Application Password Security

Posted on 2005-03-01
Medium Priority
Last Modified: 2008-01-09

I am currently looking to justify making some policy changes with my agency as far as passwords go. One of the main stumbling blocks is that we heavily utilize passwords in Excel 2000 Small Business spreadsheets. My take on this is that the passwords should be treated no differently than any other type of password, in that they should be changed at least quarterly. The IT manager ran a demo version of a brute force crack against one of the passwords for a couple of days and came up with nothing, so this was assumed to mean that the passwords are secure enough to NOT warrant any change in policy. I'm wondering if someone knows of any articles (pen test results would be great) of successful cracks against this type of security mechanism that I may bring to management in order to assist me with my case.

Thanks for any info/links you may provide.
Question by:celcius233
LVL 20

Expert Comment

by:Daniel Van Der Werken
ID: 13430066
I don't believe Office document passwords are very secure at all.  In fact, anyone should be able to browse the Internet and download a copy of a program that will "recover" lost passwords easily.  Check out:  http://www.lostpassword.com/

Does PassWare "crack" your Excel sheets with ease?  I would think so.

I think your best bet is to store the files using some sort of Encrypted File System rather than plan to rely on the password protection of the application itself (such as Excel's password functionality).

LVL 15

Expert Comment

ID: 13430199
Yeah, Office passwords, Visio, WinZip, etc. are not secure at all. Brute-force hacking them is already much more complicated than what really must be done to uncover them.

Just check out this company; they make several software products that can discover various passwords with a single click, and no headaches (including Lotus / Office / Windows / etc. passwords).

LVL 15

Expert Comment

ID: 13430246
Changing the password 2-3 times per year will stop some very basic users from opening the files, and you probably already have NTFS permissions on the folders containing these files.

You might also want to use Windows EFS to protect your files. But you have to be cautious using EFS; you could be losing your stuff. It's like a two-edged sword, and ELCOMSOFT makes software that busts EFS in about 10 sec.

What is best for you is using Layered security.

LVL 38

Accepted Solution

Rich Rumble earned 750 total points
ID: 13430718
The passwords to OPEN a document are more secure than any of the others in Office documents... you can see why with this article
Basically, if you use any password protection besides the pass to open, you have the potential for collisions, meaning that if you set the password to VelvetSweatShop then no password is required, as these other types of passwords use XOR'ing, and if you XOR the "secret" that all the passwords are XOR'd against, it cancels itself out. So velvetsweatshop is the secret that M$ XORs all the Office passwords against (except the pass to open), so if you put velvetsweatshop in the password to modify, for example, you'll never be prompted for a pass when you try to modify. If you set the pass to something like "test", Elcomsoft might return "x0rtha" as a password that will work, even if that's not the pass you used, because of the collision. (That's an example... x0rtha probably won't work.)
ElcomSoft products find these sorts of collisions instantly.
If your dictionary is good, you can crack many passwords very quickly, or within a few days. Elcomsoft has another unique product that basically finds all possible hashes for Excel passwords to open, and you can distribute this utility across many boxes and find the pass in minutes; no matter what, it will exhaust all possible combinations. This is very much like RainBow Crack, which does the same thing for LanMan hashes.

WinZip is better than Office passwords (even the pass to open), but not for long since there are flaws in the SHA1 algorithm, but WinZip is now using AES I believe. http://winzip.com/wzdaes.htm (the compatible encryption is SHA1)

EFS also has its flaws, please see my many posts on the subject:

Again, I employ all of Elcom's software, it is superior in my opinion to all the others I've used. Some do things just as well, but I've found nothing better thus far- but I am always looking.

Here are some policies that you may be interested in, and you can come up with a very formal and professional document. These are great; the one you're looking for in your immediate needs is the Acceptable Encryption Policy and perhaps some of the others.

Something that you may want to switch your focus to, or add into your research, is securing the data from being accessed by those who may want to crack these docs ... make sure you have all the auditing you can muster. EFS can work, as well as PGP; however, PGP suffers from none of the same flaws that M$ has deliberately built in to EFS.

LVL 24

Expert Comment

ID: 13431931
Dan7el > I don't believe Office document passwords are very secure at all.  

The solution I think is to trust your employees to perform the positions they are entrusted to, assign them to categories, groups of common access rights, and segregate the data based on access rights.  This way you use the same OS ID/psw combination, making it easier for users to manage as well as for admins.  As such, the users are more apt to better secure their passwords, and frequency of change. Give them too many and they'll  end up reducing your level of security just to get the job done.

You may need to assess how many documents really do not need much secrecy, and still use some additional protections should you have to move documents around a lot.  But really, even when corporations share their secret documents, the secrecy is more like a hand-shake agreement than a new-fangled form of undecipherable encryption. Passwords can get in the way of conducting good business.

Try to revisit with this the local policy for hardcopy.  Which printed documents get shredded to what degree?   Data handling is similar.
LVL 27

Expert Comment

ID: 13434917
I would start right here:


Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use


The dramatic rise in cyber crime and the emergence of related new legislative requirements point to the need for better means to protect digital information. While organizations such as financial institutions, government agencies, healthcare organizations, and professional services firms address many security concerns adequately, their strategies usually focus on access and delivery of information. To augment perimeter-based (firewalls, repositories) or transport-based (encrypted delivery) security technologies, there is a need to better protect information after it has been accessed by or delivered to an authorized individual, helping to prevent sensitive information from intentionally or accidentally getting into the wrong hands.

This paper discusses Microsoft Windows® Rights Management Services (RMS) for Windows Server 2003 and related technologies. RMS is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use—both online and offline, inside and outside of the firewall.

Anything else is just unprofessional, especially if you use WinZip and the user forgets the passwords "AES" have fun breaking ... .


Author Comment

ID: 13439281
Wow...great answers everyone. I too, am in favor of layered defenses. However, my current situation lies more with organizational resistance to change.  I'll put it to you this way...they have NO password policy, and anyone with a standard set of dictionary cracks could probably own the majority of passwords in about 5 minutes. I'm beginning to think a demo in one of our manager's meetings of a crack and how simple it is given our current situation, versus complex passwords changed on a 90-day minimum rotation would help.
LVL 15

Expert Comment

ID: 13439411
Yeah, a Demo would be a great thing...

What you could do is get software like Cain and Abel (like L0phtCrack but free). Import your user database password hash in a text file, import it in the software, use a huge wordlist (or multiple ones using common names, locations, cities, objects, etc.) and BAM, you get about 75% of all passwords of your corporation.

Cain and Abel can be used for password compliance verification and security testing of your network. It can be legal or illegal, depending on the way you use it.

Here is the link:

Here is a good list of dictionaries/wordlists

To dump your pw hash in a text file, use pwdump4.exe; I'll let you find it in Google. There are also other versions of pwdump around.

I don't remember if the software does Office password testing tho..
LVL 38

Expert Comment

by:Rich Rumble
ID: 13439422
Unfortunately Office passwords have no expiration; you'd have to set some sort of reminder, and you'd basically be reminding yourself to change all passwords on all files the same day...
If you want to break NT passwords it's easy too; JohnTheRipper runs much faster than L0pht crack on a M$ box, and faster still on a Linux box. The SANS Institute policy page has probably everything you need to make formalized policies, and they are easily customized with find&replace. Ohh yeah, Pwdump3 and Pwdump3v2 (google for the zip files, pwdump2v3.zip, and you'll locate them quickly): you must be admin to dump the hashes. If they've never seen how fast NT passwords can fall, this will open their eyes very wide. AOPB from Elcomsoft, and the dictionaries from purdue.edu, can make short work of Office passes to open: http://ftp.cerias.purdue.edu/pub/dict/
LVL 15

Expert Comment

ID: 13439439
Richrumble : Hey, were you reading my mind? :)
LVL 38

Expert Comment

by:Rich Rumble
ID: 13439504
:) but I typo'd google for pwdump3v2.zip (not pwdump2v3)
And now I have to write a snort rule to detect pwdump4... and since it's easier to rename I'm going to have to find something very unique in a tcpdump to detect it reliably. Thanks for the info on the new version.
LVL 15

Expert Comment

ID: 13439554
Probably the version is written somewhere in plain text in the hex code....
LVL 38

Expert Comment

by:Rich Rumble
ID: 13440356
Got the signature, and even submitted it to McAfee to add to their list of possible "unwanted programs". McAfee detects all the previous variants of pwdump and ntdump; they did not detect this one yet.
The snort sig is:
50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68  PWDump4.dll.GetHash  <--- this is the unique string I needed- even if the dll and exe are renamed, this is seen in a dump

alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump4 Session Established GetHash port 139"; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; flow:to_server,established; classtype:suspicious-login; sid:99999990; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump4 Session Established GetHash port 445"; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; flow:to_server,established; classtype:suspicious-login; sid:99999991; rev:1;)

sorry- off topic.
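
As an added example (not part of the original thread, and not Snort's own code), the Python below decodes the `content` option of the two rules posted above and replays them against constructed sample payloads, to check what the signature fires on and what it leaves uncovered. The minimal rule parser, the `pkt` helper and the sample packets are assumptions made for illustration; the parser handles only the options these two rules use.

```python
import re

# The two rules from the post above, copied verbatim.
RULE_TEXT = r'''
alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump4 Session Established GetHash port 139"; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; flow:to_server,established; classtype:suspicious-login; sid:99999990; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump4 Session Established GetHash port 445"; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; flow:to_server,established; classtype:suspicious-login; sid:99999991; rev:1;)
'''
HEADER = re.compile(r'^alert tcp \S+ \S+ -> \S+ (\d+) \((.*)\)$')

def decode_content(spec):
    """Snort content string: text outside |...| is literal, inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header")
    opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', m.group(2)))
    return {"port": int(m.group(1)), "sid": int(opts["sid"]), "msg": opts["msg"],
            "content": decode_content(opts["content"]), "flow": opts["flow"].split(",")}

RULES = [parse_rule(line) for line in RULE_TEXT.strip().splitlines()]

def pkt(dst_port, payload, established=True, to_server=True):
    """Constructed stand-in for one reassembled TCP segment (hypothetical helper)."""
    return {"dst_port": dst_port, "payload": payload,
            "established": established, "to_server": to_server}

def match(rules, packet):
    """Return the sids that fire: flow and port must agree, content is a byte search."""
    if not (packet["established"] and packet["to_server"]):
        return []
    return [r["sid"] for r in rules
            if r["port"] == packet["dst_port"] and r["content"] in packet["payload"]]

# Constructed sample traffic, not captured from a real session.
SAMPLES = [
    pkt(445, b"\x00\x00\x00\x40\xffSMB...PWDump4.dll\x00GetHash\x00"),  # fires 99999991
    pkt(139, b"\x00\x00\x00\x40\xffSMB...PWDump4.dll\x00GetHash\x00"),  # fires 99999990
    pkt(445, b"\x00\x00\x00\x30\xffSMB\\PIPE\\srvsvc\x00"),             # ordinary SMB
    pkt(445, b"PWDump4.dll\x00GetHash", established=False),           # flow not established
    pkt(80,  b"PWDump4.dll\x00GetHash"),                               # outside the rule's ports
]

def run():
    return [match(RULES, p) for p in SAMPLES]

if __name__ == "__main__":
    for p, sids in zip(SAMPLES, run()):
        print(p["dst_port"], sids)
```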
