Excel 2007 Encryption Strength
According to the Microsoft whitepaper and a few other MSDN blog sources, the following specs are defined:
- Key derivation is performed using 50,000 iterations[source] of SHA-1 (increased to 100k in SP2).
- Uses a 16-byte (128-bit) random salt.
- AES is the block cipher used to encrypt the document.
- By default, 128-bit key are used. There is a registry tweak to change this to 256-bit.
- The AES block cipher is implemented in Microsoft's CSP / CryptoAPI.
Older versions of Office use RC4, which is now deprecated and not recommended.
In summary, I'd say yes, with a good password this is going to be difficult to crack.
Modern GPU hash cracking tools can reach around 3.2 billion hashes per second on a powerful graphics card. With the default options, the KDF used will reduce that to roughly 64k hashes per second.
Assuming ten characters (a-z, A-Z, 0-9) you're looking at a key space of 840,000,000,000,000,000 (8.4x10^17) possible passwords, so that's around 210 thousand years before you hit a 50% likelyhood of cracking the password.
If you're storing financial information, take a look at these registry tweaks for Office 2007 SP2 that allow you to alter some security parameters. For a decent increase in security, set the CipherKeyBits
value to 256, and the PasswordSpinCount
value to 1,000,000 or higher. At that point, I'd personally trust it to be reasonably safe against even determined attackers. If you're super-paranoid, you could always put the files in a TrueCrypt volume too!