15 Oct 2009
Enabling password rules for Office 2010
Hi, my name is Alan Myrvold, and I am a security tester on the Office Trustworthy Computing Team (TWC). This post introduces the new password rules feature in Office 2010.
Word, Excel, and PowerPoint have been able to password protect documents for several versions by setting the “password to open”. What we felt could be improved was the ability to enforce password strength rules, similar to what may be required when logging into your computer at work.
In Office 2010, the encryption password can be set from the Office Backstage View (File > Info > Protect Document > Encrypt with Password).
The same password can also be set as the "Password to open" in the General Options dialog reached from the Save As dialog, just as in previous versions of Office.
Password encryption is just one way to protect sensitive information. Depending on your business needs and risks, using IRM or BitLocker might be better choices.
Why is password complexity important?
Historically, Word and Excel used 40-bit RC4 encryption, and faster computers mean that 40-bit keys are now considered weak: a 40-bit key space is small enough to be searched directly, regardless of how strong the password is. The Office Open XML format (*.docx, *.xlsx, *.pptx) introduced in Office 2007 gave us an opportunity to improve the mechanism and algorithms used for password-based encryption of documents. The Office Open XML format uses 128-bit AES encryption, and we also use a deliberately slow key derivation algorithm so that each password guess costs the attacker more time. RC4 is still used when saving in the Office 97-2003 binary formats. For encrypted Office Open XML documents, the password is the weakest link: a short or commonly used password makes the document less secure, because it is easier for an attacker to guess.
If an attacker needed to try all possible passwords of 5 lowercase letters from a-z, there are only 26^5, or about 11 million, passwords to try in a brute force search, and a dictionary search might find the password even faster. An 8 character password chosen from lowercase and uppercase a-z plus the digits 0-9 gives a much larger space to search by brute force, 62^8 or about 200 trillion, and is harder to find with dictionary attacks too. These figures are the worst case for the attacker, who has to try every possibility; NIST estimates far less entropy in user-chosen passwords. Less entropy means that attackers can use heuristics to search the password space more intelligently than brute force.
Attackers can also harness the parallel processing power of graphics cards to speed up their attack.
Even so, for brute force attacks the length and character set of the password make a big difference. At an assumed rate of 10,000 password attempts per second, the 5 lowercase letter space is exhausted in about 20 minutes, while the 8 character mixed-case alphanumeric space takes roughly 700 years.
Enforcing a minimum password length and character set complexity requirements therefore makes passwords more difficult for attackers to guess.
How do I enable password complexity?
By default, complexity settings are not enforced; the feature is controlled through registry settings. Although I am describing the registry keys here, the Office Customization Tool (OCT) will be the easiest way to deploy these policies within an organization, but these settings aren't present in the OCT yet.
There are two registry settings that control this: PolicyLevel and MinLength.
Why not just use the Windows domain password policy?
When the policy level setting is 3, Office applies the Windows domain password policy in addition to all the checks at level 2. This allows a custom password filter installed for Windows passwords to be used for document passwords as well. If you are offline or a domain controller cannot be contacted, the Windows password settings aren't used and only the level 2 checks apply. If you don't have a custom password filter, level 2 gives the same result without a trip across the network, and is the best choice.
What if my password doesn’t meet the complexity requirements?
Depending on whether the password is too short or not complex enough, an error dialog will appear, and you can then re-enter the password.
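The following is an added example, not code from the original post or from Office itself. It models the two ideas above in one place: the brute-force arithmetic (key space size and time to exhaust it at the post's assumed 10,000 guesses per second) and a policy check with the same shape as the PolicyLevel/MinLength settings, returning "too short" or "not complex enough" as the dialog does. The post does not spell out what "complex enough" means at level 2; the three-of-four character class rule used here is an assumption borrowed from the Windows complexity requirement, and the level 3 behaviour (consult a domain filter when one is reachable, otherwise fall back to level 2) is modelled with an optional callable. Level 0 and level 1 are likewise assumptions.

```python
import string

# Guess rate assumed in the post's brute-force comparison.
GUESSES_PER_SECOND = 10_000

# Character classes used by the (assumed) complexity rule.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of the given length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: time to try every password in the space."""
    return keyspace(alphabet_size, length) / rate


def years_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Same as above, expressed in Julian years (365.25 days)."""
    return seconds_to_exhaust(alphabet_size, length, rate) / (365.25 * 86400)


def classes_used(password):
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_password(password, policy_level, min_length, domain_filter=None):
    """Return None if the password is accepted, otherwise the reason.

    Levels are modelled on the post (0 and 1 are assumptions):
      0 - no checks
      1 - minimum length only
      2 - minimum length plus complexity (assumed: three of four classes)
      3 - level 2 plus the domain policy; domain_filter stands in for a
          reachable domain controller / custom password filter and is a
          callable returning True when the password is acceptable. When it
          is None (offline), only the level 2 checks apply, as the post says.
    """
    if policy_level <= 0:
        return None
    if len(password) < min_length:
        return "too short"
    if policy_level >= 2 and len(classes_used(password)) < 3:
        return "not complex enough"
    if policy_level >= 3 and domain_filter is not None and not domain_filter(password):
        return "rejected by domain policy"
    return None


if __name__ == "__main__":
    print(f"26^5 = {keyspace(26, 5):,} passwords, "
          f"{seconds_to_exhaust(26, 5) / 60:.1f} minutes at {GUESSES_PER_SECOND:,}/s")
    print(f"62^8 = {keyspace(62, 8):,} passwords, "
          f"{years_to_exhaust(62, 8):.0f} years at {GUESSES_PER_SECOND:,}/s")
    for candidate in ("apple", "applepie", "Apple-Pie7"):
        print(f"{candidate!r}: {check_password(candidate, 2, 8) or 'accepted'}")
```

Run it as a script to see the two key spaces from the post side by side with the time an attacker at 10,000 guesses per second would need, followed by three constructed candidate passwords checked at level 2 with MinLength 8.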
What if I forget my password? Or the user leaves the company?
Oh dear. We've designed the Office Open XML password encryption to be strong and difficult for attackers to crack, which also makes password recovery slow. There is no back door and no key escrow, and the 128-bit AES key means guessing the password is the only practical option.
Unfortunately Microsoft support cannot assist you either, as described in KB article 189126: "Microsoft support engineers cannot help you retrieve passwords of files and features in Microsoft products that are lost or forgotten."
Because a forgotten password might result in the loss of critical business information, it is possible to prevent users from setting new passwords in Word, Excel, and PowerPoint by using the DisablePasswordUI setting.
The password rules feature is just one security enhancement in Office 2010, and future blog posts will cover more improvements we’ve made.
Security Tester, Office Trustworthy Computing