Information Rights Management in Excel

I was poking around the newsgroups last night when I came across a thread about IRM failing in Excel.

A few people seem to be suffering the same problem – within the last two weeks something changed and now their credentials are not accepted by Excel and they are locked out of their files. (Here is the link.)

My first thought was the Nov security hotfix for 2007 and 2003, but actually the thread is developing more along the lines that something changed at Hotmail (the credential authority).

I have never used IRM:

  a. because I don’t put my Excel machine on the internet
  b. because fear of being locked out of my own files far outweighs the comfort of knowing other people who might get hold of it will be locked out.

Do you use IRM?

Do you have a fix for the issue these folks are seeing?



8 Responses to “Information Rights Management in Excel”

  1. ross Says:

    I didn’t even know what it was!!!

  2. Abhishek Says:

    This issue is of prime importance to me… and I surely hope that Microsoft really offers some solution really soon

  3. David Hager Says:

    I doubt that it is a coincidence that this occurred when Office 2010 public beta became available.

  4. Bob Phillips Says:

    It is interesting that on Dick’s blog, this was exactly the fear that Jayson expressed. MS locked him out of his music files, now they are locking people out of their files. And people really expect us to post our stuff to the cloud … you would have to be nuts.

  5. Harlan Grove Says:

    This would seem to be a classic no-win for MSFT. It’s already bad that this could happen at all, but IF it could be fixed quickly, then it raises the question whether anyone could crack Excel IRM quickly.

    Absolute worst case would be that there’s some form of encryption involved but the encryption key itself can be corrupted in a random way, which would mean brute force decryption would be the only way to recover these files.

  6. Harlan Grove Says:

    Bob, it’s a question whether all clouds would be as poorly managed. It’s also a question whether there’s ever any wisdom trying to embed permissions into files vs putting permissions only into the file systems for the drives on which the files are stored. To me it seems that MSFT just used a flaky approach to permissions.

    There are actually ways to make permissions MORE ROBUST using centralized storage, since it should be possible to include a permission to PREVENT storing files locally. Once users can store files on their own systems and open those files, no amount of internal permissions or passwords would be robust. That is, it wouldn’t take long to reverse engineer a way to bypass permissions. In short, permissions embedded in files aren’t going to be more robust than VBA Project passwords (got a hex editor?) but they’re fragile. The protection/frustration ratio just doesn’t favor permissions-in-files.

  7. Bob Phillips Says:


    I don’t think it is a question of technology. It is a question of trust, reliability. Whilst these technologies might be deployed in a benevolent, customer focussed way today, there is no guarantee that they will be in the future (in fact I would say there probably is a guarantee, a guarantee that they WILL NOT).

    As Jayson said on Dick’s site, he was using MS music downloads with embedded DRM, and when MS decided that they didn’t want to be in that market anymore, they pulled the plug and he couldn’t listen to the music he had bought (remember Amazon and Kindle?).

    It is similar to the plethora of so-called anti-terrorism laws being effected in western states. We are assured that there are safeguards, that they are aimed at subversives and so on, but we all know that at some point the safeguards will be removed, worked-around, and these laws will be used for other purposes (in my home town, the local council recently used the anti-terrorism laws to spy on a couple who they believed was pretending they were living in a particular catchment area to get their child into a good school).

    I do not trust the government, I do not trust MS, I do not trust Google, so I will not actively give my data to them.

  8. Simon Says:

    It’s priorities to me.
    I’d much rather someone got hold of all my sensitive data (if I had anything) than me not be able to get into it. And then likelihood and proportionality.

    Do I want to need to sign into a remote 3rd party server to get valid credentials so I can work on my important spreadsheet? No, too many weak points. I’d rather risk that data might get into the wrong hands, minimise that risk by sensible local control, perhaps encryption, whatever, but not remote and not external.

    This is almost ransomware.

    Bob, did you read the story of the photographer who was arrested under anti-terrorism laws for being too tall? Scary times.
