4 Security Considerations

The password verifier features available in the file format (see section 2.2.9 and section 2.2.10) are used to prevent accidental modification, rather than being used as security features. It is possible to remove the passwords by removing the records containing the verifier values.

The translation of passwords from a double-byte Unicode string to a new character string in the ANSI codepage of the current system converts any Unicode character that cannot be mapped to the ANSI codepage of the current system to the 0x3F character in that codepage ([ISO/IEC29500-1:2016], section 18.2.29). Replacing these characters with 0x3F when the hash is verified will generate positive hash value matches. In certain locales this can be a significant portion of the everyday character set.

Further security considerations regarding the file encryption algorithms (section 2.2.11) are described in [MS-OFFCRYPTO] section 4.1.3.