jana asked:

How safe is a Microsoft Excel & Word 2010 password-protected document within a Zip file and stored in the Cloud

We have a series of MS Excel/Word documents in version Office 2010 which are: password-protected, zipped within a password-protected file and also stored in different cloud services.  That is:

The passwords are 12 characters long, all lowercase and one number.
Each document is compressed in a password-protected Zip v9.0 file
And finally, they are stored in
- Box
- Dropbox
- Google Drive
- iCloud Drive
- Mega
- OneDrive

We have been seeing a whole bunch of apps that can "recover" MS Word documents whose passwords have been lost.

Based on what we have described above, how safe are our documents from being cracked?
(obviously there is no 100% on anything with password; all is "crack-able", but wanted EE input)

Thanx in advance
Roy Cox

Not very safe at all. Those apps can be used to crack the passwords obviously.

Zip file passwords can also be cracked

ASKER

What do you recommend?
If you want security then don't use an office program

In Excel you could hide all the sheets except one unused one using XLSheetVeryHidden. Protect the WorkBook - the workbook protection is harder to crack than sheet protection.

For both you could look at encryption; look at this page, about halfway down there's an encryption tool:

Useful Tools
What / who are you intending on protecting from?

Why are the files in so many places?

Who knows about the files?

Who needs access to the files?

ASKER

Maybe if we rephrase the question.  By asking "How safe" as in our initial question, an obvious response would be "not very safe".  So we would like to rephrase the "How safe" to "How long".

If EE considers that we are going out of scope of the question, please advise if we should delete this question and create a new one for "How long".

Ok, First: the password we use for these Excel/Word documents and the Zip apps is constructed as follows:
  - 12 characters long
  - all lowercase
  - one number

   For example, the password follows this format: 9chdiekamsoi

Then, we compress or zip the already password-protected document into a WinZip 9.0 file, using a password on the zip file and 256-bit AES encryption.

Finally, and rephrasing the question, if we password-protect our 2010 Excel/Word document, and also compress the document with encryption in a WinZip 9.0 file, how long will it take a regular joe who buys one of these "crack" programs to get the WinZip/MS Office password (based on the construct above) in order to access the documents?

Hope this is more direct of what we want to consult.
I think the scope of the question is still fine,   upload a sample file... someone will tell you... :-)
Google tells me there are a LOT of tools to extract from locked zip files... here is one: http://www.peazip.org/extract-encrypted-files.html

A password on a Word file is like using dental floss as a bicycle chain...

My guess, total time less than 5 minutes.
On the other hand, you could encrypt the word document using something like veracrypt - but then you will need to decrypt at the other end... somewhat more complex.

https://veracrypt.codeplex.com/
Bah: my comment at 41507261 was ill informed... pea-zip came up as a tool for cracking password zip files, but does not seem to have that ability. Other tools use Brute Force Attacks etc. for zip files so that would take a much longer time...
[User generated image]
For WinZip files it would probably come down to whether or not there is a known vulnerability - nothing obvious popped up in my searching, on the other hand, for word files a password does not mean much.

ASKER

DrTribos:

As per request, uploaded a sample file with the password format as described...
And yes, Google says there are a LOT of tools to extract from locked zip files (reason for our question).
Also, VeraCrypt is not functional for us because we would have to have the VC apps installed on every PC or mobile device we use (and we think VC is not available for iPhone yet).
Now based on your entry in ID 41507289, we think we can assume that our docs are pretty safe from a "regular joe" peeping in with one of these crack apps.
That said, we googled more and found info that Word & Excel 2010 use AES, DES, DESX, 3DES, 3DES_112, and RC2 encryption (link https://technet.microsoft.com/en-us/library/cc179125.aspx#section1 and search for "2010" for the 2010 version; seems to state the encryption).
Also WinZip 9.0 uses 256-bit AES encryption when saving the compressed file (link http://www.winzip.com/aes_info.htm)

So is it safe to say that if we encrypt an Office 2010 document then save it in an encrypted WinZip file, both with a similar password format as described in ID: 41507251, our documents are pretty safe?
Huh.docx
You could store the files on an encrypted Cloud storage service, such as AWS S3.  S3 offers encryption at rest and in transit using either Client Side or Server Side encryption, take a look here: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html

Cheers,

Stu...
If you are using GAFW or O365, there are 3rd party extensions that let you encrypt with unique passwords at the file level.  These meet pretty much any standard other than ITAR, so you are covered for PCI, HIPAA, PHI, S/Ox, PII, etc.

For on premise, look at disk level encryption tools.

ASKER

Thank you very much!!!

With your input we have concluded that we are on the right track (combining MS Office 2010 & WinZip 9.0); we are pretty much protected from your "regular joe hacker-to-be", not 100%, but somewhat there.  Now that doesn't mean that there is no room for improvement, far from it.  With your advice, our first step will be to increase our pw from 14 to 21 character lengths and use the full range of symbols too.  Subsequently, consider other tools and techniques.

Again thanx!
@Roy... the encryption tool there was last updated in 2002, and is an Excel 97 sheet.  Is it still a capable tool, please?

@Rayluvs - thanks for the points.  Glad to hear you're tightening your password rules, but try and keep it variable - set passwords to be *between* 14 and 21 characters.  If the Bad Guys know it's one precise length, it helps them a lot.
Hi, and if you're still genuinely using WinZip 9, you should consider changing this:
http://kb.winzip.com/kb/entry/132/
as it's out of support, and missing a few security features too:
http://kb.winzip.com/kb/entry/294/

7-zip is free, and better, in my opinion.
http://www.7-zip.org/

ASKER

Hey!!! Thanx for that extra info!!!
I also prefer 7zip but can't speak to its security other than I tried to open a pw secured zip file (the screenshot I posted earlier) and there was no indication it was going to be quick 😊
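
For readers sizing up the two password formats discussed in this thread (the 12-character lowercase-plus-one-digit format from the question, and the 14 to 21 character full-symbol format from the closing posts), the following is an added example, not code from any poster, that counts the candidates an exhaustive search has to cover. It assumes "one number" means exactly one digit and that "full range of symbols" means the 95 printable ASCII characters; the guess rates are constructed parameters, not measurements of Office 2010 or WinZip AES.

```python
import math

LOWER, DIGITS, PRINTABLE = 26, 10, 95   # 95 = printable ASCII, space included (assumption)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def one_digit_keyspace(length, digit_position_known=False):
    """Count passwords of `length` chars: lowercase letters plus exactly one digit."""
    positions = 1 if digit_position_known else length
    return positions * DIGITS * LOWER ** (length - 1)

def range_keyspace(alphabet, min_len, max_len):
    """Count all strings over `alphabet` symbols with min_len <= length <= max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def compare(rates):
    """Entropy in bits and worst-case years per policy, for each guess rate."""
    policies = {
        "12 chars, lowercase + one digit (any position)": one_digit_keyspace(12),
        "12 chars, digit known to be first (as in 9chdiekamsoi)":
            one_digit_keyspace(12, digit_position_known=True),
        "14 to 21 chars, 95 printable symbols": range_keyspace(PRINTABLE, 14, 21),
    }
    return {name: {"bits": round(math.log2(ks), 1),
                   "years": {r: years_to_exhaust(ks, r) for r in rates}}
            for name, ks in policies.items()}

if __name__ == "__main__":
    # Constructed guess rates (guesses per second), chosen only to show scaling.
    for name, row in compare([1e3, 1e6, 1e9]).items():
        print(f"{name}: {row['bits']} bits")
        for rate, years in row["years"].items():
            print(f"  {rate:.0e} guesses/s -> {years:.3g} years worst case")
```

These figures only hold for passwords chosen at random within the format; a password built from words or a predictable pattern falls to dictionary-style guessing long before the full space is searched.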