A different set of people around the world are using remarkably simple tools to analyze these documents and open them — without knowing the passwords.
Are you part of the first group or the second? What you'll learn in this article may forever change how you look at password protection.
Password Cracking Tools Are Just a Download Away
A major player in "password recovery utilities" is an international company known as Passware, with offices in Tallinn, Estonia, and Moscow, Russia. The firm's flagship product, Passware Kit Enterprise 6.0, is a veritable Swiss Army Knife that can crack the passwords of almost any software you can think of:
• Office Applications. The kit includes modules to break the passwords of all versions of Microsoft Office. The company is particularly proud of its support for the latest Office 2003 releases, including password cracking of Microsoft Word, Excel, Access, Outlook, and VBA (Visual Basic for Applications).
• Windows Administrator Passwords. Microsoft Windows, of course, uses passwords to control Administrator access, and Passware hasn't neglected this aspect of security. Its module for Windows NT, 2000, XP, and 2003, the company says, can reset the login string to anything you like if you don't happen to have a machine's Administrator password, secure-boot password, or key disk.
• Vertical-Market Software. Besides accessing Microsoft file formats, Passware claims its kit's more specialized modules can recover the passwords of files created by Quicken, QuickBooks, Peachtree, Lotus Notes, Acrobat, and many other applications. Numerous enterprises rely upon password-protected ZIP files — Passware says its software can decrypt most WinZip archives in under one hour.
• Recovering Corrupt NTFS Encryption. The company's latest revision, Passware Kit Enterprise 6.1, is so new that it doesn't even have a press release yet (this article is its first mainstream media exposure). But you may be hearing more about it in the future. Its most important new feature is the ability to access the EFS (Encrypted File System) of NTFS — the storage standard Microsoft uses in Windows 2000, XP, and 2003 — from a second hard drive.
White-Hat Password Recovery
The latter capability deserves a longer explanation. NTFS password recovery has a legitimate purpose, as do several other Passware features. Every IT administrator's worst nightmare is to have encrypted a Windows 2000/XP/2003 hard drive, but later on lose the ability to input the password because of disk corruption. With Passware Kit, you can remove the corrupt drive from one machine, make it the secondary drive in another, and (if you know the original Administrator password) read the encrypted files just as before.
Passware Kit Enterprise sells for $595 at the company's Web site. A trial version of the company's software is the most popular of 43 downloads in the "password recovery" category at Tucows, a well-known shareware site. In addition, another Passware product, a totally free download called Asterisk Key, reveals the plain-text passwords that are ordinarily hidden beneath blobs in Windows dialog boxes. That all adds up to a lot of passwords that the people downloading these products are finding.
Dmitry Konevnik, Passware's customer service manager, told me in a telephone interview from his office in Moscow that Microsoft's password-protection schemes have built-in weaknesses. "The encryption key they use to encrypt the files is too short," Konevnik says. "The key is 40 bits long. It takes less time for us to simply brute-force all the keys than for us to brute-force all the possible passwords."
What Was That Password Again? Oops, I Forgot
Passware's software arguably gets more buyers from the authorized creators of password-protected files than from cloak-and-dagger, corporate espionage types. That's because the authorized users forget their carefully-chosen passwords, or employees move on, keeping in their heads the passwords of vital documents. At that point, IT professionals start looking for downloadable tools that can discover the original passwords or just reset them to some desired value.
People subconsciously want to be able to open a document if they forget the password — rather than take the risk of creating totally uncrackable files that can never be accessed if the code is lost.
But if you're the kind of executive who wants password-protected files that aren't trivial to break, Konevnik has good advice for you. "You should use additional cryptographic providers," he says, not just the default password methods offered by Microsoft and other software vendors.
For example, you can create a Microsoft Word document that even Passware couldn't break into for years, if ever. To do this in Word 2003, click File, Save As, then pull down the little-known Tools menu and choose Security Options. Clicking the Advanced button on the resulting dialog box gives you a choice of several "providers" or methods of encrypting the file. Selecting any method that uses 128-bit encryption gives you much stronger protection than Microsoft's default 40-bit key. "This increases the brute-force difficulty by thousands of times," Konevnik says.
That should be plenty of security for anyone, aside from the CIA. But you can store encrypted files on password-protected removable disks to add yet another layer of protection for absolute confidence. Some portable media, such as Iomega Corp.'s ZIP disks, offer password protection. The older 100 MB disks can be hacked, but specialized recovery consultants such as PWCrack.com say passwords on the 250 MB ZIP disks cannot be discovered or removed.
If your company password-protects its documents, thinking that this is a sure-fire defense against inquisitive intruders, you need to educate yourself on the tools that are now available to sweep encryption off almost any file.
If it's important for you to encrypt a document, it's important enough to do it right.