it seems like the default behavior for saving a .XLS file even in modern versions of Excel is compatible with Excel 97 – 2003
That is the default behaviour if the user selects .XLS.
The cryptography is downgraded to RC4 if the user selects the .XLS format and they’re not warned about the legacy encryption which will be used.
So, assuming a non-expert non-cryptography-setting-tweaking user, it’s still a fairly safe assumption that a .XLS file if password protected is protected with the old weak form of Office crypto – right?
Generally speaking, yes. Some workplaces manually force the Crypto Providers through group policy to comply with FIPS etc. If this the case then all bets are off.
If the file is saved in .XSLX-format, it’s also a fair assumption to make that it is saved as AES-128, once again assuming the non-tweaking user
Yes. Also .XSLX is the default format now for Microsoft Excel and the majority of spreadsheets I’ve seen in the last decade have been .XSLX.
Here’s some more information that may help the original poster if he’s forgotten his password, and for you as a background reference,
Their software can be purchased to crack some passwords instantly, remove editing passwords, crack opening passwords, use mask attacks, rainbow tables or brute force against Microsoft Office. It’s extremely slow for short passwords from 2013 onwards but from 2007 it might help for short passwords but it’s useless if they’ve got a long password set.
Each version has successively got more secure – look at the difference!
- 2010 – 24,500 passwords per second
- 2016 – 3,220 passwords per second
You can accelerate some of the older versions, or modern versions, via distributed computing using their software but it’s not worth it and there’s little chance of success.