Case Study Password Cracking

The password hacking schemes were very easy in Excel 97 and Excel 2000.The password cracking software could immediately locate the actual password in the VBA project and report it to the software user.

Then, in Excel 2002, Microsoft offered a brilliant protection scheme that temporarily appeared to foil the password cracking utilities.The password was tightly encrypted. For several months after the release of Excel 2002,password cracking programs would have to try brute force combinations.The software would be able to crack a password like "blue"in 10 minutes. But given a 24-character password like *A6%kJJ542(9$GgU44#2drt8,the program would take 20 hours to find the password.This was a fun annoyance to foist upon other VBA programmers who would potentially break into your code.

However,the next version of the password cracking software was able to break a 24-character password in Excel 2002 in about two seconds.When I tested my 24-character password-protected project, the password utility quickly told me that my password was XVII. I thought this was certainly wrong, but after testing, I found the project had a new password of

XVII.Yes, this latest version of the software resorted to another approach. Instead of using brute force to crack the password, it simply wrote a new random four-character password to the project and saved the file.

Now,this causes an embarrassing problem for whoever cracked the password.The developer has a sign on his wall reminding him the password is *A6%kJJ542(9$GgU44#2drt8.But,in the cracked version of the file,the password is now XVII. If there is a problem with the cracked file and it is sent back to the developer, the developer can't open the file anymore.The only person getting anything from this is the programmer in Estonia who wrote the cracking software.

There are not enough Excel VBA developers in the world.There are more projects than programmers right now. In my circle of developer friends,we all acknowledge that business prospects slip through the cracks because we are too busy with other customers.

So the situation of a newbie developer is not uncommon. He does an adequate job of writing code for a customer and then locks the VBA project.

The customer needs some changes.The original developer does the work.A few weeks later,some more changes and the developer delivers. A month later,the customer needs more work. Either the developer is busy with other projects or he has under-priced these maintenance jobs and has more lucrative work.The client tries to contact the programmer a few times,then, realizing he needs to get the project fixed, calls another developer—you!

You get the code. It is protected.You break the password and see who wrote the code.This is a tough call.You have no interest in stealing the guy's customer.You would prefer to do this one job and then have the customer return to the original developer. However, because of the password hacking, you've now created a situation where the two developers have a different password.Your only choice is to remove the password entirely.

0 0


Post a comment