Protecting Excel Software

by Dermot Balson - Independent Developer

If you read the manuals, you will find that you can protect Excel worksheets and workbooks with individual passwords up to 15 characters long. In addition, if you "compile" your code into an XLA, it cannot be recovered by a user. So your valuable Excel VBA code is safe, right?

Wrong. Very wrong.

The password system is laughable, because there is a large number of valid alternatives to any password you dream up. It is so bad that even with a 15-character password, a brute-force random approach doesn't take long to crack it.

Worse, a long password can be cracked by a shorter alternative password, so length doesn't always increase protection. Worst of all, you can use VBA to attack itself by automating the password cracking.

OK, so you can break passwords, but you can't recover VBA code in an XLA because it's compiled, right? Wrong again - if you know how, you can recover it in full.

The proof is in the demo program Cracker.xla (9KB), which should be able to crack any XLA you care to throw at it, provided it has the words Black Label in cell A1 of its first worksheet (we don't want to abuse our knowledge, do we?). It uses a brute-force random attack on the password(s), so it may take a little time.

So, readers, if like me you are appalled at how easily a sophisticated product can be broken, let Microsoft know how you feel. My aim is to publicise the security weakness, not make it worse, so I'm not going to reveal how the demo program works, particularly the code extraction.

Written by: Dermot Balson
August 1995
