Excel Passwords and Password Cracking
Last week a client asked us to help access a password-protected Excel document. A former employee had worked on the document and put a password on it. The former employee was not being cooperative. Our team was able to find a version of the file that was not password-protected in the backups. But this got us thinking...
Firstly, this is an issue that should be top of mind with all the remote working going on currently. You should have a clear policy, communicated to all employees, not to put passwords on files. If for some reason you feel you need that extra protection, make sure you have a way of getting those passwords and keeping track of them, ideally in a password manager. If you do have a situation with a former employee who password-protected company files, the best solution would be to contact them and have them provide the password. If they are not being cooperative, contact your attorney. This can be considered a form of business disruption and can have legal ramifications such as destruction of company property or tortious interference.
We also looked at this from a technology perspective, which gets into a conversation about password cracking. Many tools (paid and free) and services are available to help crack all kinds of passwords and encryption. One company, Terahash, offers a $30,000 server specially designed to crack passwords fast. What it comes down to is time. The simple rule is: the longer the password, the more time it will take to crack.
Here are the quick tips on passwords:
- How long should my password be?
10 characters long, minimum, but make it as long as possible. Length is the most important factor in strength.
- Does my password need special characters to be strong?
Nope.
- Does my password need numbers to be strong?
Nope.
- How often should I change my password?
Only change it if you think it's been compromised. Never force users to rotate passwords; this actually lowers security.
- Can I use the same password on multiple sites?
Absolutely not. Every service should have its own unique password so that you don't have to change all of them when (not if) they get breached.
- How can I remember my password?
Don't try to remember your passwords; use a password manager. If you don't want to, write it down.
- What about two-factor authentication?
Always turn on 2FA if it's an option. Use the strongest 2FA method you can. A text message is weaker than an authenticator app, which is weaker than hardware-based authentication. Never give a service your phone number if you can help it.
- What about password recovery questions?
Don't give honest answers to these. For maximum security, generate a secondary random password for each question and store it in your password manager.
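To put numbers on the rule that length matters more than character variety, here is an added example (not from the original post) that estimates worst-case exhaustive-search time by length and alphabet, and finds how many plain lowercase characters match a 10-character password drawn from all printable ASCII. The guess rate is an assumed figure, and the model assumes randomly chosen characters; human-chosen passwords fall to dictionary guessing much sooner.

```python
# Assumed guess rate for illustration only (guesses per second). Real rates
# depend on the file format or hash and on the hardware; not from the post.
ASSUMED_GUESSES_PER_SECOND = 10**10

# Alphabet sizes for randomly generated passwords.
ALPHABETS = {
    "lowercase": 26,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def worst_case_years(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / (rate * SECONDS_PER_YEAR)


def min_length_to_match(alphabet_size, target_alphabet, target_length):
    """Shortest length over alphabet_size whose keyspace is at least that of
    target_length characters drawn from target_alphabet."""
    target = keyspace(target_alphabet, target_length)
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length


def report(lengths=(8, 10, 12, 16)):
    """One (alphabet name, length, worst-case years) row per combination."""
    return [(name, n, worst_case_years(size, n))
            for name, size in ALPHABETS.items() for n in lengths]


if __name__ == "__main__":
    for name, n, years in report():
        print(f"{name:20s} len={n:2d}  worst case ~ {years:.3g} years")
    print("lowercase length matching 10 printable-ASCII characters:",
          min_length_to_match(26, 95, 10))
```

Four extra lowercase letters make up for dropping digits, capitals and symbols entirely, which is why the tips above say special characters and numbers are not required.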
Want to learn more about passwords?
For a deep dive on strong passwords please read our post: The Ultimate Guide to Passwords