Comments on: Excel sheet protection password hash http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/ Kohei Yoshida's Webspace Thu, 26 Aug 2010 12:59:58 -0400 http://wordpress.org/?v=2.8.6 hourly 1 By: Kohei Yoshida http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2368 Kohei Yoshida Sun, 27 Jan 2008 23:31:39 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2368 @Mattew, Well, I'm not really qualified to comment on the quality of hashing algorithms since it's not my specialty. But since the length of the hash value is only 16-bit, the chance of two different passwords generating an identical hash value is higher than one would normally desire when using it for document security such as encryption. That said, this level of security may be just adequate for the purpose it is being used in Excel, since Excel's sheet protection does not in fact protect the content of the sheet but simply prevent accidental editing of the content. That's probably all I would have to say about the quality of this hashing algorithm. @Mattew,

Well, I’m not really qualified to comment on the quality of hashing algorithms since it’s not my specialty. But since the length of the hash value is only 16-bit, the chance of two different passwords generating an identical hash value is higher than one would normally desire when using it for document security such as encryption. That said, this level of security may be just adequate for the purpose it is being used in Excel, since Excel’s sheet protection does not in fact protect the content of the sheet but simply prevent accidental editing of the content.

That’s probably all I would have to say about the quality of this hashing algorithm.

]]> By: Matthew http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2339 Matthew Sat, 26 Jan 2008 20:44:45 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2339 Hello, do you have comments as to the quality of hashing algorithm? Thank you. Hello, do you have comments as to the quality of hashing algorithm? Thank you.

]]> By: Kohei Yoshida http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2304 Kohei Yoshida Fri, 25 Jan 2008 06:19:29 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2304 Hi Chris, thanks for the info about Wouter's blog post, and the bug fix in my code. ;-) BTW, the above PDF link should work now; the comma at the end of the URL was causing the link from working. I just edited my blog entry to remove my bug. Better do it sooner before people start to see my code, or worse, use it in their program. ;-) Hi Chris, thanks for the info about Wouter’s blog post, and the bug fix in my code. ;-) BTW, the above PDF link should work now; the comma at the end of the URL was causing the link from working.

I just edited my blog entry to remove my bug. Better do it sooner before people start to see my code, or worse, use it in their program. ;-)

]]> By: Chris Rae http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2303 Chris Rae Fri, 25 Jan 2008 04:16:26 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2303 Hi there - I work for MS on Excel, just to put my cards on the table. The above PDF link didn't work for me, but there's also a copy of the correct algorithm on Wouter van Vugt's page (http://blogs.infosupport.com/wouterv/archive/2006/11/21/Hashing-password-for-use-in-SpreadsheetML.aspx). There's actually a small bug in the one Kohei posted here - the XOR with *pch after the while() loop is a buffer underrun. By the time the while() loop finishes, pch points to the character before the first character of the password, which is an unknown area of memory. If it contains zero then this algorithm will work (because the XOR doesn't do anything) but if it contains something else it won't. Hi there – I work for MS on Excel, just to put my cards on the table. The above PDF link didn’t work for me, but there’s also a copy of the correct algorithm on Wouter van Vugt’s page (http://blogs.infosupport.com/wouterv/archive/2006/11/21/Hashing-password-for-use-in-SpreadsheetML.aspx). There’s actually a small bug in the one Kohei posted here – the XOR with *pch after the while() loop is a buffer underrun. By the time the while() loop finishes, pch points to the character before the first character of the password, which is an unknown area of memory. If it contains zero then this algorithm will work (because the XOR doesn’t do anything) but if it contains something else it won’t.

]]> By: Kohei Yoshida http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2204 Kohei Yoshida Mon, 21 Jan 2008 15:03:37 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2204 Hi Daniel, Yeah, I've noticed it in your doc after I came up with it mine. Good to know that my algorithm is in fact the correct one since it's identical to your pseudo-code. ;-) BTW, how did you come up with yours? Hi Daniel,

Yeah, I’ve noticed it in your doc after I came up with it mine. Good to know that my algorithm is in fact the correct one since it’s identical to your pseudo-code. ;-)

BTW, how did you come up with yours?

]]> By: Daniel http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2202 Daniel Mon, 21 Jan 2008 10:39:50 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2202 Btw, the correct algorithm has been documented years ago: http://sc.openoffice.org/excelfileformat.pdf , chapter 4.18.4 ;-) Btw, the correct algorithm has been documented years ago: http://sc.openoffice.org/excelfileformat.pdf , chapter 4.18.4 ;-)

]]> By: Kohei Yoshida http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2190 Kohei Yoshida Sun, 20 Jan 2008 15:16:58 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2190 Sure. That's a good idea. I'll look into that. Sure. That’s a good idea. I’ll look into that.

]]> By: kris http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/comment-page-1/#comment-2182 kris Sat, 19 Jan 2008 23:14:24 +0000 http://kohei.us/2008/01/18/excel-workbookworksheet-protection-password-hash/#comment-2182 Can you submit a "bug" against the standard? Let the standards people know MS submitted the wrong spec? Can you submit a “bug” against the standard? Let the standards people know MS submitted the wrong spec?

]]>