36 character length password doesn't password protect the worksheet. What's the char limit?

Issue #945 invalid
Hussain Tamboli created an issue

I could not find a way to password protect a worksheet in the documentation. But luckily I found it on stackoverflow.

>> from openpyxl import Workbook
>> wb = Workbook()
>> ws = wb.active
>> ws.protection.set_password('test')
>> wb.save('random.xlsx') 

So when I tried editing the sheet, It gave an error dialog saying the sheet is password protected. I tried unprotecting it, Tools > Protection > Unprotect sheet and it prompts me for the password. This is as expected.

In my actual code I was using uuid4 as password, which is of length 36. For this password, unprotecting the sheet didn't prompt me for password. So I guess there is some char limit.

>> from openpyxl import Workbook
>> wb = Workbook()
>> ws = wb.active
>> p = "test" * 9
>> p
>> ws.protection.set_password('test')
>> wb.save('random.xlsx') 

What's happening?

Comments (9)

  1. CharlieC

    The specification contains no further details about the password hash so I have no idea what the problem could be. However, given that the password is related to GUI work only, using a UUID as a password makes little sense.

  2. Hussain Tamboli reporter

    But I have also pointed out that, I tried setting it to testtesttesttesttesttesttesttesttest instead of uuid4. It didn't protect it for 36 char length password. I haven't tried lesser length passwords (35, 34, 33, and so on).

    My point is there could be an issue related to length of the password. Because when I set testtesttesttesttesttesttesttesttest as password manually (Tools > Protection > Protect), it protects it.

  3. CharlieC

    As noted, the specification contains little or no information about the default implementation so we don't know of any limits. I'd hazard a guess that 8 characters is probably the limit. There's no point in trying to use this for anything remotely like security.

  4. CharlieC

    You can find further information from Microsoft https://msdn.microsoft.com/en-us/library/cc313154(v=office.12).aspx.

    The pseudo code for the verifier would seem to suggest a max length of 8 characters.

    FUNCTION CreatePasswordVerifier_Method1 PARAMETERS Password
    RETURNS 16-bit unsigned integer
    DECLARE Verifier AS 16-bit unsigned integer
    DECLARE PasswordArray AS array of 8-bit unsigned integers
    SET Verifier TO 0x0000
    SET PasswordArray TO (empty array of bytes) SET PasswordArray[0] TO Password.Length APPEND Password TO PasswordArray
    FOR EACH PasswordByte IN PasswordArray IN REVERSE ORDER IF (Verifier BITWISE AND 0x4000) is 0x0000
              SET Intermediate1 TO 0
              SET Intermediate1 TO 1
    SET Intermediate2 TO Verifier MULTIPLED BY 2 SET most significant bit of Intermediate2 TO 0
    SET Intermediate3 TO Intermediate1 BITWISE OR Intermediate2
    SET Verifier TO Intermediate3 BITWISE XOR PasswordByte ENDFOR
        RETURN Verifier BITWISE XOR 0xCE4B
  5. Log in to comment