The encryption in MS Word / Excel uses 32 *bytes* of salt. It's
interesting to me that this is just enough room to store a password 16
unicode characters long, the maximum length password you're allowed.
Just choose the first prime smaller than 2^256, one of say, 1024
multipliers, and modular multiply to get a random-looking salt. Now the
security's 2^10. I've been poking around and haven't found any reason
to believe that this actually happens (40-bit encryption is weak enough
as it is), but I still have to wonder-- why so much salt?
--
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:[EMAIL PROTECTED]
