protection - excel easily defeated - ouch!
hi,
just looking for some guidance here.
I have written an app (I was concerned about using excel as a basis for this application but was forced down this route anyhow).
Basically the requirement was to add an authentication process to an excel spreadsheet given to me. To achieve this I used an excel vba script using locked cells/worksheet/workbook protection. The actual authentication check was done via a set of calls to secur32 requiring the user to re-authenticate themselves to our lan. (no problems with all this so far)
the net effect is now I had something I'm happy with except I am dependent on excel worksheet/workbook passwords not being easily breakable.
then I came across this
http://www.mcgimpsey.com/excel/downl...lpasswords.xls
this script will unprotect the worksheet and workbook without a password. Even when I use a strong password (including uppercase, lowercase, numerics and several special characters!!) - I have played with the cryptographic providers off the advanced tab but think that this only relates to encryption of the whole worksheet when saved (not the worksheet/workbook protection passwords that this script removes)
Even my complex passwords were decrypted within 5 minutes (and my machine is only 1.7ghz!)
meaning as far as I can see it, locking off areas of a spreadsheet via locking cells & applying worksheet passwords is a load of junk and excel is not up to it!
(Am I being too hard here? - is there something I have missed?)
if anybody has any thoughts, please let me know.
appreciated - many thanks, AJP
Re: protection - excel easily defeated - ouch!
Well you have done what they have asked for.
That it can be easily broken, well they insisted on excel spreadsheets...
You can give them the working protected version as you have it, but put in black and white that excel passwords can be broken, fairly easily, by techy people.
Depends on the data stored. If in doubt, check with our data protection officer (type) person. Are the users of the spreadsheet techy, or likely to want to bypass your program?
Offer alternatives (mysql, sql server, access, oracle or some other database?) for protecting data yet having the access available.
Re: protection - excel easily defeated - ouch!
hi,
thanks for your comments - at least I'm not missing something simple.
I'm doing just as you have said - written a large document on my thoughts about excel security.
The users? - The people questioning are business-controls, therefore are only interested in what's technically possible and not what the user will actually do in the real world.
thanks, AJP
ps - we have a db solution with a web frontend - rejected apparently was overkill - oh well such is life.. think I have just nicked it and been caught in the slips :)