Around the world, millions of people are saving sensitive, confidential
documents in Microsoft Office and trying to protect them with passwords.
A different set of people around the world are using remarkably simple tools
to analyze these documents and open them — without knowing the passwords.
Are you part of the first group or the second? What you’ll learn in this
article may forever change how you look at password protection.
Password Cracking Tools Are Just a Download Away
A major player in “password recovery utilities” is an international
company known as Passware, with
offices in Tallinn, Estonia, and Moscow, Russia. The firm’s flagship product,
Passware Kit Enterprise 6.0, is a veritable Swiss Army Knife that can crack
the passwords of almost any software you can think of:
• Office Applications.
The kit includes modules to break the passwords of all versions of
Microsoft Office. The company is particularly proud of its support for
the latest Office 2003 releases, including password cracking of Microsoft
Word, Excel, Access, Outlook, and VBA (Visual Basic for Applications).
• Windows Administrator Passwords.
Microsoft Windows, of course, uses passwords to control Administrator
access, and Passware hasn’t neglected this aspect of security. Its module
for Windows NT, 2000, XP, and 2003, the company says, can reset the
login string to anything you like if you don’t happen to have a machine’s
Administrator password, secure-boot password, or key disk.
• Vertical-Market Software.
Besides accessing Microsoft file formats, Passware claims its kit’s more
specialized modules can recover the passwords of files created by Quicken,
QuickBooks, Peachtree, Lotus Notes, Acrobat, and many other applications.
Numerous enterprises rely upon password-protected ZIP files — Passware
says its software can decrypt most WinZip archives in under one hour.
• Recovering Corrupt NTFS Encryption.
The company’s latest revision, Passware Kit Enterprise 6.1, is so new that
it doesn’t even have a press release yet (this article is its first
mainstream media exposure). But you may be hearing more about it in the
future. Its most important new feature is the ability to access the EFS
(Encrypted File System) of NTFS — the storage standard Microsoft uses in
Windows 2000, XP, and 2003 — from a second hard drive.
White-Hat Password Recovery
The latter capability deserves a longer explanation. NTFS password recovery has
a legitimate purpose, as do several other Passware features. Every IT
administrator’s worst nightmare is to have encrypted a Windows 2000/XP/2003
hard drive, but later on lose the ability to input the password because of disk
corruption. With Passware Kit, you can remove the corrupt drive from one
machine, make it the secondary drive in another, and (if you know the original
Administrator password) read the encrypted files just as before.
Passware Kit Enterprise sells for $595 at the company’s Web site. A trial
version of the company’s software is the most popular of 43 downloads
in the “password recovery” category at
a well-known shareware site. In addition, another Passware product, a totally
free download called Asterisk Key, reveals the plain-text passwords that are
ordinarily hidden beneath blobs in Windows dialog boxes. That all adds up
to a lot of passwords that the people downloading these products are finding.
Dmitry Konevnik, Passware’s customer service manager, told me in a telephone
interview from his office in Moscow that Microsoft’s password-protection
schemes have built-in weaknesses. “The encryption key they use to encrypt the
files is too short,” Konevnik says. “The key is 40 bits long. It takes less
time for us to simply brute-force all the keys than for us to brute-force
all the possible passwords.”
What Was That Password Again? Oops, I Forgot
Passware’s software arguably gets more buyers from the authorized creators of
password-protected files than from cloak-and-dagger, corporate espionage types.
That’s because the authorized users forget their carefully-chosen passwords, or
employees move on, keeping in their heads the passwords of vital documents.
At that point, IT professionals start looking for downloadable tools that can
discover the original passwords or just reset them to some desired value.
People subconsciously want to be able to open a document if they
forget the password — rather than take the risk of creating totally
uncrackable files that can never be accessed if the code is lost.
But if you’re the kind of executive who wants password-protected files
that aren’t trivial to break, Konevnik has good advice for you. “You should
use additional cryptographic providers,” he says, not just the default
password methods offered by Microsoft and other software vendors.
For example, you can create a Microsoft Word document that even Passware
couldn’t break into for years, if ever. To do this in Word 2003, click File,
Save As, then pull down the little-known Tools menu and choose Security
Options. Clicking the Advanced button on the resulting dialog box gives you a
choice of several “providers” or methods of encrypting the file. Selecting any
method that uses 128-bit encryption gives you much stronger protection than
Microsoft’s default 40-bit key. “This increases the brute-force difficulty
by thousands of times,” Konevnik says.
That should be plenty of security for anyone, aside from the CIA. But you can
store encrypted files on password-protected removable disks to add yet another
layer of protection for absolute confidence. Some portable media, such as
Iomega Corp.’s ZIP disks, offer password protection. The older 100 MB disks
can be hacked, but specialized recovery consultants such as
PWCrack.com say passwords
on the 250 MB ZIP disks cannot be discovered or removed.
If your company password-protects its documents, thinking that this
is a sure-fire defense against inquisitive intruders, you need to educate
yourself on the tools that are now available to sweep encryption off
almost any file.
If it’s important for you to encrypt a document, it’s important enough to
do it right.