Excel Protection Layers — Sheet, Workbook, File Open, VBA

Layer 1 — Sheet protection

Sheet protection (Review tab → Protect Sheet) prevents users from editing locked cells. It's checked when Excel opens the file: if the sheet is protected and the user tries to edit a locked cell, Excel asks for the password.

The sheet protection password is hashed using Microsoft's SHA-1-based 'sheet protection hash' algorithm and stored as a 4-character hex value in the workbook XML. The hash is intentionally lossy — many passwords map to the same 4-character hash. So 'unlocking' is trivial: any password that produces the matching hash works.

Tools that strip sheet protection don't crack the password — they edit the XML to remove the protectionElement, or unzip the .xlsx, edit sheet1.xml, re-zip. Open-source utilities and Excel macros can do this in seconds. From a security perspective, sheet protection is anti-tamper UX, not access control.

• Mechanism: SHA-1-derived 4-character hex hash
• Strength: trivial — directly stripped from XML
• Use case: prevent accidental edits, not security
• Recovery time: seconds with right tool, no password search needed

Layer 2 — Workbook structure protection

Workbook structure protection (Review tab → Protect Workbook → Structure) prevents users from adding, deleting, hiding, or unhiding sheets. Like sheet protection, it's a property in workbook.xml validated by the same hashing scheme.

Same recovery profile as sheet protection — direct XML edit removes the protection without needing the password. Many online 'Excel password remover' services that promise instant unlock for free work by stripping these XML attributes.

If your locked file allows you to view content but blocks structural changes, you're in this layer. Removable in seconds.

Layer 3 — File-open password (real encryption)

File-open password (File → Info → Protect Workbook → Encrypt with Password) is the only Excel protection that's real encryption. It encrypts the entire file content using AES-128 with SHA-512 KDF (Office 2013+ default, mode 9600 in Hashcat) or earlier modes for older Office versions.

If you don't have the password, you can't see the file at all — Excel won't open it. This is what Hashcat modes 9400/9500/9600 target. Recovery requires actually finding the password, which depends on its complexity.

When people say 'I have an Excel password I forgot', they usually mean this layer. The other layers are recoverable in seconds; this one depends on the password itself.

Layer 4 — VBA project password

VBA project password (Tools → VBAProject Properties → Protection in the VBA editor) protects the macro source code from being viewed. It's separate from the document password — you can have one without the other.

In .xls (Office 97-2003), the VBA password is stored in a structure called the 'DPB' (Data Protection Bytes) inside the project storage. The hash is weak and routinely recovered or stripped via simple binary edits.

In .xlsm (Office 2007+), the VBA password is similarly weak — stored as a 4-character SHA-1 hash that's removable by editing vbaProject.bin. There's no Hashcat mode dedicated to VBA passwords because the recovery is structural (XML/binary edit), not cryptographic.

Tools that 'recover VBA passwords' actually replace the password hash in the file with a known one, allowing the user to enter a new password they know. This works because VBA password protection is verification-only, not encryption.

How to tell which layer you have

If Excel opens the file but blocks editing → sheet/workbook protection (layer 1 or 2). Removable in seconds.

If Excel asks for a password before opening the file at all → file-open password (layer 3). Real encryption, recovery depends on password.

If you can open and edit the file but can't view macros → VBA project password (layer 4). Removable structurally.

Combinations are common: a file might have both file-open password AND sheet protection. The file-open password must be solved first; sheet protection is then trivial to remove.

Confused customers and refund risk

A frequent support pattern is the customer who 'forgot the Excel password' but actually has only sheet protection — which any free tool removes instantly. Charging for this would be wrong.

Conversely, customers who say 'just remove the sheet protection' may actually need file-open password recovery (real encryption work). Identifying which layer the file uses is the first conversation in any password-recovery support flow.

Frequently Asked Questions

Related references