Most Recent Posts

Index of Older Posts


Using passwords in Microsoft Office Documents: be careful!

In the last week or so I have been asked several times where my follow-up article(s) for a solution to sharing a sensitive document on Dropbox are.  Truth is, I continue to look for a solution that I really like and that I can recommend without reservation.  The questions have included how to share with a family member, and how to share with a colleague. 

Most of the time we would like to share a Word, Excel, or PDF document.  One approach I've been asked about would be to:

  1. Set a password in Word (or Excel) so that the password must be entered before the document can be opened.
  2. Put the file on Dropbox, and share it with the other party as you normally would.
  3. Give them the password by telephone (if it’s so sensitive that you are trying to add end-to-end encryption, you probably shouldn’t email or text the password).

In theory this should work very well, with some limitations.  But there are some important concerns. 

For Mac users, neither Word 2011 or Excel 2011 for the Mac actually encrypts the document when you set a password!  According to Microsoft:  “Given sufficient time and knowledge, a user can [read and] modify data in any document that he or she has access to.”  The password merely prevents Word from opening the document so passwords in the current versions of Word or Excel are essentially useless.  However, Powerpoint 2011 for the Mac does seem to encrypt the file, though Microsoft is not forthcoming about how the file is encrypted.

On the other hand, Word and Excel 2013 for Windows appears to allow reasonable encryption.  The online Microsoft documentation is somewhat vague.  In Office 2010 it’s 128-bit AES, which is very good, but Office 2013 is not directly addressed.  You should also know that if you are working in a corporate envoronment, there are administrative options for encryption that can affect how strong it is, and can allow the organization to decrpyt your document with a master password.  This is, of course, appropriate and necessary, you just need to know about it!

If you use Apple’s Pages, Numbers, or Keynote, then password-protecting a document results in encryption using 128-bit AES.  The only downside here is that the newest versions (Pages v5.2, for example) use a new file structure where the “File” saved by Pages is actually a container of files. This doesn’t play as nicely with Dropbox (and other cloud storage providers) as the single .docx file from Word.  This was a recent change by Apple though, and I’m hoping that Dropbox et. al. will fix these issues shortly.

Finally, PDFs can also be encrypted using Adobe Acrobat (which most of us don’t have) or, if you are using a Mac, either by Printing as a PDF, or from Preview by selecting “Export as PDF…” from the file menu, selecting the “Show Details” button near the bottom of the dialog box, and checking the box for Encryption.  You will then enter and verify the password that will be used to encrypt the document.  This method uses 128 bit RC4 encryption which may be slightly less secure than 128-bit AES, but will be fine for most purposes.  Provided, of course, that you’ve selected a strong password!  The problem with PDF files, of course, is that they aren’t easily modified and changed the way Word or Excel files are. 

Finally, it’s very important that you and whomever else you are sharing the file with do not open and modify the file at the same time.  Dropbox is pretty good about not corrupting everything, but you will end up with two versions of the file that then have to be reconciled, which might be a big pain.

So, the bottom line is that if you are a Windows user, and using Office 2010 or 2013, you probably get adequate encryption with the built-in tools in MS Word, Excel and PowerPoint.  If, however, you are a Mac user, the password protection for Word and Excel is only there to dissuade someone from opening the file in the Microsoft program, but there is no encryption at all.  If you use Apple iWork (Pages, Numbers, and Keynote) then the protection is good.  But watch out for file syncing problems until the cloud storage providers have the new container format figured out!  Overall, I'm still looking for the optimall solution!



PrintView Printer Friendly Version

EmailEmail Article to Friend

References (10)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>
Main | Mitigating Risk »