Why you should not password protect a Word document

in , , ,

Why Word password protection is not secure & how to unlock a doc

This blog will guide you through the process of protecting a Word document, but we’ll also answer an important question: is Microsoft Word password protection suitable in a business environment?

  How does Microsoft Word password protection work?


Despite heavy competition from the likes of Google Docs, Microsoft Word has remained the text editor of choice for many businesses.  It’s used for anything from note-taking to documentation, contracts, reports, and legal documents.  Given the sensitive nature of some of these documents, it’s natural that businesses want to secure them.  Microsoft Word uses simple yet effective encryption for its document protection.  While the document remains encrypted, it cannot be read – presenting itself as a jumble of numbers and letters to anybody who does not hold the decryption key.  Entering the password allows a user to decrypt the document and therefore view and edit it.

Microsoft Word has another, lesser-used password protection that controls whether or not users can edit.  This does not use encryption and is instead enforced by the software, which disables the ability to type, delete characters, and modify formatting.  We’ll talk about both methods today, covering:

  1. The problem with password-based encryption
  2. How to password protect a Word document to prevent opening
  3. How to password protect a Word document to restrict editing
  4. How to hack a Word document which is password protected
  5. How to encrypt a Word document for email
  6. A better way to encrypt and protect documents

  The problem with password-based encryption

How secure is an encrypted Word document?

All password-based encryption mechanisms share the issue of making a strong encryption algorithm (such as AES) far less secure. Instead of requiring a long, complex, and randomly generated encryption key, an attacker needs only a human-created, often short and simple, encryption password.

This fact applies to Word documents as well as when you password protect Excel, PDFs, password-based folder encryption, etc.  And make no mistake – after decades of passwords being used for everything from social media to bank accounts, tools have become very effective at cracking them.

The bigger issue, however, is not that passwords are crackable, but that they are shareable. Any legitimate user you give the document to, along with the password, can share both with an unauthorized party. This could be intentional, in the case of an internal leak, or unintentional, through social engineering, the storage of the password in an insecure location, etc.

The same applies to the document’s contents. If there are no additional editing or copy-protection controls, a user with the password can copy the content to another file, email, or text chat and share the file that way.

Ultimately, then, password encryption only protects documents from being intercepted and when they are sitting on the recipient’s PC, unopened.  But even then, due to the human nature present in password choice, it is of limited effectiveness.

So, what about Word’s built-in editing protection?  Is that effective at preventing sharing?

  Restrict editing in Word: is it effective?


As you would expect, Word’s restrict editing feature has the same issue as any other password protection: sharing and cracking.  However, in this case it’s worse than that because the document has already been decrypted.  A user can easily:

  • print the document to a PDF
  • copy and paste content into another document
  • save it as another document type and then convert to Word
  • screenshot it and run it through an OCR tool.

The restrict editing tool, then, is mostly there to prevent somebody from editing a document accidentally, rather than offering any real protection.

   Why password protected links do not work


Another popular way to create and share a password protected Word doc is using OneDrive.  Users can upload their document to the cloud service, share it as a link, and then modify the link-sharing settings to require a password.

This makes fundamentally no difference to security.  It has the same flaw as any other password protection: users can share the password along with the link.

OneDrive’s editing and copying controls are also flawed. On regular versions of OneDrive, you cannot prevent downloads, and downloaded copies are not protected. While enterprises with a SharePoint license can stop downloads, users can still copy and paste or screenshot, as covered in SharePoint security.

   How to password protect a Word document to prevent opening


As we discussed password-protecting a document in Word will not stop leaks or unauthorized sharing. It can, however, be useful to protect documents before they are opened.  Here’s how to encrypt a Word document with a password:

  1. With the document open, press “File” in your ribbon, then “Info”.
  2. Click on the “Protect Document” button and choose “Encrypt with Password” from the list.
  3. Enter a strong, unique password and press “OK”.
  4. Enter the password a second time to confirm it. Press “OK”.

    Word has now encrypted your document.  Next time you open it, you will be prompted to enter the password before you can view its contents.

   How to password protect a Word document to restrict editing


Microsoft Word’s editing protection isn’t good for much (it does not use encryption), but it will stop you or a recipient from accidentally changing the contents of a document.  You can also enable it very quickly via the “Review” tab.

  1. Open the “Review” tab of your ribbon and click “Restrict Editing”.
  2. In the “Editing Restrictions” section, choose the type of editing you’d like to allow via the dropdown.  If you don’t want users to edit the Word document then select the option ‘No changes (Read only)’.
  3. Press “Yes, Start Enforcing Protection” and enter a password. Press “OK”.

    You’ll see that when you try to edit text the “Restrict Editing” sidebar will appear.  Users will have to press “Stop Protection” and enter the password before they can edit the document.

   How to hack a Word document which is password protected


If you forgot the password to your password-encrypted Word document, it is possible to recover the file.  In fact, if you only applied a password to restrict editing, this is trivial.  For documents that were encrypted using a password, the process will be much lengthier, requiring a brute force attack.  Let’s start with the easy option.

