I am currently looking to justify making some policy changes with my agency as far as passwords go. One of the main stumbling blocks is that we heavily utilize passwords in Excel 2000 Small Business spreadsheets. My take on this is that the passwords should be treated no differently than any other type of password, in that they should be changed at least quarterly. The IT manager ran a demo version of a brute-force crack against one of the passwords for a couple of days and came up with nothing, so this was assumed to mean that the passwords are secure enough to NOT warrant any change in policy. I'm wondering if someone knows of any articles (pen test results would be great) of successful cracks against this type of security mechanism that I may bring to management in order to assist me with my case.
Thanks for any info/links you may provide.