How to audit password entropy before applying Excel workbook protection
- Step 1: Open the auditor — The Excel password-tester redirects to the Password Entropy Auditor at /security-tools/password-entropy-auditor. There is no file to upload — this tool scores a password string, not a workbook.
- Step 2: Type or paste your candidate password — Use the single Password field (placeholder Type or paste a password). The value is displayed in plain text, not masked — fine because nothing leaves your browser, but do it on a screen no one is reading over your shoulder.
- Step 3: Click Run Password Auditor — zxcvbn analyses the string locally and renders a report card. No network request is made; you can confirm this in your browser's Network tab if you want to verify the privacy claim yourself.
- Step 4: Read the Score and crack time — The report shows Score X/4 with its label and the estimated crack time (offline fast hash). Treat Score 4 · Excellent with a crack time of centuries as the bar for any file worth encrypting.
- Step 5: Act on the warning and suggestions — If a warning appears (e.g. This is a very common password) the password is disqualified regardless of length. Apply the bullet-point suggestions — usually 'add another word', 'avoid dates', 'avoid your name' — and re-run.
- Step 6: Then apply the winning password in Excel — Once you hit Score 4 · centuries, copy the password into Excel's File → Info → Protect Workbook → Encrypt with Password. This auditor verified the string; Excel applies the AES-256 encryption around it.
What the report card shows you
Every element of the Password Entropy Auditor output, mapped to what it means for an Excel password. The crack-time figure is the one shown in the UI: zxcvbn's offline fast-hash model.
| Report element | Values you can see | What it means for your Excel password |
|---|---|---|
| Score X/4 | 0 Very weak, 1 Weak, 2 Fair, 3 Strong, 4 Excellent | The headline. For an encrypted workbook, aim for 4 Excellent. A 3 Strong is the floor; 2 or below should never protect a file you care about |
| Estimated crack time (offline fast hash) | less than a second → centuries | How long a 10-billion-guess-per-second offline attack would take. This is the realistic threat for a file an attacker has copied off your network or out of an inbox |
| Warning (amber line) | e.g. This is a very common password, This is similar to a commonly used password, or blank | A non-blank warning is a hard fail — the password matched zxcvbn's leaked/common-password lists. Length cannot rescue it; pick a different base |
| Suggestions (bullet list) | e.g. Add another word or two, Avoid dates and years, Capitalization doesn't help much | Concrete edits to raise the score. Follow them and re-run until the warning clears and the score reaches 4 |
Score targets by file sensitivity
A practical mapping from the auditor's score/crack-time to whether a password is fit to encrypt a given Excel file. Crack times are the offline fast-hash figures the tool reports.
| Auditor result | Example password | Fit for encrypting… |
|---|---|---|
| Score 0–1 · less than a second | Finance1, P@ssw0rd, Acme2026 | Nothing. Reject outright — these fall instantly to a dictionary attack |
| Score 2 · Fair · less than a second | Summer2026!, J0hn.Smith | Nothing sensitive. Looks complex but is built from predictable patterns |
| Score 3 · Strong · ~1 second | xK9#mL2vQp (10 random chars) | Low-stakes internal files only; still cracks fast offline because it is short |
| Score 4 · Excellent · hours–days | correcthorsebatterystaple (a known phrase), a 16-char random string | Moderately sensitive files — acceptable, but not the strongest. A famous phrase or a short random string scores 4 yet still has finite crack time |
| Score 4 · Excellent · centuries | glacier-pencil-vivid-7-quartz (fresh 4-word passphrase) | Anything, including financial models, payroll, and M&A data. This is the target |
Cookbook
Real zxcvbn results for passwords people actually try on Excel files. Every score and crack time below is the genuine auditor output for that exact string — paste them in to reproduce.
The 'looks fine, dies instantly' password
Adding a digit and a year to a word feels secure and satisfies most corporate complexity rules. The auditor exposes it: zxcvbn recognises the word-plus-year pattern and the crack time collapses to under a second.
Password: Finance1
Result: Score 1/4 · Weak
Crack time (offline fast hash): less than a second
Warning: This is a very common password
→ Rejected. Complexity rules passed; reality failed.
Symbols don't save a short random string
A 10-character random mix scores 3 (Strong) but the crack time is only about a second under the fast-hash model — because length, not symbol soup, drives entropy. This is the lesson the auditor teaches that Excel's silent dialog never will.
Password: xK9#mL2vQp
Result: Score 3/4 · Strong
Crack time (offline fast hash): 1 second
Warning: (none)
→ Marginal. Fine for a throwaway file; too short for anything that matters.
A famous passphrase scores 4 — but isn't bulletproof
The classic 'correct horse battery staple' scores 4, yet the auditor still reports only ~8 hours of offline crack time, because zxcvbn now knows that exact phrase. The takeaway: invent your own words, don't reuse a meme.
Password: correcthorsebatterystaple
Result: Score 4/4 · Excellent
Crack time (offline fast hash): 8 hours
Warning: (none)
→ Score 4, but a known phrase. Use unique words for true 'centuries'.
The gold-standard Excel password
Four uncommon words joined with separators and a digit hits Score 4 with a centuries crack time — the configuration to copy into Excel's Encrypt with Password dialog.
Password: glacier-pencil-vivid-7-quartz
Result: Score 4/4 · Excellent
Crack time (offline fast hash): centuries
Warning: (none)
→ Apply this in File → Info → Protect Workbook → Encrypt with Password.
Iterating a weak password to a 4
The auditor is built for iteration: paste, read the warning, edit, re-run. Here a weak base climbs to Excellent by following the suggestions, all in a few seconds and entirely in the browser.
Try 1: Acme2026 → Score 2/4 · Fair · less than a second
Try 2: Acme-Ledger-2026 → Score 3/4 · Strong · 3 hours
Try 3: Acme-Ledger-Velvet-Otter-2026 → Score 4/4 · Excellent · centuries ✓
Edge cases and what actually happens
This tool does not open or read your .xlsx file
By design: The auditor scores a password string — it has no file upload and never parses a workbook. You test the candidate password here, then type it into Excel yourself. If you need to act on the file's contents (strip metadata, remove hidden sheets), use the dedicated tools like the hidden-sheet destroyer instead.
It cannot recover or crack a password you've forgotten
Not supported: zxcvbn estimates how long an attack would take; it does not attempt the attack. If you've locked yourself out of an encrypted .xlsx, this tool cannot help — and neither can JAD: AES-256 with a strong password is, by design, unrecoverable. The estimate is a planning aid, not a cracking aid.
Excel accepts the same weak password this tool flags
Excel has no meter: Excel's Encrypt with Password dialog applies AES-256 to whatever you type with no strength check. So Finance1 (which scores 1 here) is accepted by Excel and produces a file that is trivially cracked offline. The encryption is strong; the password is the hole. Audit first.
The password field shows the password in plain text
Expected: The input is a normal text field (placeholder Type or paste a password), not a masked one. That's intentional so you can verify what you typed, and it's safe because nothing is transmitted — but test in private. The value lives only in your browser tab and is gone on refresh.
A non-blank warning beats any high score
Hard fail: If zxcvbn returns a warning like This is a very common password or This is similar to a commonly used password, treat the password as disqualified even if it's long. The string matched a leaked-password pattern, which short-circuits the crack-time math regardless of character count.
Symbol substitution (l33t-speak) barely helps
Low impact: Swapping a→@ and o→0 (P@ssw0rd) is one of the first transforms attackers try, so zxcvbn discounts it heavily — P@ssw0rd scores 0. The auditor will usually suggest 'Predictable substitutions like @ for a don't help very much'. Add length and unique words instead.
Crack time shown is the offline fast-hash figure, not the friendliest one
By design: zxcvbn computes four crack-time scenarios; the report shows offline_fast_hashing_1e10_per_second (10 billion guesses/sec). That's the correct assumption for an Excel file an attacker can copy and grind on a GPU. The gentler online-throttled numbers would over-flatter your password, so the UI deliberately shows the harsh one.
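To make the report card concrete, here is an added example (not the auditor's or zxcvbn's own code) that rebuilds the Score bucket and the offline fast-hash crack-time label from a zxcvbn-style guesses count, using the same threshold and rounding scheme zxcvbn's time-estimates module applies, and then applies the gate this page recommends (warning is a hard fail, Score 4 with centuries is the bar). The result objects are constructed to mirror the cookbook figures and are assumptions, not real zxcvbn output for those strings.

```javascript
// Added example, not the auditor's or zxcvbn's own code: rebuild the report
// card from a zxcvbn-shaped result, then apply this page's gate.
const MINUTE = 60, HOUR = 60 * MINUTE, DAY = 24 * HOUR;
const MONTH = 31 * DAY, YEAR = 12 * MONTH, CENTURY = 100 * YEAR;
const OFFLINE_FAST_HASH_RATE = 1e10; // guesses/sec, the scenario the UI shows
// Score bucket, using zxcvbn's guesses_to_score thresholds (1e3/1e6/1e8/1e10, +5).
function guessesToScore(guesses) {
  if (guesses < 1e3 + 5) return 0;
  if (guesses < 1e6 + 5) return 1;
  if (guesses < 1e8 + 5) return 2;
  return guesses < 1e10 + 5 ? 3 : 4;
}
// Crack-time label, mirroring zxcvbn's display_time rounding and unit boundaries.
function displayTime(seconds) {
  if (seconds < 1) return 'less than a second';
  const units = [[MINUTE, 'second'], [HOUR, 'minute'], [DAY, 'hour'], [MONTH, 'day'], [YEAR, 'month'], [CENTURY, 'year']];
  let divisor = 1;
  for (const [limit, name] of units) {
    if (seconds < limit) {
      const n = Math.round(seconds / divisor);
      return `${n} ${name}${n === 1 ? '' : 's'}`;
    }
    divisor = limit;
  }
  return 'centuries';
}

// The three report-card fields the page reads: Score, crack time, warning.
function reportCard(result) {
  const warning = (result.feedback && result.feedback.warning) || '';
  const crackTime = displayTime(result.guesses / OFFLINE_FAST_HASH_RATE);
  return { score: guessesToScore(result.guesses), crackTime, warning };
}

// This page's rule: any warning is a hard fail; Score 4 + centuries is the bar.
function verdict(result) {
  const { score, crackTime, warning } = reportCard(result);
  if (warning) return 'reject: warning is a hard fail';
  if (score === 4) return crackTime === 'centuries' ? 'fit for any workbook' : 'moderately sensitive files only';
  return score === 3 ? 'low-stakes internal files only' : 'reject: score too low';
}
// Constructed zxcvbn-shaped results mirroring the cookbook figures (NOT real zxcvbn output).
const SAMPLES = {
  commonWord: { guesses: 5e3, feedback: { warning: 'This is a very common password' } },
  shortRandom: { guesses: 1e10, feedback: { warning: '' } },
  knownPhrase: { guesses: 2.88e14, feedback: { warning: '' } },
  freshPassphrase: { guesses: 1e22, feedback: { warning: '' } },
};
for (const [name, r] of Object.entries(SAMPLES)) console.log(name, reportCard(r), verdict(r));
```

Feeding the same guesses count to each scenario rate shows why the page insists on the 1e10 figure: the online-throttled labels for the same string are orders of magnitude kinder.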
Pasting a password with trailing whitespace
Scored literally: zxcvbn scores the exact string, including any leading or trailing space you accidentally paste. A trailing space won't meaningfully change the score, but Excel will treat secret and secret followed by a space as different passwords — so paste cleanly, and remember Excel itself does not trim.
Score 4 with a finite crack time isn't always enough
Read the crack time: Score is a coarse 0–4 bucket. A 16-character random string and a famous passphrase both score 4, but their crack times (12 days, 8 hours) are far short of centuries. For genuinely sensitive Excel files, don't stop at the number 4 — push until the crack time reads centuries.
Sheet protection is not the same as encryption
Different threat: Excel's Protect Sheet (the read-only/edit lock) uses a weak legacy hash with no encryption and is bypassed in seconds regardless of password — auditing that password is pointless. This tool is for the Encrypt with Password AES-256 password, which is the one that actually depends on entropy.
Frequently asked questions
Is my password sent anywhere when I test it?
No. The Password Entropy Auditor runs the zxcvbn library entirely in your browser using JavaScript. The string you type into the Password field is scored locally and is never transmitted to any server. You can open your browser's Network tab while you click Run Password Auditor and confirm that no request fires.
Does this tool actually open my Excel file or test it against Excel's encryption?
No. It scores a password string only — there is no file upload. You test the candidate password here, see the score and crack time, and then type the winning password into Excel's Encrypt with Password dialog yourself. The tool measures general password strength, which is what determines whether the AES-256 encryption Excel applies is actually hard to break.
What score should I aim for before protecting an Excel workbook?
Aim for Score 4 · Excellent with an estimated crack time of centuries. Score 3 (Strong) is a bare minimum for low-stakes internal files. Anything scoring 0–2, or anything that triggers a warning line, should never encrypt a file you'd be upset to lose.
Why is the crack time so short even when my password looks complex?
Because the report uses the offline fast-hash threat model (10 billion guesses per second) and because complexity tricks are predictable. Finance1 and Summer2026! look complex but follow word-plus-year and word-plus-symbol patterns that zxcvbn cracks in under a second. Length from multiple uncommon words beats symbol soup every time.
What makes a strong Excel workbook password?
Four or more uncommon, unrelated words — ideally invented or rare, not a famous phrase — joined with separators, reaching roughly 20+ characters. glacier-pencil-vivid-7-quartz scores 4 with a centuries crack time. Avoid dates, names, your company name, and any password you've used elsewhere.
Is a long random string better than a passphrase?
Not necessarily, and the auditor proves it. A 16-character random string can score 4 but report only 12 days of offline crack time, while a fresh 4-word passphrase scores 4 with centuries. Passphrases also win on memorability. Test both candidates in the tool and pick whichever reaches centuries.
Does this work for Excel on Mac, or Google Sheets?
The password score is platform-independent — entropy is entropy. Excel for Mac's Encrypt with Password uses the same AES-256 scheme as Windows, so a strong score helps equally. Google Sheets has no file-level password (it relies on Google account sharing controls), so there's no Excel-style password to audit there.
Why isn't the password field masked with dots?
The field is a plain text input (placeholder Type or paste a password) so you can see exactly what you typed and verify there are no typos before you commit it to a file. Since nothing is transmitted, the only exposure risk is someone physically watching your screen — so test somewhere private.
What is zxcvbn and why trust it?
zxcvbn is an open-source password-strength estimator originally built at Dropbox. Instead of counting character classes, it matches against dictionaries, common passwords, keyboard patterns, dates, and l33t-speak substitutions, then estimates guesses-to-crack. It's widely used precisely because it reflects how real attackers guess passwords rather than rewarding superficial complexity.
Can I use this to audit a password I'll reuse across several files?
You can score the candidate here, but reuse itself is the bigger risk: if one encrypted file leaks and the password is cracked, every other file sharing it is exposed. Use a unique strong password per sensitive workbook, and consider hashing distributed files with the SHA-256 fingerprinter so recipients can verify they weren't tampered with.
Does adding the password to Excel change anything about the strength?
No — Excel applies AES-256 around the exact string you give it. The auditor's score for that string is the score Excel inherits. There's no extra strengthening or weakening step; the password you tested is the password that protects the file.
What else should I clean before encrypting and sharing a workbook?
A strong password protects the file's contents, but metadata can leak even from an encrypted file's surroundings or once it's decrypted. Consider running the application-metadata wiper, the comment and note purger, and the hidden-sheet destroyer on the workbook before you encrypt and distribute it.
Privacy first
Every JAD Excel tool runs entirely in your browser using SheetJS and ExcelJS. Your spreadsheets, formulas, and data never leave your device — verified by zero outbound network requests during processing.