7

Why does the following code break the excel password protect? Every sheet I have broken with it has had a password similar to 'AAAAABABABAWA', but I doubt these are the actual passwords.

It seems we have a bunch of integers with a strange range. Any idea how it works?

Sub PasswordBreaker() 'Breaks worksheet password protection. Dim i As Integer, j As Integer, k As Integer Dim l As Integer, m As Integer, n As Integer Dim i1 As Integer, i2 As Integer, i3 As Integer Dim i4 As Integer, i5 As Integer, i6 As Integer On Error Resume Next For i = 65 To 66: For j = 65 To 66: For k = 65 To 66 For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66 For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66 For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126 ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _ Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _ Chr(i4) & Chr(i5) & Chr(i6) & Chr(n) If ActiveSheet.ProtectContents = False Then MsgBox "One usable password is " & Chr(i) & Chr(j) & _ Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _ Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n) Exit Sub End If Next: Next: Next: Next: Next: Next Next: Next: Next: Next: Next: Next End Sub

pnuts
  • 58,317
  • 11
  • 87
  • 139

1 Answers1

11

This particular password mechanism is terrible. Many different passwords will work to unlock it. The script tries a bunch starting from AAAAAAAAAAAA, and stops on the first one that works. That’s why it says “One usable password is”—there are many usable passwords.

In detail, the input password is passed through a scrambler that produces a 16-bit output, regardless of input password length. Since there are only 65,536 possible ‘scrambled’ values that are checked against, and many billions of possible input passwords, for any password that you set, there are billions of other different passwords that will work to unlock it.

Most password mechanisms are not so insecure.

See: How does Excel's worksheet password protection work

Community
  • 1
  • 1
andrewdotn
  • 32,721
  • 10
  • 101
  • 130
  • Wow. That is horrible, thank you for that. Does Microsoft word use the same for encryption? –  Sep 21 '14 at 23:15
  • Protected Microsoft Word documents are also easy to crack: just zero out the password in the file. http://www.instructables.com/id/Unprotect-MS-word-Doument./ – andrewdotn Sep 21 '14 at 23:17
  • That is more horrible, since I actually use this feature. Thank you for your answer. –  Sep 21 '14 at 23:27
  • One final question, this method uses a macro to crack the page, what can be done if the macro page itself is the passworded section, I would assume based on track record, it can be broken similarly easily? I can't add a macro since the page is locked however, so I am not sure what one would do to bypass this, would I need to code up something externally to do it? –  Sep 22 '14 at 00:21
  • @Committingtoaname Not sure. You can probably add another macro page, or access the Worksheet object from a macro page in a different workbook. Worst case you can use GUI automation to drive the password dialog. At 65k possible passwords, even if it takes a full second to try each password, you’ll have it cracked in under a day. – andrewdotn Sep 22 '14 at 00:51
  • There's also the converting it to a .zip file to unprotect it. – Buzz Lightyear May 10 '16 at 20:42
  • New to the game on this, but if there are only about 65k possible entries, why is this code set up to iterate over 190k times? Is there a more efficient way to write this code? – MartyMcfly0033 Dec 10 '19 at 20:18