MS Office - Password Protect Documents

  AroundAgain 20:47 24 Feb 2018


As a volunteer for a well-known animal charity, I've been 'tasked' to do the donkey-work re how, as a branch, will comply with the new GDPR (General Data Protection Regulations) as determined by Head Office

One thing I'm needing some help with is Password Protecting documents/spreadsheets/database etc so send as attachments via email (we're not to use Dropbox or OneDrive, as far as I understand).

As many of our volunteers have a variety of versions of MS Office ie 2003, 2010+ and possibly iPads, is there a way such a document can be passworded (easily) and opened in another version / system ,ie Mac/iPad, OpenOffice/LibreOffice etc?

If there is not 'one method' to achieve this then I'll have to contact HO for an alternative method to transfer data :(

Many thanks to anyone who can suggest a workable solutionm.

  Pine Man 10:12 25 Feb 2018

I have password protected Excel Spreadsheets and Word Documents that have opened in all versions of MS Office for Mac and Windows back to 2003. Those documents also open in Apple Mac Numbers and Pages applications and certainly used to open in Open Office.

Basically if a program says it will deal with Microsoft Office documents then the password protection will also work.

  AroundAgain 10:28 25 Feb 2018

OH, fantastic That's exactly what I wanted to hear ;) Thank you SO much, Pine Man. Very grateful :) J

  hastelloy 11:07 25 Feb 2018

Just to be clear - no-one will be able to open pass-worded documents unless they know the password.

  Secret-Squirrel 12:41 25 Feb 2018

......and opened in another version / system ,ie Mac/iPad, OpenOffice/LibreOffice etc?

If the attachments are for viewing only then have you considered PDF? It's the universal format that can be read on all devices. Later versions of Office have the ability to export to PDF and password-protect it too. Although only Word, PowerPoint, and Excel PDFs can be password protected from within Office.

Have you thought how you're going to disseminate the password? You obviously can't send it by email. You could perhaps announce the password at a volunteers' meeting or perhaps make the password a phone number that only members will know.

  AroundAgain 13:34 25 Feb 2018

Thanks for all the responses ;)

@hastelloy - "Just to be clear - no-one will be able to open pass-worded documents unless they know the password."

You mean I have to let others know the password? You have to be joking, yes? Doh!!! ;) LOL

@mrcalif - "MS Office passworded documents. Especially Excel are pretty easy to hack to gain entry."

Tough. We'll be using extra strong passwords, such as 4321, coz some of the volunteers are definitely not IT savvy. ;)

Seriously though, we can only do what we can do. For years data has been sent either in the body of the email or in attached documents (without passwords) so taking extra security measures and passwording is certainly a step up and in compliance with Head Office's stipulations. In due course, there will be a more secure method (so I'm led to believe) using the charity's selected server etc for sending personal data in relation to the charity. So, emailing is just a temp measure but I suspect passwording will become the 'norm'

@ Secret-Squirrel - we already use pdf as a 'universal' document which has the benefit that the contents can't be altered, as such.

However, my need is not to protect the contents of the document being edited, but to protect the document from unauthorised prying eyes while in transit, so to speak. In fact, the ability to edit may well be a necessary requirement.

"Have you thought how you're going to disseminate the password" - yes, I'm working on this but it's not an easy one. The simplest way would be to text the password to the recipient/s. Although we've been told (by HO) that we can email the password in a separate email, I feel that rather defeats the object as, if someone 'hacks' into account, they'll have access to the password too!

I'm not keen on a single password which, although easier to manage in the short term, it wouldn't be long before 'word' got around, I'm sure. Certainly, there would be too much chance for this 'insecurity' so I don't think that would be acceptable.

Personally, I'd like some sort of 'system' to generate a password but, of course, not everyone will be of the same mind. We will be discussing this at Comm meeting tomorrow evening, amongst other DPA implications but I do like to have some ideas up my sleeve ;)

Any suggestions re creating/passing on passwords are very welcome. Please bear in mind that 'non-savvy' users will be involved too, so needs to be simple etc too

Many thanks J

  Forum Editor 15:46 25 Feb 2018

"MS Office passworded documents. Especially Excel are pretty easy to hack to gain entry."

Before Excel 2013, that was certainly true, but from 2013 onwards, Excel files have been far better protected. Excel file passwords are stored as a hash, and from Excel 2013 that hash has been considerably increased in length. A determined hacker would get in, but a sense of perspective is needed here...

Presumably, the data stored on these files is the personal data of registered members but does not include financially-sensitive information - like bank account or credit card details. You should not be storing sensitive bank and card details unless you can demonstrate that it is absolutely necessary for the conduct of the charity. If you need to process card payments, it is far better to get a third-party payment processor to do it for you. Companies that do this have very robust security measures in place.

