2.2.9 Password Verifier Algorithm

Several protection records, BrtBookProtection (section 2.4.308), BrtSheetProtection (section 2.4.783), BrtCsProtection (section 2.4.342), BrtRangeProtection (section 2.4.754), BrtRangeProtectionIso (section 2.4.756), BrtRangeProtectionIso14 (section 2.4.757), BrtRangeProtection14 (section 2.4.755), and BrtFileSharing (section 2.4.671), use a password verifier to provide a locking and unlocking system for viewing or editing parts of the workbook. This password verifier is used to prevent accidental editing, and is not designed to be used as a security feature. The verifier value is calculated in two stages. First, the provided Unicode password string is converted to a new character string in the ANSI codepage of the current system using the algorithm specified in the revisionsPassword attribute in [ISO/IEC29500-1:2016] section 18.2.29. Second, this string is input into the XOR obfuscation algorithm specified in [MS-OFFCRYPTO] section 2.3.7.1, Binary Document Password Verifier Derivation Method 1, to produce a 16-bit password verifier value.

See section 4 for information about security concerns related to the use of this algorithm for password verification in this file format.<4>
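The following Python sketch of the two stages is an added example, not text or code from this specification. The function names are hypothetical, and `to_ansi` is an assumption that stands in for the [ISO/IEC29500-1:2016] conversion by using code page 1252 with `?` substituted for unmappable characters; `verifier_method1` follows the Method 1 derivation (length-prefixed bytes processed in reverse, 15-bit rotate, XOR, final XOR with 0xCE4B).

```python
"""Added example: 16-bit XOR password verifier (Method 1 derivation)."""

FINAL_XOR = 0xCE4B  # constant applied after the last rotate/XOR round


def to_ansi(password: str, codepage: str = "cp1252") -> bytes:
    # ASSUMPTION: simplified stand-in for stage one. The real conversion
    # depends on the system ANSI code page and the ISO/IEC 29500 rules.
    return password.encode(codepage, errors="replace")


def verifier_method1(ansi_password: bytes) -> int:
    """Stage two: derive the 16-bit verifier from the ANSI password bytes."""
    if len(ansi_password) > 255:
        raise ValueError("length prefix is a single byte")
    # The password is prefixed with its length, then consumed back to front.
    data = bytes([len(ansi_password)]) + ansi_password
    verifier = 0
    for byte in reversed(data):
        # Rotate left by one bit within the low 15 bits; bit 15 stays clear.
        carry = (verifier >> 14) & 1
        verifier = ((verifier << 1) & 0x7FFF) | carry
        verifier ^= byte
    return verifier ^ FINAL_XOR


def check_password(candidate: str, stored_verifier: int) -> bool:
    """Compare a candidate against the verifier stored in a protection record."""
    return verifier_method1(to_ansi(candidate)) == stored_verifier


def high_bit_always_set(passwords) -> bool:
    # Before the final XOR the state fits in 15 bits, and 0xCE4B has bit 15
    # set, so every verifier has bit 15 set: at most 2**15 distinct values
    # exist no matter how long the password is.
    return all(verifier_method1(to_ansi(p)) & 0x8000 for p in passwords)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("", "test", "Test", "a much longer passphrase"):
        print(f"{pw!r:28} -> 0x{verifier_method1(to_ansi(pw)):04X}")
    print("bit 15 always set:", high_bit_always_set(["", "test", "Test"]))
```

Because the result carries at most 15 bits of information, many unrelated passwords share each verifier value, which is why the mechanism only guards against accidental edits.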