1

I have had to use this code to remove passwords from protected sheets that no one knows the password to, I am interested to find out how it actually works and whether or not it can be tweaked to remove passwords from other Excel bits eg workbook structure or workbook passwords?

Sub PasswordBreaker()

'Breaks worksheet password protection.

Dim i As Integer, j As Integer, k As Integer
Dim l As Integer, m As Integer, n As Integer
Dim i1 As Integer, i2 As Integer, i3 As Integer
Dim i4 As Integer, i5 As Integer, i6 As Integer
On Error Resume Next
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If ActiveSheet.ProtectContents = False Then
MsgBox "One usable password is " & Chr(i) & Chr(j) & _
Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
Exit Sub
End If
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
End Sub
Matthew Bond
  • 191
  • 2
  • 15
  • 1
    Looking at it - looks very similar to the code I have (copied from somewhere on the net). As far as I know it will break the structure passwords, but not the workbook password. – Darren Bartrup-Cook Dec 10 '15 at 15:47
  • 1
    I don't know VB, but this script appears to brute force with the expectation that all passwords are 12 characters long and that the first 11 of them are either A or B. Seems somewhat strange. – mah Dec 10 '15 at 15:50
  • 1
    It is a dirty brute force, just look at ASC table to adjust the loops to include more characters. (replace `65 To 66` by `1 to 92` for instance, but keep in mind the number of test that it'll generate!!! Total number of possibilities = Product of each number of possibilies) – R3uK Dec 10 '15 at 15:57

1 Answers1

3

Yes, it can be used to break anything except the password used to open a file.

The reason it works is that there is a vulnerability in the way Excel hashes passwords, so there are actually only 194K different hash values.

Detailed Discussion:
The reason is that the passwords you enter (i.e., with Tools/Protect/Protect Worksheet or /Protect Workbook) are not used directly in protection. Instead they are hashed (mathematically transformed) into a much less secure code. Effectively, any password of any length is transformed into a string of 12 characters, the first 11 of which have one of only two possible values. The remaining character can have up to 95 possible values, leading to only

2^11 * 95  = 194,560

potential passwords. This may seem like a lot, but it only takes a few seconds for a modern computer to try them all. As a comparison, a 4-character password containing just the 26 lower case alphabet characters has 456,976 combinations, and a 3-character password consisting of lower case, upper case and the digits 0-9 will have 238,328 combinations.

Again, it doesn't matter what your original password is, one of those 194K strings will unlock your sheet or workbook.

SeanC
  • 15,695
  • 5
  • 45
  • 66