Excel and VBA password security


by Rickard Warnelid on March 29 2009

The data security of Excel spreadsheets is a joke. Anyone with half a talent can crack the passwords at most levels using either simple VBA code or one of the Russian password crackers on Google. This is a well-known security issue for most people with a technical perspective on Excel, but in the banking / transaction space this is certainly not the case. It is not uncommon for people responsible for multi-billion dollar investments to protect parts of their Excel models by hiding and password-protecting individual sheets, without being aware that this ‘security’ can be circumvented in seconds using simple VBA code available on most Excel forums.

How secure is the password on ‘Protect Sheet’?

Below is a typical VBA example that demonstrates how weak the security of the ‘Protect Sheet’ functionality is. Password-protect a sheet and run the code below to generate another(!) password for that sheet.

    Sub PasswordBreaker()
        ' Tries 2^11 x 95 = 194,560 candidate passwords on the active sheet.
        Dim i As Integer, j As Integer, k As Integer
        Dim l As Integer, m As Integer, n As Integer
        Dim i1 As Integer, i2 As Integer, i3 As Integer
        Dim i4 As Integer, i5 As Integer, i6 As Integer
        ' A wrong password raises a run-time error; ignore it and continue.
        On Error Resume Next
        For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
        For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
        For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
        For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
            ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
                Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
                Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
            If ActiveSheet.ProtectContents = False Then
                MsgBox "One usable password is " & Chr(i) & Chr(j) & _
                    Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
                    Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
                ' Record the matching password in cell A1 of the first sheet.
                ActiveWorkbook.Sheets(1).Select
                Range("a1").FormulaR1C1 = Chr(i) & Chr(j) & _
                    Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
                    Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
                Exit Sub
            End If
        Next: Next: Next: Next: Next: Next
        Next: Next: Next: Next: Next: Next
    End Sub
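
A defender-side check for the weakness shown above, as an added example that is not part of the original post: it reads the worksheet XML of an .xlsx/.xlsm workbook and reports which sheets carry the legacy four-hex-digit `password` verifier (only 16 bits, which is why many different passwords unlock the same sheet) and which carry the salted `hashValue`/`spinCount` form. The sample workbook and its attribute values are constructed, and `audit_sheet_protection` and `build_sample` are names chosen here; the older binary .xls format is not handled.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_sheet_protection(xlsx_bytes):
    """Map each worksheet part of an OOXML workbook to a protection finding."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            prot = ET.fromstring(zf.read(name)).find(NS + "sheetProtection")
            if prot is None:
                findings[name] = "unprotected"
            elif prot.get("hashValue"):
                # Salted, iterated verifier written by Excel 2013 and later.
                findings[name] = "hashed:%s/spin=%s" % (
                    prot.get("algorithmName"), prot.get("spinCount"))
            elif prot.get("password"):
                # Legacy verifier: four hex digits, so only 16 bits to match.
                findings[name] = "legacy-16bit"
            else:
                findings[name] = "locked-no-password"
    return findings

def build_sample():
    """Constructed sample: only the worksheet parts the audit reads."""
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/'
             'spreadsheetml/2006/main"><sheetData/>%s</worksheet>')
    parts = {  # attribute values below are constructed placeholders
        "sheet1": '<sheetProtection password="ABCD" sheet="1"/>',
        "sheet2": '<sheetProtection algorithmName="SHA-512" '
                  'hashValue="Q09OU1RSVUNURUQ=" saltValue="U0FMVA==" '
                  'spinCount="100000" sheet="1"/>',
        "sheet3": '<sheetProtection sheet="1"/>',
        "sheet4": "",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, prot in parts.items():
            zf.writestr("xl/worksheets/%s.xml" % part, sheet % prot)
    return buf.getvalue()

if __name__ == "__main__":
    for part, finding in audit_sheet_protection(build_sample()).items():
        print(part, finding)
```

Either form only locks editing in the Excel interface; the cell data is stored unencrypted in the file, so confidential models need workbook encryption (the password to open) rather than sheet protection. For workbooks from untrusted sources, parse with defusedxml instead of the standard library parser.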

How to send secure Excel information to external parties?

The day-to-day impact of the security flaws in Excel is that many bankers have to extract key information from Excel into PowerPoint, which is a waste of everyone’s time but at least avoids distributing all of the data in the Excel workbook. Funnily enough, you often see the Excel workbook pasted as an Excel object into PowerPoint, which means that you can simply copy-paste the whole workbook back into Excel…

Can you send safe Excel Workbooks?

There are a number of different providers working on security solutions for these problems. Many individuals have built ‘time-bombs’ etc. in VBA which disable or destroy the workbook after a set date; however, these often rely upon the user enabling VBA code when opening the workbook… A simple ‘No’ to the question ‘Enable Macros?’ therefore disables the time-bomb and you get full access to the workbook. One classic example of this is Chip Pearson’s ‘Timebombing a Workbook’, which is an excellent article outlining a pragmatic view of Excel Security and should be read by all Excel users.

How to improve the security of Excel workbooks and VBA?

It would be great if there was one standard trick that solved all these issues. Unfortunately that is not yet the case, and the industry of Excel users is still searching for a simple-to-use and still secure solution. One new up-and-coming software development company that appears to have overcome the biggest hurdles of secure Excel workbooks is DataSafeExcel. DataSafeXl was started by Andreas Ashiotis, who has a background in KPMG financial modelling in London. I have only tested an early prototype of DataSafeXL but it looks very interesting, and Andreas swears that the security really is at the level needed for institutional transactions. In a rather clever way the software can be used to set things like expiry dates, and it then blocks the usual ways of disabling that functionality. If someone’s used this in real applications it would be great to hear more about it.

COMMENTS

If security in-transit (or in-situ) is of primary concern, simply Zip the workbook with a password. Properly-configured modern OSs will even make the file "transparently" usable as an Excel file at the filesystem level: i.e., double-click on the zip file, enter the password, and the workbook opens in Excel.
