Coffeehouse Post

Single Post Permalink

View Thread: Excel 2013 Performance Issue
  • User profile image

    It's not a stronger encryption algorithm - it's better a better key derivation algorithm.

    Basically what's going on is that people suck as suggesting good passwords, and consequently an attacker will usually be able to guess your password for a file within a couple of billion guesses for good passwords and a couple of million for less good ones.

    For an attacker, the length of time each guess takes is now really important. Whereas a user spends most of his time using Excel, an attacker spends most of his time trying to decrypt the first block of your file to see if it's been decrypted. This means that upping the length of time to derive a key from a password has a disproportionately negative effect on an attacker compared with on a user.

    For example, if Microsoft choose a key derivation algorithm that takes, say, half a second (up from a millionth of a second) to turn a password attempt into a key to test, then the startup time for Excel goes from say 10 seconds to 10.5 seconds - an overall trivial inconvienience to the user.

    Now let's say that your password is good enough that it takes 10 billion guesses (say a seven letter "good" password). It used to take an attacker 2 and a half minutes to brute force to get in; it now takes 158 years.

    Effectively what you're seeing is this is practice. Microsoft is upping the strength of the key derivation algorithm to help protect your file from having the password brute forced by attackers.

    What's perhaps slightly less obvious from your example, is that this has been happening since Excel 2003. Each revision ups the key derevation complexity in order to "catch up" with technology making longer lengths more acceptable to users (who have better hardware) whilst still keeping brute force out of reach of attackers, who also have markedly better hardware than when previous versions of Excel were released.