In yesterday’s blog post “Internet café wi-fi and your security,”
we advised road warriors and others who use public wi-fi hot spots to communicate (without a VPN) that they should encrypt documents before sending them to avoid the possibility that they could be intercepted by someone sniffing the public network.
A former colleague of mine left a comment on the Sunbelt Blog that I feel is important enough to highlight in its own blog entry. Basically, encryption on older versions of Microsoft Office (before Office 2007) is no longer safe to use.
The colleague (Phil) pointed me to a piece on “David LeBlanc’s Web Log” from April 16 entitled “Don’t Use Office RC4 Encryption. Really. Just don’t do it.” As you might guess from the title, David points out the weakness of RC4 encryption, which is the only kind available in older Microsoft Office (2003 and before) applications.
He wrote: “If you need to encrypt an Office document, then use the new file format, and get real encryption as we’ve documented in more than one place. If you need to encrypt an older file format, then use a 3rd party tool that will do proper encryption. If you merely need obfuscation, perhaps to keep your kids out of the Christmas list, it might suffice for that, but not if you have a really bright kid.”
That “bright kid” line isn’t a joke because for $49 you can buy “password recovery” software that can crack weak Office 2007 and all passwords from earlier versions. (For sale here: http://www.lostpassword.com/kit-basic.htm)
One can be sure that fact has not been lost on the dark side, or on bright kids. If you explore that lostpassword.com site, it becomes very obvious what password cracking is all about.
So what SHOULD you do to encrypt a document?
You should use the safer AES encryption (Office 2007 and later) algorithm and a password (or phrase) as long as you can tolerate, with caps, numbers and punctuation — something like: “My_cat_Fluffy_likes_canned_tuna_!_12345.”
In versions of Office before Office 2007, Excel, PowerPoint, and Word offered the choice of several flavors of the RC4 encryption algorithm – not good. In Office 2007, documents are encrypted with the AES 128-bit algorithm. AES 128 is accepted by the federal government for documents with classifications up to and including secret.
To encrypt a document in Office 2007, go to prepare | encrypt document:
Want a little history of Microsoft encryption? Here’s a site with a concise, fast read:
“History of password protection in MS-Word”