Microsoft Office Password Protection Strength

Microsoft Office uses various types of password protection.  In general, passwords used to limit modification of documents are reasonably weak and can be cracked easily (and immediately) with tools such as Office Key (from www.lostpassword.com).  Passwords required before a file can be opened usually require brute-force cracking, but until I did some research, I still didn't know how strong the encryption was for these types of protection.

There is also an online service (www.decryptum.com) that offers document recovery for about $29/document in many cases.  The service will show you part of the decrypted document before you have to pay for the whole document decryption process.  If they can't decrypt it, you don't pay.  However, it seems to work pretty well.  I tested it with a simple Office 2003 document that required a password to open.  Within about 30 seconds, they showed me the first two lines of the document's contents (which, in this case, was the whole document).

Note: this does not work with 2007 XML formats, only with previous versions of Office documents.  That is consistent with Microsoft's warning that encryption with older versions of Office is not as strong as it is with native mode 2007 documents.

The online document recovery process does not determine what the password is.  It just involves removing the password requirement altogether.

Of course, you would want to be very careful with confidential documents…

This came up in a recent audit where the bank was using password-protected Word and Excel files as a security measure.  We determined this isn't a suitable method for securing documents they send via e-mail.
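For an audit like this one, the first question about any Office file is which format generation it uses. The following is an added example, not code from the original post: it reads the file's container structure and labels it as the older binary format, an encrypted 2007-style document, or a plain 2007-style ZIP. The signatures and the `EncryptionInfo`/`EncryptedPackage` stream names come from the published file format documentation rather than from the post, and the function names, labels and sample builder are hypothetical.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file signature
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def cfb_entry_names(data):
    """List directory entry names of an OLE2 file (uses only the 109 header DIFAT slots)."""
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]          # sector size
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):            # FAT sector numbers
        if s >= ENDOFCHAIN or size < 128 or len(sector(s)) < size:
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    names, seen = [], set()
    sec = struct.unpack_from("<I", data, 0x30)[0]                # first directory sector
    while sec < len(fat) and sec not in seen and len(sector(sec)) == size:
        seen.add(sec)
        for off in range(0, size, 128):                          # 128-byte entries
            entry = sector(sec)[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type and 2 <= name_len <= 64:
                names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names

def classify(data):
    """Triage label for one file's bytes, based on container format only."""
    if data[:4] == b"PK\x03\x04":
        return "ooxml-zip"          # ZIP container: 2007+ format, no password to open
    if data[:8] != OLE_MAGIC or len(data) < 512:
        return "unknown"
    names = set(cfb_entry_names(data))
    if {"EncryptionInfo", "EncryptedPackage"} <= names:
        return "ooxml-encrypted"    # 2007+ document with a password to open
    return "legacy-binary"          # Office 97-2003 format: the weaker generation

def sample_cfb(names):
    """Constructed input: header, FAT in sector 0, directory (max 3 names) in sector 1."""
    hdr = bytearray(OLE_MAGIC + bytes(504))
    struct.pack_into("<HHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9)     # versions, BOM, shift
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                     # 1 FAT sector, dir at 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + names):
        raw = name.encode("utf-16-le") + b"\0\0"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), 5 if i == 0 else 2)
    return bytes(hdr) + fat + bytes(directory)
```

The `legacy-binary` label identifies the format generation only; it does not say whether a password is set on the file.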
