• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559

Application Password Security


I am currently looking to justify making some policy changes with my agency as far as passwords go. One of the main stumbling blocks is that we heavily utilize passwords in Excel 2000 Small Business spreadsheets. My take on this is that the passwords should be treated no differently than any other type of password, in that they should be changed at least quarterly. The IT manager ran a demo version of a brute force crack against one of the passwords for a couple of days and came up with nothing, so this was assumed to mean that the passwords are secure enough to NOT warrant any change in policy. I'm wondering if someone knows of any articles (pen test results would be great) of successful cracks against this type of security mechanism that I may bring to management in order to assist me with my case.

Thanks for any info/links you may provide.
1 Solution
Daniel Van Der Werken (Independent Consultant) commented:
I don't believe Office document passwords are very secure at all. In fact, anyone should be able to browse the Internet and download a copy of a program that will "recover" lost passwords easily. Check out: http://www.lostpassword.com/

Does PassWare "crack" your Excel sheets with ease?  I would think so.

I think your best bet is to store the files using some sort of Encrypted File System rather than plan to rely on the password protection of the application itself (such as Excel's password functionality).

Yeah, Office passwords, Visio, WinZip, etc. etc. are not secure at all.. Brute-force hacking them is already something much more complicated than what really must be done to uncover them..

Just check out this company; they make several programs that can discover various passwords with a single click, and no headaches... (including Lotus / Office / Windows / etc.. passwords)

Changing the password 2-3 times per year will stop some very basic users from opening the files.. and you probably already have NTFS permissions on the folders containing these files.

You might also want to use Windows EFS to protect your files.. But you have to be cautious using EFS.. you could be losing your stuff.. it's like a two-edged sword.. and ELCOMSOFT makes a piece of software that busts EFS in about 10 sec.

What is best for you is using Layered security.

Rich Rumble (Security Samurai) commented:
The passwords to OPEN a document are more secure than any of the others in Office documents... you can see why with this article.
Basically, if you use any password protection besides the password to open, you have the potential for collisions, meaning that if you set the password to VelvetSweatshop then no password is required, as these other types of passwords use XORing, and if you XOR the "secret" that all the passwords are XORed against, it cancels itself out. So VelvetSweatshop is the secret that M$ XORs all the Office passwords against (except the password to open), so if you put VelvetSweatshop in the password to modify, for example, you'll never be prompted for a password when you try to modify. If you set the password to something like "test", ElcomSoft might return "x0rtha" as a password that will work, even if that's not the password you used, because of the collision. (That's an example... x0rtha probably won't work.)
ElcomSoft products find these sorts of collisions instantly.
If your dictionary is good, you can crack many passwords very quickly, or within a few days. ElcomSoft has another unique product that basically finds all possible hashes for Excel passwords to open, and you can distribute this utility across many boxes and find the password in minutes; no matter what, it will exhaust all possible combinations. This is very much like RainbowCrack, which does the same thing for LanMan hashes.

WinZip is better than Office passwords (even the password to open), but not for long since there are flaws in the SHA1 algorithm, but WinZip is now using AES I believe. http://winzip.com/wzdaes.htm (the compatible encryption is SHA1)

EFS also has its flaws, please see my many posts on the subject:

Again, I employ all of Elcom's software, it is superior in my opinion to all the others I've used. Some do things just as well, but I've found nothing better thus far- but I am always looking.

Here are some policies that you may be interested in, and you can come up with a very formal and professional document. These are great; the one you're looking for in your immediate needs is the Acceptable Encryption Policy and perhaps some of the others.

Something that you may want to switch your focus to, or add into your research, is securing the data from being accessed by those who may want to crack these docs... make sure you have all the auditing you can muster. EFS can work, as well as PGP; however, PGP suffers from none of the same flaws that M$ has deliberately built into EFS.
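As an added illustration of the collision point made above (example code written for this page, not ElcomSoft's or Microsoft's code): the 16-bit password verifier that Excel stores for sheet- and workbook-protection passwords, as documented in ECMA-376 Part 1 and in the [MS-XLS] file-format specification, is reimplemented below in Python. Because the stored value is only 16 bits wide, it can take at most 65,536 distinct values, so any set of more than 65,536 passwords necessarily contains two that the file cannot tell apart. The algorithm is the documented one; the 70,000-password sample list is constructed for the demonstration.

```python
"""Legacy Excel sheet/workbook protection verifier and why it collides.

The hash below is the 16-bit password verifier documented in ECMA-376
Part 1 (the 'password' attribute of sheetProtection/workbookProtection)
and in [MS-XLS]. This file is an added example, not code from the page.
"""
from typing import Dict, Iterable, Optional, Tuple


def legacy_protection_hash(password: str) -> int:
    """Return the 16-bit verifier Excel stores for a sheet/workbook password.

    Each character is rotated left within a 15-bit window by its 1-based
    position and XORed in; then the length and the constant 0xCE4B are
    XORed. The format only considers the first 15 characters, so callers
    are expected to pass ASCII passwords of at most 15 characters.
    """
    if len(password) > 15:
        raise ValueError("legacy verifier is defined for at most 15 characters")
    h = 0
    for idx, ch in enumerate(password, 1):
        value = ord(ch) << idx      # shift the character by its position
        rotated = value >> 15       # bits that fell off the 15-bit window...
        value &= 0x7FFF             # ...are dropped from the low part...
        h ^= value | rotated        # ...and wrapped back in (a 15-bit rotate)
    h ^= len(password)
    h ^= 0xCE4B
    return h & 0xFFFF


def distinct_verifier_count(passwords: Iterable[str]) -> int:
    """How many distinct stored values a collection of passwords maps to."""
    return len({legacy_protection_hash(p) for p in passwords})


def first_collision(passwords: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return the first pair of different passwords with the same verifier.

    Any input of more than 65,536 distinct passwords is guaranteed to
    contain such a pair (pigeonhole principle), whatever the passwords are.
    """
    seen: Dict[int, str] = {}
    for p in passwords:
        v = legacy_protection_hash(p)
        if v in seen and seen[v] != p:
            return seen[v], p
        seen.setdefault(v, p)
    return None


# Constructed sample: 70,000 distinct short passwords, which is more than
# the 65,536 values a 16-bit verifier can take.
SAMPLE_PASSWORDS = [f"pw{i}" for i in range(70_000)]

if __name__ == "__main__":
    print(f"verifier('')     = {legacy_protection_hash(''):04X}")      # CE4B
    print(f"verifier('test') = {legacy_protection_hash('test'):04X}")  # CBEB
    print("distinct values for 70,000 passwords:",
          distinct_verifier_count(SAMPLE_PASSWORDS))
    print("a pair the file cannot distinguish:", first_collision(SAMPLE_PASSWORDS))
```

The point for policy purposes is the width of the stored value, not the secrecy of the algorithm: a sheet- or workbook-protection password of any length is reduced to one of 65,536 values, so rotating those passwords quarterly changes nothing about how much protection they give. The password to open (which encrypts the file) is a different mechanism, as the post above notes.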

Dan7el > I don't believe Office document passwords are very secure at all.  

The solution I think is to trust your employees to perform the positions they are entrusted to, assign them to categories, groups of common access rights, and segregate the data based on access rights. This way you use the same OS ID/psw combination, making it easier for users to manage as well as for admins. As such, the users are more apt to better secure their passwords, and frequency of change. Give them too many and they'll end up reducing your level of security just to get the job done.

You may need to assess how many documents really do not need much secrecy, and still use some additional protections should you have to move documents around a lot. But really, even when corporations share their secret documents, the secrecy is more like a hand-shake agreement than a new-fangled form of undecipherable encryption. Passwords can get in the way of conducting good business.

Try to revisit with this the local policy for hardcopy. Which printed documents get shredded to what degree? Data handling is similar.
I would start right here:


Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use


The dramatic rise in cyber crime and the emergence of related new legislative requirements point to the need for better means to protect digital information. While organizations such as financial institutions, government agencies, healthcare organizations, and professional services firms address many security concerns adequately, their strategies usually focus on access and delivery of information. To augment perimeter-based (firewalls, repositories) or transport-based (encrypted delivery) security technologies, there is a need to better protect information after it has been accessed by or delivered to an authorized individual, helping to prevent sensitive information from intentionally or accidentally getting into the wrong hands.

This paper discusses Microsoft Windows® Rights Management Services (RMS) for Windows Server 2003 and related technologies. RMS is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use—both online and offline, inside and outside of the firewall.

Anything else is just unprofessional, especially if you use WinZip and the user forgets the password: "AES", have fun breaking ... .

celcius233 (Author) commented:
Wow...great answers everyone. I too, am in favor of layered defenses. However, my current situation lies more with organizational resistance to change.  I'll put it to you this way...they have NO password policy, and anyone with a standard set of dictionary cracks could probably own the majority of passwords in about 5 minutes. I'm beginning to think a demo in one of our manager's meetings of a crack and how simple it is given our current situation, versus complex passwords changed on a 90-day minimum rotation would help.
Yeah, a Demo would be a great thing...

What you could do is get software like Cain and Abel.. (like L0phtCrack but free). Put your user database password hashes in a text file, import it into the software, use a huge wordlist.. (or multiple ones using common names, locations, cities, objects, etc..) and BAM, you get about 75% of all the passwords in your corporation.

Cain and Abel can be used for password compliance verification and security testing of your network.. it can be legal or illegal, depending on the way you use it.

here is the link:

here is a good list of dictionaries/wordlists

to dump your password hashes to a text file, use pwdump4.exe; I'll let you find it on Google.. there are also other versions of pwdump around.

I don't remember if the software does Office password testing though..
Rich Rumble (Security Samurai) commented:
Unfortunately Office passwords have no expiration; you'd have to set some sort of reminder, and you'd basically be reminding yourself to change all passwords on all files the same day...
If you want to break NT passwords it's easy too: John the Ripper runs much faster than L0phtCrack on a M$ box, and faster still on a Linux box. The SANS Institute policy page has probably everything you need to make formalized policies, and they are easily customized with find & replace. Oh yeah, Pwdump3 and Pwdump3v2 (google for the zip files, pwdump2v3.zip, and you'll locate them quickly); you must be admin to dump the hashes. If they've never seen how fast NT passwords can fall, this will open their eyes very wide. AOPB from ElcomSoft and the dictionaries from purdue.edu can make short work of Office passwords to open: http://ftp.cerias.purdue.edu/pub/dict/
Richrumble : Hey, were you reading my mind? :)
Rich Rumble (Security Samurai) commented:
:) but I typo'd google for pwdump3v2.zip (not pwdump2v3)
And now I have to write a snort rule to detect pwdump4... and since it's easier to rename I'm going to have to find something very unique in a tcpdump to detect it reliably. Thanks for the info on the new version.
Probably the version is written somewhere in plain text in the hex code....
Rich Rumble (Security Samurai) commented:
Got the signature, and even submitted it to McAfee to add to their list of possible "unwanted programs". McAfee detects all the previous variants of pwdump and ntdump; they did not detect this one, yet.
The snort sig is:
50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68  PWDump4.dll.GetHash  <--- this is the unique string I needed- even if the dll and exe are renamed, this is seen in a dump

alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump4 Session Established GetHash port 139"; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; flow:to_server,established; classtype:suspicious-login; sid:99999990; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump4 Session Established GetHash port 445"; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; flow:to_server,established; classtype:suspicious-login; sid:99999991; rev:1;)

sorry- off topic.
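As an added example (written for this page; not part of the post above and not Snort's own code), here is the matching step the two rules perform, done in Python over constructed sample payloads: the `content:"|...|"` option is decoded the way Snort decodes pipe-delimited hex, and a payload is flagged only when it carries that exact byte sequence on port 139 or 445. The sample payloads are constructed test data; `$HOME_NET` and the `flow:` option of the real rules are not modelled.

```python
"""Decode a Snort 'content:' pattern and apply it to sample payloads.

Added example for this page. The byte pattern is the one in the two Snort
rules above; the payloads below are constructed test data.
"""
import re
from typing import Iterable, List, NamedTuple, Tuple

# The content option copied from the page's rules (pipe-delimited hex).
CONTENT_OPTION = '"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"'


def decode_content(option: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Snort treats text between '|' characters as space-separated hex bytes
    and everything outside them as literal characters. Surrounding quotes
    are stripped first.
    """
    s = option.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    parts = s.split("|")              # alternating literal / hex segments
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content option")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out.extend(part.encode("latin-1"))
        else:
            for tok in part.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    raise ValueError(f"bad hex byte {tok!r}")
                out.append(int(tok, 16))
    return bytes(out)


class Alert(NamedTuple):
    port: int
    offset: int
    msg: str


def inspect_payloads(payloads: Iterable[Tuple[int, bytes]],
                     pattern: bytes) -> List[Alert]:
    """Return one Alert per (port, payload) whose bytes contain the pattern.

    Mirrors the two rules: identical content, alerting on destination
    port 139 or 445 only.
    """
    alerts: List[Alert] = []
    for port, payload in payloads:
        if port not in (139, 445):
            continue
        offset = payload.find(pattern)
        if offset >= 0:
            alerts.append(Alert(port, offset,
                                f"Pwdump4 Session Established GetHash port {port}"))
    return alerts


# Constructed sample traffic: a renamed copy of the tool still carries the
# DLL-name/export string in what it sends; an ordinary file write does not.
SAMPLE_PAYLOADS = [
    (445, b"\x00\x00\x00\x40SMB-ish header..." + b"PWDump4.dll\x00GetHash" + b"\x00" * 8),
    (139, b"totally-renamed.exe payload with " + b"PWDump4.dll\x00GetHash"),
    (445, b"\xffSMB normal file write: quarterly_report.xls"),
    (80,  b"GET /index.html HTTP/1.0\r\n\r\n" + b"PWDump4.dll\x00GetHash"),  # not 139/445
]

PATTERN = decode_content(CONTENT_OPTION)

if __name__ == "__main__":
    print("pattern:", PATTERN)
    for alert in inspect_payloads(SAMPLE_PAYLOADS, PATTERN):
        print(alert)
```

The decoded pattern is the string shown in the hex dump above, `PWDump4.dll` followed by a NUL and `GetHash`, which is why renaming the executable or the DLL on disk does not defeat the rule: the match is on what crosses the wire, not on a file name.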