Assuming that it's only names, addresses, email addresses and phone numbers you should be fine, provided you password-protect your file when saving it as a PDF. In Office 365, I can choose a password of up to 32 characters in length but eight or ten characters is my usual default. In my case, I am handling names, addresses, email addresses, and telephone numbers, and I change the file passwords every eight weeks. I distribute the files to a small group of people on Password-protected USB sticks, but I send the passwords via email. The emails have a special subject line that is a pre-arranged code-word unrelated to the subject. There is no text in the email, just the eight or ten character password, and the email address I use to send from does not contain my name, or anything that could hint at the subject matter. It would be meaningless to a third party. The passwords are sent once the people concerned have acknowledged receipt of the USB sticks.

Choose an alpha-numeric password that contains a random mix of letters and numerals. It's not difficult to device a system for new passwords, but be wary of doing it - systems make it easier for people to guess - once they have this month's password, they can take a reasonable stab at next month's. Store the current password very securely, and get your file users to do the same - preferably, it will be kept in a different physical location to the file it protects.

One of my clients wanted something even more secure, so I told her to distribute four files - one is a list of names, the second is a list of addresses, the third is email addresses, and the fourth contains telephone numbers. each file has a different password, and of course the individual files are relatively meaningless - you need to open at least two of them before you can begin to personally identify an individual.

You can add all kinds of refinements, but you need to make a risk assessment before you make a decision - a third party can't access data without first possessing the file. Keeping the actual file stored safely is just as important as protecting its data.

Frankly, the biggest risk when handling personal data in an organisation can be the people to whom you send it. The bigger the number of people with access to files, the greater the potential risk. Under the terms of the GDPR, any organisation can appoint a Data Protection Officer, although you are not compelled by law to appoint one unless your organisation falls into certain categories, or processes personal data on a large scale. A DPO is personally responsible for compliance, and for ensuring that anyone in the organisation who handles the data understands his or her responsibilities with regard to security.

  AroundAgain 18:09 25 Feb 2018

Thanks FE

Your post is very informative. However, we are talking about volunteers here, many of which are quite 'mature' and only use a computer/device for everyday things, plus some documents/emails that are required.

Consequently, we have to keep it all very simple, easy to explain/understand and, definitely, easy to implement.

Mostly, the 'data' sent contains name, address, telephone no and email which, now, is not to be sent in the body of email but in a passworded document. Also, spreadsheets are emailed to Treasurer and Database (MS Access) to some particular other volunteers of the branch.

The more 'savvy' volunteers are using Excel and/or Access but of different versions, of course. The most emails that need to be considered here are the 'one off' details pertaining to an individual who has just handed over/adopted one (or more) of our felines. It is the latter that the 'lesser savvy' will be involved with.

As for lengthy passwords and saving the document in a separate folder etc, I feel this is not required at our level, although I appreciate the need for such high levels of security in certain environments. We all work from our homes, on our own computers/devices, rather than in an office environment etc. As long as the computer A/c is secure and not accessible by other members of the family etc, or perhaps kept in a passworded folder, I believe that is the level of security we are to meet.

Many thanks for your advice. It's certainly much appreciated J

  Secret-Squirrel 18:34 25 Feb 2018

Although we've been told (by HO) that we can email the password in a separate email,............

I'm not so keen on that as well. Most emails travel through the ether unencrypted so they can be read if intercepted. ISP staff may also be able to read messages stored on their servers.

I'm not keen on a single password which, although easier to manage in the short term, it wouldn't be long before 'word' got around, I'm sure. Certainly, there would be too much chance for this 'insecurity' so I don't think that would be acceptable.

Be aware that if you change the password too often then it's likely to cause confusion - especially with older, 'non-savvy' users. You will end up getting contacted by users saying "I can't open the attachment - the password doesn't work".

I used to work on an IT helpdesk and the company policy was to force users to change their Windows password every thirty days. I seemed to spend most of my time resetting passwords for users who'd forgotten what it should be.

  AroundAgain 19:05 25 Feb 2018


I started typing a reply, got distracted, refreshed the page and so lost what I'd already written. Doh! :(

Yes, I agree with what you are saying and it must have been so frustrating on the Help desk.

I think I have come up with an 'easy' method to create a password, with a 'text' backup if necessary. It just has to be very simple and easy to implement.

Of course, at the Committee meeting tomorrow evening, someone may well have a very good, workable method to suggest too. Then it will be up to the Committee to agree to trying these methods.

If something better is suggested, then I'm 'all ears' ;)

  Forum Editor 22:22 25 Feb 2018

"We all work from our homes, on our own computers/devices, rather than in an office environment etc."

I see, that changes the situation somewhat. I was under the impression that we were talking about a charity office situation. The charity's head office management team will ultimately be responsible for data processing under the terms of the GDPR, and it's obviously up to them to ensure compliance within the organisation.

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Pokémon Sword and Shield preview

Best Office Chairs for the Studio and Home

macOS Catalina Preview: First look at the new Mac update

Que faire si votre iPad ne se charge pas ?