Another major tech news organization has picked up and flogged another red herring about a hack to Word’s password-protection feature.
Another major tech news organization has picked up and flogged another red herring.
“A simple hack to Word’s password-protection feature means documents may not be as secure as users believe. No fix is on the way, says Microsoft” shouts the headline. What a crock.
Here’s what happened. A very clever guy named Thorsten Delbrouck posted a very clever password hack on Bugtraq a couple of weeks ago. The hack involves going into a Word document with a Forms password and re-setting the password (actually, the password’s checksum). Once the password is reset, you can un-password-protect the document by providing a blank password.
Maybe that sounds menacing to you, but to me it’s as ho-hum as the discovery that “hiding” an Excel column or worksheet doesn’t hide anything at all, or that hidden cells can be copied. Those aren’t security settings. They’re just features that help to keep people from shooting themselves in the foot. Permit me to explain.
If you’ve never constructed a Form in Word, you’re lucky. Word Forms are based on Word templates, but you add very specific kinds of fields to the templates: fill-in-the-blanks boxes for users to type stuff; check boxes; drop-down boxes; and the like. So part of the Form is “fixed” and part of it gets filled out. Conceptually, it’s pretty easy.
There are tools in Word to perform rudimentary data validity checking, make simple calculations, and in general make a Form behave like a form. (In fact, there are much better tools available these days for creating Forms, but I digress.)
Once you’ve built the form, you want to keep people from changing the “fixed” part – say, if you calculate a total, you don’t want the person filling out the form to be able to type over the top of your calculated value. That’s where password protection comes in. With Word 2002 and earlier, you click Tools | Protect Document, click the button marked Forms, and type in an optional password. In Word 2003, click Tools | Protect Document, and you get a pane that includes “Editing Restrictions”. Pick Filling in Forms from the drop-down box, click Yes, Start Enforcing Protection, and you can provide a password if you want to.
If you type in a password, Word doesn’t encrypt the Form, or any document created based on the Form. (Word 2003 explicitly says that. In Word 2002 and earlier, you have to guess, I suppose, but it’s pretty obvious given the context.) The password only comes into play when somebody really needs to over-ride calculated values and other “fixed” parts of the form.
Being able to bypass “Password for Forms” isn’t a big deal. If anyone seriously used “Password for Forms” and thought it would protect a document, they must’ve been operating under several levels of delusions.
Microsoft’s Knowledge Base article gives the lowdown on this and many other “protection” features that aren’t intended to be security features. Well worth a quick glance.