Build Secure Application Passwords

I’m using the V3.0.0 at this moment. Big thanks to the XLS Padlock team for their great effort to release this version.

I put randomised-customised passwords of 256 characters in length into Workbook Password/ Application Secret Key/Application Secret ID/Application Master Key/ Application GUID/Security Private Key with the hope that this may somehow increase the security of the protected-compiled workbook. But the XLS padlock crashed instantly when I clicked the build button. So here is my question:

What are the requirements for passwords/keys to be used in XLS Padlock?

Thank you for your kind words!
The crash problem may be related to the Workbook Password. Did you password protect your workbook source file?
Were you asked about an error report?

No, I didn’t password protect my workbook. And yes, I was asked to send an error report.

We didn’t receive your bug report. Avoid filling the “Workbook password” if you don’t use one and see if it helps.

I didn’t send the error report for some reasons. I like the additional security feature by protecting the workbook by password as mentioned in the Section of the user manual. I expected that the provided password is encrypted and safely stored within the compiled exe file, and I hope this would challenge attackers by providing another hoop if they somehow can strip the workbook from the exe file or from the virtual hidden drive during running time.
I reduced the password length to 253 characters for all mentioned passwords, and they work. This would be adequate for me as long as they are encrypted and stored safely within the EXE file.

Could you please confirm if the passwords saved in the compiled EXE are encrypted or not?

Yes, they are encrypted in the EXE. You won’t find them just by opening the EXE in a hex editor.

That’s a good news. A big thank for that.

My apologies for the misleading information regarding the 253 characters passwords length mentioned in my earlier post. There was no error when compiling to EXE, but they did NOT work for me when I tried to run the compiled EXE file. An error message popped up saying something about the wrong password though I did cut and paste them carefully into the XLS Padlock.

I would like to confirm that: the 128-character length passwords works for me for all fields required passwords, EXCEPT the workbook password. I had to reduced the password length to 96 characters to make it work.

Hey XLS Padlock team - can you please double check this and let everyone know the passwords requirement ie. minimum/maximum length, supported characters etc.?

Also, could you please confirm if there is any backdoor built into the software that could allow XLS Padlock team can de-compile the compiled EXE workbook?

Normally Excel workbook passwords are not limited, but maybe it’s the case for the internal API. We’re checking this.
For other fields, there is no restriction because they are not directly used by Excel but XLS Padlock and we can deal with up to 256 characters.
No, there is no built-in backdoor. However, if we wanted to do it, we could still extract the secure workbook if we have access to your EXE file and the XLS Padlock project file, but:

  • formula protection will remain.
  • VBA code compiled with the VBA compiler remains in bytecode.

That’s why we always recommend to move some VBA parts to our VBA compiler. And we don’t have any reason to decompile EXE files. If we require the workbook of someone for testing purposes, we ask the permission and even sign a NDA if required.

Thanks for your transparent explanation. Highly appreciate it.