  How to unlock an edit-restricted Word document without a password

The easiest way to unlock a Word document with Restrict editing applied is to not unlock it all.  Though Word disables editing, it doesn’t disable other functionality that enables you to bypass editing restrictions.

3 simple ways to remove restrict editing in Word
  1. Copy and Paste: Select the text and images in your word documents, press Ctrl + C, then press Ctrl + V in a new document.
  2. Print to PDF: Press ‘File > Print’. Select the printer ‘Microsoft Print to PDF’ and then press the Print button.

    Open the PDF in Word, then save it as a Word document again.
  3. Save as PDF: Press ‘File > Save As’. From the save dialog, choose PDF from the ‘Save as type’ dropdown.

    Open the PDF in Word and save as a Word document.

It’s as easy as that.  Any of these methods will remove the protection in less than a minute.

Unlock your edit-restricted Word document with a Word file password cracker

If, for whatever reason, you want to keep the original document intact, you can unlock the edit-restricted document using a password recovery app instead.  There are various paid options out there – just Google “Word password recovery”.  We’ll be using Passware because its free trial allows you to see if the unlock was successful before you purchase.

Unlocking a Word document using such software is easy.  After installing the trial, just:

  1. Browse to the file and press “Open”
  2. Wait a few seconds for the software to remove the protection.

You can buy the software to gain access to the file.  It should be able to remove the restrict editing password 100% of the time, as there is no encryption involved in Microsoft Word’s controls.

  How to crack password encrypted Word document

Unlocking a password-protected Word document that uses encryption is going to take time if you do not already know the password.  How much time will depend entirely on how long and complex the password was used to protect the document.  Either way, you’ll have to use paid software to do so, such as Elcomsoft Advanced Office Password Recovery, though it does not have to be too expensive.

We’ll be using Passware because its free trial tells you part of the password for free, allowing you to be sure the document can be unlocked before paying.  Here’s how to use it:

  1. Browse to your document and press “Open”.
  2. Choose the “Run Wizard” option.
  3. Enter any details you already know about the password and click “Recover”.
  4. Wait for the software to find the password.
  5. Purchase the software if it is successful and open the unprotected file.

Depending on the password length, how much information you’re able to provide, and your PC’s specs, this process could take anywhere between seconds and years.  In our testing, the software was able to crack a simple four-character password in about four seconds.

Of course, the easiest way to crack longer passwords will usually be to either ask somebody who knows it or perform a social engineering/phishing attack.

   How to encrypt a Word document for email


If you want to encrypt a Word document for email, you can just password-protect it in Microsoft Word and then send it using any email application such as Outlook, Gmail, etc.  However, you also have to find a way of securely transmitting the password to the recipient so they can open the encrypted Word document.  This can become cumbersome if you have multiple files to encrypt and send to multiple recipients.

A more secure way of encrypting a Word document for email would be to use PGP encryption (it uses public key technology instead of passwords) and encrypt the Word document as an attachment.  Alternatively you can use a dedicated secure email app or service such as Hushmail.

If you want to encrypt a Word document and control how it can be used after it has been decrypted (i.e. prevent the user passing it on, copying text, printing it, etc.) then the only way you can achieve this is by using DRM or Digital Rights Management restrictions.  See How to send a secure PDF file or attachment by email for how to achieve this.

   A better way to encrypt and protect documents


Microsoft Word’s protection is not suitable for document sharing in a business environment or for protecting confidential and sensitive information. Its editing protection is basically useless, and its password encryption is only suitable when the document is in transit or at rest.

For serious protection of sensitive and confidential documents, organizations should use a document DRM solution instead.  Document DRM is designed to protect your file in all situations while retaining modular controls.  Here’s how Locklizard PDF DRM works:

  1. You encrypt a PDF on your local PC and add any DRM controls you desire.  These can include anti-screenshotting and copying techniques, printing controls, watermarks, device/location locking, and more.
  2. The protected PDF is saved to your disk as a .PDC file and a record of the document is recorded on the Admin System.
  3. You create a user account for each person who you want to be able to view the document.
  4. Users receive an email with a license file and a link to download the Safeguard secure viewer.
  5. After installing the viewer, the user clicks the license file to activate it on their PC.  Once activated, the license file cannot be registered elsewhere (unless otherwise specified).
  6. You choose which documents users can access via the Admin System.
  7. You send the encrypted PDF file to users just like any other file (via email, file sharing, messaging, etc.)
  8. The user opens the PDF with their secure viewer application.

The licensing server transfers the decryption keys from the server securely, transparently, and only to authorized users that hold a valid license file.  Once received, the keys are saved in an encrypted keystore that cannot be shared with other devices.

As a result, users without a valid license cannot decrypt and view the file. Those who do have permission to view the file cannot edit or otherwise share it, as its contents are only ever decrypted in memory. The secure viewer application also prevents editing, copying, screenshotting, and printing (if desired).

