How to: Is your Excel workbook password strong enough to resist cracking?
- Step 1: Open the auditor — The Excel password-tester redirects to the Password Entropy Auditor at /security-tools/password-entropy-auditor. You're testing the password, not uploading the workbook — there is no file input.
- Step 2: Paste the password that was (or will be) on the file — Enter it in the single Password field (placeholder "Type or paste a password"). The value is shown in plain text; since nothing leaves your browser this is safe, but do it where no one can read your screen.
- Step 3: Click Run Password Auditor — zxcvbn evaluates it locally and renders the verdict instantly. No network request fires — you can verify this in the browser's Network tab.
- Step 4: Read the crack-time verdict — The report shows the estimated crack time (offline fast hash), from "less than a second" up to "centuries". Anything below "years" means a determined attacker with a copy of the file could realistically break it.
- Step 5: Diagnose the weakness — Read the warning and suggestions. If it says "This is a very common password" or the suggestions mention dates and names, you now know precisely why the original password was crackable.
- Step 6: Pick a replacement and re-protect — Iterate until you reach Score 4 · centuries, then re-encrypt the file in Excel with the new password via File → Info → Protect Workbook → Encrypt with Password. Assume the old password is burned.
Crack-time verdict, decoded
How to interpret the offline fast-hash crack time the auditor reports, in terms of real risk to a copied Excel file.
| Crack time shown | Risk verdict | What to do |
|---|---|---|
| less than a second / seconds | Already effectively broken | Assume the file is compromised if it leaked. Replace the password immediately |
| minutes / hours | Cracked in a single attack session | Unsafe for anything sensitive. Re-protect with a stronger password |
| days / weeks | Cracked by a motivated attacker | Marginal. Acceptable only for low-value files; strengthen for anything important |
| months / years | Hard but not impossible | Reasonable for moderately sensitive data; push higher for material data |
| centuries | Practically uncrackable by guessing | Safe. This is the target for any file worth encrypting |
Why specific passwords get cracked (real results)
Actual auditor output showing the patterns that make Excel passwords fall fast. Crack times are the offline fast-hash figures the tool reports.
| Password | Score / crack time | The crackable pattern |
|---|---|---|
| Finance1 | 1 · Weak · less than a second | Common password — in zxcvbn's leaked-password list outright |
| P@ssw0rd | 0 · Very weak · less than a second | Famous password with predictable l33t substitution |
| Summer2026! | 2 · Fair · less than a second | Season + year + symbol; a textbook guessable structure |
| Tr0ub4dor&3 | 4 · Excellent · 10 seconds | Scores 4 yet still cracks fast — a single word + l33t is shallower than it looks |
| correcthorsebatterystaple | 4 · Excellent · 8 hours | A famous passphrase zxcvbn now recognises — reuse is the weakness |
Cookbook
Real zxcvbn verdicts for passwords that look safe but aren't. Paste any of these to reproduce the exact crack times an attacker effectively faces.
The 'Word + Year' password that falls in under a second
The most common cause of a 'how did they crack it?' incident. A word plus the current year is structurally trivial; the auditor reports a sub-second offline crack time and often names the pattern outright.
Password: Finance2024
Result: Score 1/4 · Weak (similar to a common password)
Crack time (offline fast hash): less than a second
→ If this protected a leaked file, treat the file as compromised.
A Score 4 password that still cracks in 10 seconds
The famous 'Tr0ub4dor&3' scores 4, which feels reassuring — but the crack time is only 10 seconds, because a single dictionary word plus l33t-speak plus a digit is shallower than its appearance. Always read the crack time, not just the score.
Password: Tr0ub4dor&3
Result: Score 4/4 · Excellent
Crack time (offline fast hash): 10 seconds
→ Score 4 is necessary but not sufficient. Demand 'centuries'.
A famous passphrase is no longer safe
'correcthorsebatterystaple' was the canonical good passphrase — so canonical that zxcvbn now lists it. It scores 4 but cracks in 8 hours. The lesson for re-protecting a file: invent your own words.
Password: correcthorsebatterystaple
Result: Score 4/4 · Excellent
Crack time (offline fast hash): 8 hours
→ Reusing a known phrase undermines it. Make up unique words.
What actually resists cracking
Four uncommon, unrelated words with separators and a digit produce a centuries crack time — the verdict you want before you re-encrypt a previously weak file.
Password: glacier-pencil-vivid-7-quartz
Result: Score 4/4 · Excellent
Crack time (offline fast hash): centuries
→ Re-protect the file with this class of password.
Diagnosing and replacing a burned password
Use the auditor as a post-incident loop: confirm the old password was weak, then build a strong replacement and verify it before re-encrypting.
Old: Q3Report2024 → Score 1/4 · Weak · less than a second (burned)
New: Q3-Report-Maple-Rivet-Cobalt → Score 4/4 · Excellent · centuries ✓ (re-encrypt with this)
Edge cases and what actually happens
A high score does not guarantee a long crack time
Read the crack time: Tr0ub4dor&3 scores 4 but cracks in 10 seconds; correcthorsebatterystaple scores 4 but cracks in 8 hours. The 0–4 score is a coarse bucket. For risk assessment, the crack time is the decisive number — demand centuries for anything you actually care about, not just the digit 4.
This tool estimates cracking — it does not crack anything
Not a cracker: zxcvbn models how long a guessing attack would take; it never attempts to break a file or a password. If you've lost the password to an encrypted .xlsx, this tool can't open it, and AES-256 with a strong password is designed to be unrecoverable. The output is a risk estimate, not a recovery service.
It can't tell you what password a leaked file used
Not supported: There is no file upload and no decryption. You can only score a password you type in. To assess a suspected-breach file, paste the password you believe was on it; the auditor tells you how guessable that string was, which is your best signal for whether the file was realistically crackable.
The crack time assumes the attacker has the file
By design: The reported figure is zxcvbn's offline_fast_hashing_1e10_per_second — 10 billion guesses/sec — which models an attacker who has copied the workbook and grinds it on a GPU offline. That's the correct, conservative assumption for breach assessment; online-attack estimates would dangerously understate the risk.
A non-blank warning means assume the worst
Hard fail: If the report shows "This is a very common password" or "This is similar to a commonly used password", the password was in a leaked or common list — for breach purposes, treat it as cracked the instant the file left your control, regardless of any length the password had.
Real attackers crack offline, not through Excel's dialog
Threat reality: Nobody types guesses into Excel's password prompt. They extract the encrypted blob and key-derivation parameters from the .xlsx and run hashcat/John the Ripper on a GPU. The auditor's offline crack time reflects that workflow, which is why it's the figure to assess your exposure against.
L33t-speak gives a false sense of safety
Low impact: Substituting a→@, o→0, e→3 is the first transform attack tooling applies, so zxcvbn barely credits it — P@ssw0rd scores 0. If your 'cracked too easily' password leaned on substitutions, that's likely why. Length from unique words is the real defence.
Re-using the same password after a breach
Don't: If a file with a given password leaked, assume that password is compromised everywhere. Don't re-protect the replacement file — or any other file — with it, even if it scores 4. Generate a fresh unique password and verify it here before re-encrypting.
Trailing spaces or hidden characters change Excel's password, not the score
Score is literal: zxcvbn scores exactly the characters you paste, so a stray trailing space is included in the estimate but won't move it much. Excel, however, treats x and x followed by a trailing space as entirely different passwords — relevant if you're trying to reproduce a password from notes.
Sheet protection wasn't really protecting anything
Different threat: If the 'cracked' file was only Protect-Sheet locked (the edit/read-only lock), it had no encryption at all — that lock uses a weak legacy hash and is stripped in seconds regardless of password. Only Encrypt with Password AES-256 depends on password strength; this tool audits that one.
Frequently asked questions
How fast can an Excel workbook password actually be cracked?
Against an AES-256 .xlsx that an attacker has copied, modern GPUs attempt on the order of billions of password guesses per second offline. The auditor reports crack time under exactly this model (10 billion guesses/sec). At that speed, Finance2024 falls in under a second and a fresh four-word passphrase holds for centuries — the gap is entirely the password.
What crack time should I target for a sensitive Excel file?
Aim for centuries (Score 4). Treat anything below years as inadequate for sensitive financial or HR data, and treat seconds or minutes as already broken if the file ever left your control. The crack time, not just the 0–4 score, is the number to judge against.
Does a Score of 4 mean my password is safe?
Not by itself. Tr0ub4dor&3 and correcthorsebatterystaple both score 4 yet crack in 10 seconds and 8 hours respectively, because they're built from single words or famous phrases. A Score 4 with a crack time of only hours or days is still risky — push until the crack time reads centuries.
How is the crack-time estimate calculated?
zxcvbn estimates the number of guesses needed to reach your password given real-world attack strategies — dictionaries, common passwords, keyboard patterns, dates, l33t substitutions — then divides by an attack speed. The figure shown is for the offline fast-hash scenario of 10 billion guesses per second, the realistic threat for a copied file.
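The mapping this answer describes, and the "high score, short crack time" edge case above, as an added example written for this page (not the auditor's or zxcvbn's own code): it re-implements zxcvbn's guesses-to-score and seconds-to-display thresholds (after its time_estimates.js) at the 1e10 guesses/sec offline rate and applies the verdict table from the top of the page. The per-password guess counts are constructed to match the crack times the page reports, not real zxcvbn output.

```javascript
// Added example: zxcvbn's guesses->score and seconds->display mapping
// (after time_estimates.js) plus this page's risk-verdict table.
const RATE = 1e10; // offline_fast_hashing_1e10_per_second
const MINUTE = 60, HOUR = 60 * MINUTE, DAY = 24 * HOUR;
const MONTH = 31 * DAY, YEAR = 365 * DAY, CENTURY = 100 * YEAR;

function guessesToScore(guesses) {
  const DELTA = 5; // zxcvbn tolerance so exactly 1e3, 1e6... stay in the lower bucket
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

function displayTime(seconds) {
  if (seconds < 1) return "less than a second";
  const steps = [[MINUTE, "second", 1], [HOUR, "minute", MINUTE], [DAY, "hour", HOUR],
                 [MONTH, "day", DAY], [YEAR, "month", MONTH], [CENTURY, "year", YEAR]];
  for (const [limit, unit, div] of steps) {
    if (seconds < limit) {
      const n = Math.round(seconds / div);
      return `${n} ${unit}${n === 1 ? "" : "s"}`;
    }
  }
  return "centuries";
}

// The page's "Crack-time verdict, decoded" table, keyed on raw seconds.
function riskVerdict(seconds) {
  if (seconds < MINUTE) return "Already effectively broken";
  if (seconds < DAY) return "Cracked in a single attack session";
  if (seconds < MONTH) return "Cracked by a motivated attacker";
  if (seconds < CENTURY) return "Hard but not impossible";
  return "Practically uncrackable by guessing";
}

// Full verdict for a guess count; 'acceptable' is the page's bar: Score 4 AND centuries.
function audit(guesses) {
  const seconds = guesses / RATE, score = guessesToScore(guesses);
  const crackTime = displayTime(seconds);
  return { score, crackTime, verdict: riskVerdict(seconds),
           acceptable: score === 4 && crackTime === "centuries" };
}

// Constructed guess counts, back-derived from the crack times this page reports.
const SAMPLES = { "Finance1": 5e3, "Tr0ub4dor&3": 1e11,
                  "correcthorsebatterystaple": 2.88e14, "glacier-pencil-vivid-7-quartz": 1e30 };
for (const [pw, g] of Object.entries(SAMPLES)) console.log(pw, audit(g));
```

Running it shows Tr0ub4dor&3 and correcthorsebatterystaple both reaching Score 4 while landing in the "broken" and "single session" verdict rows, which is exactly why the page tells you to read the crack time rather than the digit.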
Can this tool tell me if my file was already cracked?
No — it has no access to your file and doesn't attempt any attack. What it tells you is how guessable the password was. If you paste the password that was on a leaked file and it scores 0–2 with a sub-second crack time, you should assume the file was crackable and treat it as compromised.
Does Excel Online support password-protected workbooks?
Excel for the web cannot open files encrypted with Encrypt with Password — that's a desktop Excel feature. So the password you're assessing is one applied in desktop Excel. The auditor scores the password regardless of where it was set; the strength of the string is platform-independent.
Is testing the suspect password here safe?
Yes. zxcvbn runs entirely in your browser; the password you paste is scored locally and never transmitted. Checking a possibly-compromised password creates no new network exposure. The only caution is the on-screen display — test where nobody can see your screen.
Why does the auditor's crack time look harsher than other strength checkers?
Because it shows the offline fast-hash scenario, which assumes an attacker with the file and no rate limits. Many checkers display online-attack times (guesses throttled to a few per second), which can make a weak password look like it would take years. For breach assessment, the offline number is the honest one.
What should I do once I confirm a password was weak?
Assume the password and the file are compromised. Build a replacement that audits to Score 4 · centuries, re-encrypt the file in Excel with it, and never reuse the old password anywhere. Where integrity matters, also generate a fresh hash of the re-protected file with the SHA-256 fingerprinter.
Do attackers really guess billions of passwords per second?
Yes, for the right hash. Excel uses a deliberately slow key-derivation (PBKDF2 with many SHA-512 iterations) to push that number down, which is why a strong password matters so much — but commodity GPU rigs and cloud instances still reach enormous guess rates against weak passwords. The auditor's 10-billion/sec model is a reasonable, conservative planning figure.
Could removing hidden data have prevented the leak's impact?
Possibly — many Excel leaks expose more than the visible cells. Even with a strong password, before sharing you should strip hidden sheets, comments, and metadata so a decrypted copy reveals nothing extra. Run the hidden-sheet destroyer and the comment and note purger as part of your hardening.
Is there any way to make the encrypted file recoverable if I forget the strong password?
Not through cracking — a Score 4 · centuries password is, by design, not feasible to brute-force, and JAD offers no recovery. The safe pattern is to store the strong password in a corporate password manager so 'forgot it' never becomes 'lost the file'.
Privacy first
Every JAD Excel tool runs entirely in your browser using SheetJS and ExcelJS. Your spreadsheets, formulas, and data never leave your device — verified by zero outbound network requests during processing.