Are there huge drawbacks to using an excel 2010 document for password management?

At my old job, we used an open-source, (IMO) secure method for managing network infrastructure, and other important hosts' passwords [with Keepass]. At my new job however, it seems like they're using password-protected excel spreadsheets.

Before I made a fuss about password security, I browsed the interwebs and found that Microsoft has been getting better at implementing encryption features to their office products.

Main questions:

  • How safe is MS Excel/office 2010's password encryption feature? I've been thinking this was an insecure way of dealing with passwords, is this not the case any more?
  • Are there many drawbacks to using an excel 2010 document for password management?

Solution 1:

I wouldn't recommend it. There ARE still methods of cracking these quite easily. I personally recommend a Truecrypt volume that contains a Keepass database. It serves me well and is extremely portable. And I'm using it in an environment with thousands of passwords.

EDIT: And Keepass is already well laid out for password management. With a nice GUI (i.e., easy to see what password is which type) and built-in password generators... can't go wrong.

Solution 2:

Microsoft has made great strides with encryption in each release of Office -- Office 2000 encryption was a complete joke. Office 2003 encryption was substantially better, and Office 2010 is better still.

Having said that, Excel is NOT designed to be a secure password store, and I would NOT trust it as one.
Many people lose their Office document passwords every day -- because of this there are many motivated people working on ways to recover document passwords (or alternatively decrypt the documents), and if someone discovers a way to break Excel document encryption you can expect that MS Office users the world over will be hailing them as a savior (while malicious attackers are decrypting your document and stealing your passwords).

Password security should be taken seriously: Time may be "of the essence", but a substantially greater loss (in man-hours and potentially real dollars) will result from a security breach.
Take the time to implement a proper, well-thought-out solution (like Keepass). It will serve your company better in the long run.
Until that time I suggest a PGP-encrypted file, and to provide emergency access to management KeySure boxes (which also show you that the password was accessed, as you must break the box apart to get at its contents).
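One practical check that follows from both answers, added here as an example (it is not code from either poster): a "password-protected" spreadsheet is only encrypted if it was saved with a password to open, which stores the workbook as an OLE2 compound file carrying an `EncryptionInfo` stream; sheet or workbook "protection" leaves the .xlsx as a plain ZIP whose cell XML is readable by anyone. The script classifies a file's bytes so an auditor can find spreadsheets of credentials that are not encrypted at all. The sample inputs are constructed in the script (the OLE stub is only a header plus a directory-name fragment, not a real encrypted workbook, and the ZIP samples are minimal package skeletons, not full workbooks).

```python
import io
import zipfile

# Magic numbers from the file-format specs: ZIP local-file header and OLE2/CFB header.
ZIP_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries store stream names as UTF-16LE; an encrypted Office 2007+
# package carries an "EncryptionInfo" stream (MS-OFFCRYPTO), so its name appears verbatim.
ENC_INFO_NAME = "EncryptionInfo".encode("utf-16-le")
PROTECTION_TAGS = (b"<sheetProtection", b"<workbookProtection")


def classify_excel_bytes(data: bytes) -> str:
    """Return 'encrypted', 'plaintext-protected', 'plaintext' or 'unknown'."""
    if data.startswith(CFB_MAGIC):
        # OLE2 container: an encrypted OOXML package, or a legacy binary .xls (not handled here).
        return "encrypted" if ENC_INFO_NAME in data else "unknown"
    if data.startswith(ZIP_MAGIC):
        # Plain OOXML ZIP: every part, including cell text, is readable without any password.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == "xl/workbook.xml" or name.startswith("xl/worksheets/"):
                    if any(tag in zf.read(name) for tag in PROTECTION_TAGS):
                        return "plaintext-protected"  # "Protect Sheet/Workbook" is not encryption
        return "plaintext"
    return "unknown"


def make_xlsx_like(sheet_xml: bytes) -> bytes:
    """Constructed minimal OOXML-style ZIP skeleton (demonstration only, not a full workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


# Constructed samples: unprotected, sheet-protected (still plaintext), and an encrypted-package stub.
PLAIN = make_xlsx_like(b"<worksheet><sheetData/></worksheet>")
PROTECTED = make_xlsx_like(b'<worksheet><sheetProtection sheet="1"/><sheetData/></worksheet>')
ENCRYPTED_STUB = CFB_MAGIC + b"\x00" * 504 + ENC_INFO_NAME  # header magic + fake directory entry

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("protected", PROTECTED), ("encrypted", ENCRYPTED_STUB)):
        print(f"{label:>10}: {classify_excel_bytes(blob)}")
```

Anything reported as `plaintext` or `plaintext-protected` is a spreadsheet whose contents can be read straight out of the ZIP, regardless of what Excel's UI calls "protection".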