Of course, while PDF DRM like Locklizard offers far better protection, it’s also an additional cost.  So you need to decide: how important is document security to your business?  Do you often share sensitive documents with untrusted parties, or will simple password protection do?  Ultimately, only you can decide – but do not underestimate the impact of a leaked document on your business or how far people are willing to go to break your security.

   FAQs

What type of encryption does Microsoft Office use for Word and Excel files?

All Office files (Office 2016 and above) that you password-protect are encrypted with AES 256-bit.  Office 2010 and above uses AES 128-bit.  Older versions of Microsoft Office use a proprietary encryption algorithm.

Is Microsoft Word safe?

Microsoft Word is safe to use for day-to-day tasks; you just shouldn’t rely on it when sharing sensitive and confidential information.

What is Microsoft Word’s encryption strength?

Word uses AES 256-bit encryption

How secure is an encrypted Word document?

How secure Word encryption is depends on what you are trying to achieve:

  1. To restrict access.  If you use a strong password to protect a Word doc then it is as secure as any other type of password encryption.  If the password is unknown, attackers will have to use password removal software to try and crack it.
  2. To prevent sharing.  If you lock a Word document with a password to prevent unauthorized sharing then it is not very secure since an authorized user can share the password with others or simply remove it.
  3. To prevent editing.  If you want to restrict editing in Word then you are wasting your time since the security can be easily bypassed.
What is Word read-only mode?

This option enables users to view a Microsoft word document but not edit it.  However, it does not prevent users copying content into another Word doc, saving it to another format or printing it to a file driver – all of which defeats the purpose of a read-only mode.

You select read-only mode in the Restrict Editing section.

Does adding a Digital Signature make a Word doc more secure?

A digital signature is an invisible signature used for authentication purposes.  It differs from an electronic signature (a visible image of your written signature) but can be used in conjunction with it.  A digital signature is an encrypted stamp of authentication and is created by using a signing certificate, which if issued by a reputable Certificate Authority, proves identity.

Adding a digital signature to a Word doc confirms that the information originated from the signer and has not been altered.  Recipients need your certificate and public key to verify the signature.  So if users remove editing restrictions from an Office document and alter it after it has been digitally signed then you will be alerted to this.

Does Word only have a password option to protect docs?

No, you can restrict access and prevent editing, copying and printing by using Microsoft Rights Management Services (RMS).  This uses cryptographic keys instead of passwords to protect content.  Additional controls such as expiry, and tracking is also available in Azure RMS (the cloud version).  However, Microsoft RMS can be bypassed by any user with view access via the use of a simple .exe file published by researchers years ago.

How do I create a simple Word file that is password protected?

Follow the instructions in this guide:

Bear in mind that the security is pretty useless so should not be used for the protection of sensitive and confidential business documents.

Does Locklizard protect Word docs & other Office file types?

Locklizard does not protect Office files in their native format.  If you want to encrypt a Word document with DRM, then just like if you want to protect PowerPoint presentations, you have to convert Word to PDF and then protect it.

If you want to lock a Word document from editing, copying, copy paste, sharing and printing then save it as a PDF file before protecting it with Locklizard Safeguard.  Wtih Locklizard you can also lock a Word document to a device and location, add expiry, and remotely revoke access.

How can you make a Word document expire?

There is no option in Word to make a document expire.  You have to use MicroSoft RMS (used by Azure 365 and AD) or another form of DRM.  The same applies if you want to prevent a Word document from being printed, copied, edited, or shared.

Locklizard enables you to expire Word docs that have been converted to PDF format.  You can make a document expire on a fixed date, after a number of views, days or prints.

Can I recall an encrypted Word doc via my email client?

While you can recall sent emails and their attachments (see how to recall an email in Outlook), this functionality is much more limited than the revoke feature in a DRM solution such as Locklizard.  The Outlook recall feature only works with emails that have not been opened, are sent to an Outlook or exchange address, and are within your organization. Gmail’s unsend feature requires you to act within thirty seconds of sending an email.  In practice, these features aren’t very useful for document security.

What advantages does Locklizard provide over Word password protection?

Locklizard does not use passwords to protect Word documents, so there are no passwords for users to share or for tools to remove.  We use secure and transparent key management with a licensing system, AES 256-bit encryption, and DRM controls.

Locklizard gives you full control over your documents:

  • Stop sharing
  • Prevent copy paste
  • Prevent editing
  • Prevent printing or allow degraded and watermarked prints
  • Stop screenshots
  • Add permanent and dynamic watermarks to identify users
  • Expire files automatically on a date, after a number of days, opens, or prints
  • Lock use to devices and locations
  • Track use
  • Revoke access remotely at any time

Locklizard provides the same level of security for offline and online files, and there are no complex policies or keys to manage.

How to protect a PDF securelyWhy Google Docs watermarks are not secure