right-on and did deserve the points.  When I said it is not secure, I meant in a stringent mode.  For 99.995% of the people, calacuccia's solution is all they need.
0
 
LVL 17

Expert Comment

by:calacuccia
ID: 2800738
Keep going GivenRandy. You're back on track ;-)
0
 
LVL 9

Expert Comment

by:antrat
ID: 2803211
Way to go GivenRandy, there's no need to cheat is there?

antrat
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

This article will guide you to convert a grid from a picture into Excel format using Microsoft OneNote and no other 3rd party application.
My experience with Windows 10 over a one year period and suggestions for smooth operation
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…
Learn how to create and modify your own paragraph styles in Microsoft Word. This can be helpful when wanting to make consistently referenced styles throughout a document or template.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now