How Easy Is It to Hack a Password-Encrypted Spreadsheet

130 Replies

  • I'm not sure I would consider using either of these two options.

    I would say that the major reason for using a PW manager vs an office doc is availability. Office docs you need to carry a local copy or remote into the storage location and decrypt to get what you need. The PW manager would be available online.

    But I dislike both.

  • What's wrong with keeping them in the head :)

  • I just use one of these


  • Z-Ethan wrote:

    I'm not sure I would consider using either of these two options.

    I would say that the major reason for using a PW manager vs an office doc is availability. Office docs you need to carry a local copy or remote into the storage location and decrypt to get what you need. The PW manager would be available online.

    But I dislike both.

    A password manager does not need to be online (and for my money should not be online), but if it needs to be shared, then putting it in a shared place on your internal network is just as effective. If you are working remotely and need a password, then VPN or whatever into your shared place and open the PW manager file. If you need to have a PW manager to connect in via VPN, then you need to change the way you are doing your VPN authentication rather than change your PW management!

  • I wouldn't use a spreadsheet - the new versions encrypt, not just password protect, but there are cheap apps that can brute force it... I tried a reasonably good 10 character password and a high end GPU enabled PC got it in under 2 days.

    I prefer a web based tool as most of the good sites aren't going to allow a brute force online attack, but if their systems are compromised someone could take the hashed passwords and offline smash them.

    So it's kind of 6 of one and 2 x 3 the other.

    What do you trust most... I trust myself mostly so use a keeper security to store the login user and a hint to the password and the remainder in my head.

    If they get my keeper login and kidnap then waterboard me for 10 seconds I'm in trouble.

  • A password manager will be more functional than a spreadsheet, especially if you go for something like KeePass. That will do a number of beneficial things like associate access to the list with AD users, password generation, audit changes, export to other formats for disaster recovery etc. KeePass is offline as well, which is another reason I like it.

  • Just loosen the purse strings and buy 1Password.

    There are some things it's just not worth penny pinching.

  • @toby wells makes the point that an encrypted spreadsheet can be cracked, so that's a fair point. But can the password managers be cracked as well?

    The focus of my question is security, not functionality or cost. I'm not after any of the functionality that's been listed. OTOH I'm not afraid of spending money either. It's a simple risk question - which solution is less likely to be breached?

  • To put it simply, password managers are designed to store passwords, whereas spreadsheets aren't. A lot of password managers will log you in automatically into websites, but if you use a spreadsheet, you'll either need to copy and paste and then remember to clear your clipboard, or have to type the password in manually.

    I use TrueKey by Intel Security. It has offline availability, Two Factor authentication, browser extensions, mobile app and many more great features. The passwords are encrypted on an individual basis, so if someone was able to force their way onto the server and get into your account, they would have to decrypt every single password to get complete access. Whereas a spreadsheet, they just decrypt the spreadsheet and they have EVERYTHING.

  • Password Manager is the way to go otherwise keep it memorized. I use KeePass and 1Password.

  • Craig582 wrote:

    To put it simply, password managers are designed to store passwords, whereas spreadsheets aren't. A lot of password managers will log you in automatically into websites, but if you use a spreadsheet, you'll either need to copy and paste and then remember to clear your clipboard, or have to type the password in manually.

    I use TrueKey by Intel Security. It has offline availability, Two Factor authentication, browser extensions, mobile app and many more great features. The passwords are encrypted on an individual basis, so if someone was able to force their way onto the server and get into your account, they would have to decrypt every single password to get complete access. Whereas a spreadsheet, they just decrypt the spreadsheet and they have EVERYTHING.

    Interesting. That's the only specific suggestion so far as to why a p/w manager would be more secure than an encrypted document. You're saying there's two layers to break through?

  • Using password managers and copy and paste is the same, the clipboard still shows that password.

  • Another vote for encrypted password manager. Depending on your needs there are many available (including ours) either locally or online, and some with mobile clients too.

    I very much prefer using a manager since they are designed for this specific purpose and can save you a lot of time vs. opening an encrypted sheet and plugging things in.

  • I agree with pretty much all of the points mentioned in favor of password managers. Also, password managers like Dashlane use AES-256 bit encryption, versus AES 128-bit encryption used to protect Word docs. Both are used to sufficiently protect important docs and data.

    However, I think the biggest difference is a password manager's ability to encrypt the passwords themselves like Craig582 mentioned. Password managers go the extra mile by applying hashing and salting, which are two layers a hacker will have an extremely difficult time breaking through in order to see your password. I hyperlinked a pretty simple explanation of hashing and salting that you should check out. Hope this helps clear up the difference. :)

  • Password manager doesn't DISPLAY the password to you, it will *at a minimum* put it into the clipboard.  Good password managers will enter the username and password directly into the target UI for you.

    A spreadsheet is a big table of information you have to scrub through, find the record you want, copy the *visible* credentials by hand, and paste them by hand.  What if someone is behind you and sees some of the passwords?  What if that someone has a camera phone recording?

    I have a few thousand sets of credentials to keep track of.  Without KeePass I would be lost.

  • Malaika (Dashlane) wrote:

    I agree with pretty much all of the points mentioned in favor of password managers. Also, password managers like Dashlane use AES-256 bit encryption, versus AES 128-bit encryption used to protect Word docs. Both are used to sufficiently protect important docs and data.

    However, I think the biggest difference is a password manager's ability to encrypt the passwords themselves like Craig582 mentioned. Password managers go the extra mile by applying hashing and salting, which are two layers a hacker will have an extremely difficult time breaking through in order to see your password. I hyperlinked a pretty simple explanation of hashing and salting that you should check out. Hope this helps clear up the difference. :)

    If people are still using Office 2007, they have other issues.

    2016 is 256.

  • Oh neat! Thanks for the info.

  • I think using a password manager is better because even someone who isn't a hacker knows what an Excel file is and is going to try to break into those first. A password manager's files aren't going to look like valuable data to the average user. A bit of security through obscurity but still a good first layer of defense.

    I use Keepass; it is free and easy to use. If someone comes into my office or is looking over my shoulder it doesn't display the password on screen and clears the clipboard automatically after a few seconds.

    Also I think in today's world passwords aren't that secure. Like locking your car door, it's only going to stop or slow down the most basic criminals.

  • That I know of, an encrypted / password-protected doc won't let you add two-factor authentication. Any password manager worth considering will support it. That gives you another layer of security. In addition, as others have mentioned, you get the added benefit of per-user salting and hashing of encryption keys, which significantly slow down the time it takes to correctly guess just one password, thereby making it near impossible to crack with a decent master password.

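An added illustration of the salting and key stretching that several replies above mention (this is not code from the thread or from any product named in it): a per-vault random salt makes identical master passwords produce different stored values, and the iteration count multiplies the cost of every offline guess. PBKDF2-HMAC-SHA256, the header layout, the iteration counts and the attacker rate are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed figure for illustration only, not a benchmark of any real hardware:
# PBKDF2 iterations per second the attacker can compute offline.
ASSUMED_ATTACKER_RATE = 1e10


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key (salted PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def _check_value(key: bytes) -> bytes:
    # Stand-in for "the vault decrypts and authenticates": a MAC over a fixed label.
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def create_vault_header(master_password: str, iterations: int) -> dict:
    """Non-secret header stored beside the encrypted vault (hypothetical layout)."""
    salt = os.urandom(16)  # fresh random salt per vault, so equal passwords differ
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": _check_value(key)}


def unlock(header: dict, candidate: str) -> bool:
    """One unlock attempt costs `iterations` rounds, for the owner and a guesser alike."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    return hmac.compare_digest(_check_value(key), header["check"])


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, iterations,
                     attacker_rate=ASSUMED_ATTACKER_RATE) -> float:
    """Worst-case years to try every candidate when each guess costs `iterations`."""
    guesses_per_second = attacker_rate / iterations
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def comparison_table():
    """Rows of (description, iterations, years) for constructed password policies."""
    policies = [
        ("10 chars, lowercase+digits", 36, 10),
        ("16 chars, printable ASCII", 94, 16),
    ]
    rows = []
    for label, alphabet, length in policies:
        for iterations in (1, 100_000, 600_000):
            rows.append((label, iterations, years_to_exhaust(alphabet, length, iterations)))
    return rows


if __name__ == "__main__":
    a = create_vault_header("same master password", 100_000)
    b = create_vault_header("same master password", 100_000)
    print("same password, different salts -> different check values:",
          a["check"] != b["check"])
    print("correct password unlocks:", unlock(a, "same master password"))
    for label, iterations, years in comparison_table():
        print(f"{label:28s} iterations={iterations:>7} worst case ~{years:.3g} years")
```

The table shows that stretching multiplies the search time by a constant factor, while each extra character multiplies it by the alphabet size, so a long master password matters more than the iteration count.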

  • Just store them in an iPhone7. They will be encrypted.

  • I used to use a Word doc to store all my usernames and passwords. I would have to keep an updated copy of it in my Dropbox. I tried using Last Pass a while ago and I have to say it is working great for me. I have access to all my passwords and it is easier than logging into my Dropbox at work and looking up the password I need from a Word doc.

  • I've been using a password manager, KeePass, for a couple of years now and it has become a valued tool. I would not want to go back to a spreadsheet. There is a lot of username/password auto entry it does for me plus it creates secure passwords and makes it convenient to have a unique strong password for each account. We have also started using Pleasant Password Server - http://www.pleasantsolutions.com/passwordserver/, that turns keepass into a shared enterprise solution. So far it is just used by IT but we are working on rolling it out to other corporate departments as well.

  • Lol I just found Passware on an old computer

    but I use a PW Protected Excel Spreadsheet

  • I store our passwords in this and leave it in the server room on the keyboard rack.

    I figure if the bad guy gets past all the crap (guards, code locks, key locks, badge locks...) before that we deserve it...

  • "Just use one password for everything" is a common statement from users I've met... I once saw a developer that worked for a company I worked at use an encrypted .txt.... better than nothing, but password managers are decent if you don't trust yourself, offline password managers are better than online ones.

  • It would take a computer about

    24 DUODECILLION YEARS

    to crack your password

    and that's a memorized PW

  • I'll take password managers 100%. As for security, I think they are both close enough where that is not your deciding factor, although if I had to pick I would say password managers are more secure. Personally, I use Lastpass. Let's first consider that it is 100% more convenient to use than a spreadsheet. Next let's consider the main complaint of some of the password managers including Lastpass... they are stored on the cloud. Chances are, a company in this business with the amount of resources they have, will protect your data better than you are able to. Let's say they slip up and their servers get breached. A hacker takes all the info off the server. They still do not have access to your passwords as all the information is encrypted with your master password. Now they just stole tens of thousands of accounts. You will probably hear of the breach and change your master pass before the hackers brute force their way into thousands of accounts (would take forever using a half decent master password). On the other hand, they steal your spreadsheet, you will probably never know, they can run a brute force and may or may not get in but probably a better chance than the latter option.

    Also, if using a password manager, you have the option to use a password generator (you could do this without it but it's built in and you are more likely to utilize it). If you use this option, it will take even more effort to brute force any of your accounts.

  • Simply put: Password Managers are made for managing passwords. Spreadsheets never were. PMs have way more genuinely useful functions that spreadsheets lack like password generation, password history, audit, etc. Spreadsheets on the other hand don't have any of that...unless you want to go crazy and write a macro to do those things. But at that point, you might as well get a Password Manager.

    KeePass is probably one of the best (and free) ones available.

  • We use LastPass enterprise. 3 x IT pros with a shared vault is awesome.  We added our 'marketing' person with a separate shared folder (sub-vault ?) so that all social media and "bid" website passwords are also stored in a central space, encrypted, secured, two-factor capable.

    Once per quarter, we export all of lastpass, store as CSV on a stick and put the stick in a safety deposit box that the CEO has.

    To the guy who said store them in your head: my CSV export has 466 lines, each unique and over 20 chars each... good luck!

  • For personal use or for team use? Password managers which have multiuser support most likely have an audit trail, trash bins, versioning and are much harder to steal or overwrite than an Excel file.

    For personal use I like the convenience, relatively easy strong password generation, syncing across devices, auto-fill etc. I just memorize a few important passwords like the password manager, email, bank, and the rest, 200+ passwords, can be in the manager.

  • Another vote for password managers in general and KeePass in particular. A good password manager does more than just store a list of passwords like a spreadsheet. KeePass for example will fill username/password fields at the click of a button, or you can copy username/passwords individually, and then KeePass will clear your clipboard after 10 seconds or so (there's a count down bar but I've never bothered to actually count it down). Additionally you can create individual libraries and give access to all or specific parts of those libraries to other users. The actual library can be saved anywhere on your network and then you can point your local install to it, so if my laptop blows up all my passwords are still safe. Along those same lines I have to be on the VPN in order to reach it remotely so extra layer of security there. It will auto-generate passwords for you of a predetermined character length and complexity. It's got a bunch of other useful features as well.

  • I've been using Keeper for my password management for years

    Like others have said, it does more than give me a place to write down passwords, it generates passwords for me.

    Excel doesn't do that.

  • Password managers, depending on the one in question, provide several "extra" options over a spreadsheet:

    1. Multi-factor authentication, for example a password, lock file, or even Account info. i.e. Keepass can be set to need a password, a file, and a specific Windows account to open it. (last I checked)
    2. Allows "secure" copy/paste by not using the standard clipboard, or clearing it automatically.
    3. Allows for backup processes. For example, whenever a password is changed it maintains a copy of the old password for a week, or similar.
    4. Allows for random password generation. You can let it "create" a strong password. Granted it makes it near impossible to remember but also hard to guess.
    5. It is designed to be secure. Encrypted spreadsheets are often... less robust in their encryption. They make it harder to access but often have ways to crack it if you are truly determined. Password managers can also be cracked but usually more time consuming.

    There are probably other ideas I'm forgetting but you get the idea. It's a bit like picking the right tool for the job, sure in a pinch you can hammer a nail with your shoe (maybe) but if you plan to hammer nails... bring a hammer.

  • For professional use, I memorize everything - God help me if/when I have a head injury or amnesia one day.

    For my personal stuff, since I keep things is so different, I use the following scenario:

    I have (1) 64-GB Thumb drive and (1) USB 1-TB hard drive, both encrypted with BitLocker.

    * Password 1 Needed to Access (20+ characters) *

    From there, I have a 7z'd (AES-256) archive of various files/folders

    * Password 2 Needed to Access (20+ characters) *

    From there, I have specific, easily modifiable Image files (Photoshop/Gimp) w/ Textboxes

    - Each Image file can be easily updated each time I make a change

    I keep both of these in 2 separate safes

    - 2 different keys, 2 different locations (upstairs & downstairs)

    Lastly, I have 2 cameras over my front door and 2 over my back door, just in case

    - They are networked when I am not home and local when I am home

    This may sound extreme and laborious to some, but I tend to change my personal passwords every quarter - and I can update both the USB HD and Thumb drive in less than 10 minutes, once I have the programs open. Therefore, for 10 minutes per quarter for a decent peace of mind, I'll take it.

  • Hey Mark, thanks for starting up this discussion. I highly recommend using a password manager over an encrypted spreadsheet since they were never intended to be a password manager, so there's no chance it's ever going to be the best way to store passwords.

    The key features of a strong privileged account management solution include the following, all of which aren't found in a spreadsheet:

    –  Ability to store, manage and share passwords
    –  Top-level security with audit and compliance features
    –  Real-time management and disaster recovery

    I recommend downloading the 'Top Reasons Why Using Excel to Store Privileged Credential Passwords Creates Needless Risk' white paper for the top 8 reasons why you shouldn't risk storing passwords in a spreadsheet. I hope this will be a helpful resource for you!

  • Brian Nielsen wrote:

    What's wrong with keeping them in the head :)

    Because if your head goes dead...so go the passwords...

  • Everett3rd wrote:

    I store our passwords in this and leave it in the server room on the keyboard rack.

    I figure if the bad guy gets past all the crap (guards, code locks, key locks, badge locks...) before that we deserve it...

    I would probably go the extra step of putting it in a non-descript binder (rather than a bright pink cover that screams READ ME!) and labeling it "Server Room Cleaning Log" or some such.... although the amount of dust in the room at current may betray my subterfuge...

  • Good password managers have the ability to auto-fill your logon form without using the clipboard.  So that's at least two attack vectors less than using an encrypted office document.  I also appreciate the password generator that can suggest a password or rehash one according to the character requirements.  And it tells me how strong that password is before I've ever used it.

  • Mark8081 wrote:

    I've been reading a lot of discussions and reviews on password managers, and noticing some people using encrypted Word docs or Excel spreadsheets.

    Here's my question: If those Word / Excel docs are 2010+, they are fully encrypted (not just password-protected) - so why is a Password Manager program / vault / safe any more secure?

    Keepass, as far as offline PW managers goes, is awesome in that when you retrieve a password for one of your accounts, it automatically clears each retrieved credential (UN/PW) from the clipboard within 12 seconds (user definable).

    I am in and out of this numerous times per day and it has just always worked.  I've recently begun using it for tracking licenses and various other important information.

    Word and Excel documents are not intended for these tasks.

  • Tim8364 wrote:

    Good password managers have the ability to auto-fill your logon form without using the clipboard.  So that's at least two attack vectors less than using an encrypted office document.  I also appreciate the password generator that can suggest a password or rehash one according to the character requirements.  And it tells me how strong that password is before I've ever used it.

    Auto-fill is the best!

  • toby wells wrote:

    I just use one of these

    I've asked you numerous times to stop taking that out from its hiding place under my keyboard.  You need to get your own!

  • Nic Schuman wrote:

    For professional use, I memorize everything - God help me if/when I have a head injury or amnesia one day.

    For my personal stuff, since I keep things is so different, I use the following scenario:

    I have (1) 64-GB Thumb drive and (1) USB 1-TB hard drive, both encrypted with BitLocker.

    * Password 1 Needed to Access (20+ characters) *

    From there, I have a 7z'd (AES-256) archive of various files/folders

    * Password 2 Needed to Access (20+ characters) *

    From there, I have specific, easily modifiable Image files (Photoshop/Gimp) w/ Textboxes

    - Each Image file can be easily updated each time I make a change

    I keep both of these in 2 separate safes

    - 2 different keys, 2 different locations (upstairs & downstairs)

    Lastly, I have 2 cameras over my front door and 2 over my back door, just in case

    - They are networked when I am not home and local when I am home

    This may sound extreme and laborious to some, but I tend to change my personal passwords every quarter - and I can update both the USB HD and Thumb drive in less than 10 minutes, once I have the programs open. Therefore, for 10 minutes per quarter for a decent peace of mind, I'll take it.

    I'm a little curious about why you do all of that for your personal life but you choose to memorize work related passwords.

  • There is another issue with using a spreadsheet for passwords. When you have to open it to get to a password, it is visible on the screen with all of your passwords. This leaves you open to "shoulder surfing", whereas a password manager will fill in the password without ever viewing the password. I have actually been on webinars where the presenter had a password manager and was able to go log into a few password protected sites (and use 2FA) and we never saw the password. If they had a spreadsheet and it got opened on the screen, we could have seen ALL of their passwords.

  • Thanks for the Intel Security True Key mention! OP, if you are ever interested in looking into a secure password solution True Key could definitely fit the bill. The app is a secure place to store and manage all of your passwords. Only you can access them when you verify your identity with at least two factors – one you choose and the device you're using. It's multi-factor authentication made easy. Now if you are ever looking for a solution and are considering True Key you can learn more about the app and check out a demo here.

    If you do have any questions feel free to reach out!

  • So you mean I shouldn't just use Chrome to remember my passwords?

    <!-- before I get flamed -->

    </sarcasm>

  • We use LastPass. Great functionality, and I'm sure they could give you a word or two about their security features...

  • THEATRAIN wrote:

    Nic Schuman wrote:

    For professional use, I memorize everything - God help me if/when I have a head injury or amnesia one day.

    For my personal stuff, since I keep things is so different, I use the following scenario:

    I have (1) 64-GB Thumb drive and (1) USB 1-TB hard drive, both encrypted with BitLocker.

    * Password 1 Needed to Access (20+ characters) *

    From there, I have a 7z'd (AES-256) archive of various files/folders

    * Password 2 Needed to Access (20+ characters) *

    From there, I have specific, easily modifiable Image files (Photoshop/Gimp) w/ Textboxes

    - Each Image file can be easily updated each time I make a change

    I keep both of these in 2 separate safes

    - 2 different keys, 2 different locations (upstairs & downstairs)

    Lastly, I have 2 cameras over my front door and 2 over my back door, just in case

    - They are networked when I am not home and local when I am home

    This may sound extreme and laborious to some, but I tend to change my personal passwords every quarter - and I can update both the USB HD and Thumb drive in less than 10 minutes, once I have the programs open. Therefore, for 10 minutes per quarter for a decent peace of mind, I'll take it.

    I'm a little curious about why you do all of that for your personal life but you choose to memorize work related passwords.

    SSSS* obviously.

    *(Super Secret Spy Shit)

  • Everett3rd wrote:

    SSSS* obviously.

    *(Super Secret Spy Shit)

    Thanks for this!

  • Brian Nielsen wrote:

    What's wrong with keeping them in the head :)

    Because some people can't remember passwords......😊

    Julie

  • Even if for some reason you copied a password out of a password manager, a good password manager will clear that from your clipboard. I have no clue if it's retrievable after this point though, but it's still more secure than having someone being able to just open a document and pasting in your password.

Source: https://community.spiceworks.com/topic/1960595-protecting-passwords-encrypted-spreadsheet-vs-password-manager
