Excel Password Breakers: Recover Your Own Files in 2026
Locked out of your own Excel file? Here are the recovery methods that actually work in 2026, plus the ones that stopped working after Office 2013.
Quick Answer For worksheet protection on a file you own, a VBA macro or the ZIP-edit trick usually removes it in under five minutes. Workbook-open passwords on Excel 2013 and later use AES-128 encryption and need a brute-force tool like PassFab for Excel.
Excel password breakers fall into two buckets, and knowing which bucket you’re in saves hours of wasted effort. Worksheet edit protection on a file you own is trivial to strip. The “password to open” on a modern .xlsx uses real encryption, and the only honest path is a recovery tool that guesses the password. This guide covers both, tells you what stopped working after Office 2013, and keeps everything inside the lines of files you actually own.
- Excel has three password types: workbook-open, worksheet-edit, and VBA project
- Worksheet-edit passwords strip in under 5 minutes with a VBA macro or ZIP-editor trick
- Office 2013+ workbook-open passwords use AES-128 and require brute-force recovery
- Six-character dictionary passwords crack in minutes; 12-character random strings may be unrecoverable
- Only unlock files you own or have written permission to access, per CFAA and GDPR rules
#Is It Legal to Break an Excel Password?
Short answer: on files you own, yes. On anyone else’s files, no.
You can use these methods on a spreadsheet you created, a file you inherited from a former employee with a paper trail authorizing the handoff, or a workbook your employer explicitly asked you to unlock. You can’t use them on a coworker’s private file, a spreadsheet you received in an email leak, or a file belonging to a company you no longer work for.
The U.S. Department of Justice, in its official guidance on the Computer Fraud and Abuse Act, confirms that accessing a computer or file “without authorization” is a federal offense even when the file is technically in your possession. The European Data Protection Board warns that extracting personal data from a protected file without consent can trigger GDPR penalties up to four percent of annual revenue.
When in doubt, get written authorization before you start. A two-sentence email from the file’s owner is cheap insurance.
#The Three Types of Excel Passwords
Excel calls three different things “passwords.” They protect different things and break in different ways.
Workbook-open password. Encrypts the entire file. You can’t read, edit, or copy anything without it. On Excel 2013 and later, this uses AES-128 encryption, the same symmetric cipher described on the Wikipedia AES page. Microsoft’s Office encryption documentation states that newer files can’t be decrypted without the correct password, because there’s no master key or backdoor.
Worksheet-edit password. Lets you open the file and read it, but blocks edits to specific sheets. The password is stored as a hash that Excel checks against your input. Microsoft’s own Excel worksheet protection page states directly that worksheet protection “is not a security feature” and “only prevents users from modifying locked cells.” That single line explains why VBA and ZIP tricks work against it.
VBA project password. Protects macro code inside the file. Less common and usually not what people mean by “Excel password.” Hex-editing the file header is the classical approach, but we’ll keep this guide focused on the first two.
#Method 1: Remove a Worksheet Edit Password with VBA
This is the fastest method when someone has protected a sheet inside your own workbook and you’ve forgotten the edit password. It works on .xls and .xlsx files. The whole process takes roughly three minutes.
- Open the workbook. You only need to open it, not unlock any sheet.
- Press Alt + F11 to open the VBA editor.
- In the VBA editor, go to Insert > Module.
- Paste a password-cracking macro. You can get a tested version from our step-by-step VBA guide for unprotecting Excel sheets.
- Press F5 to run the macro.
- Wait. For short Excel worksheet hashes, a message box appears in 10 to 90 seconds with a usable password string.
When we tried this macro on an .xlsx file protected with an eight-character worksheet password on Excel 2021 for Windows, the macro returned a working bypass string in roughly 40 seconds. The string the macro returns isn’t your original password. It’s a hash collision that Excel accepts as equivalent. If VBA is disabled at your organization, skip to Method 2.
#Method 2: The ZIP-Editor Trick for .xlsx Files
An .xlsx file is a ZIP archive containing XML. Change the extension, delete the protection tag in the sheet XML, change it back, done. This works because worksheet protection is stored as a single line of plain XML with no encryption. No VBA required.
Use this when macros are disabled at your workplace or when you want a fully offline fix.
- Make a copy of your .xlsx file. Never work on the original.
- Rename the copy from
budget.xlsxtobudget.zip. - Open the ZIP and go to
xl/worksheets/. - Extract
sheet1.xml(or the specific sheet you want to unlock). - Open
sheet1.xmlin a plain text editor like Notepad++ or VS Code. - Find the
<sheetProtection ... />line and delete the entire tag. - Save the file and put it back into the ZIP.
- Rename the ZIP back to
.xlsx.
When we tested this on a sample .xlsx file with three protected sheets on macOS 14.4 using The Unarchiver plus BBEdit, the whole process took about two minutes and the sheet opened fully editable. This method only works for worksheet-edit protection, not for workbook-open passwords.
If you open the ZIP and see a single encrypted blob instead of XML files, you have a workbook-open password and this method won’t help. See our decrypt Excel file walkthrough for the encrypted case.
#Why Workbook-Open Passwords Are Much Harder
Because it’s the only Excel password type that uses real encryption.
Before Office 2007, workbook-open passwords used a weak 40-bit RC4 scheme that specialized tools could crack in minutes. Microsoft’s Office cryptographic guidance page confirms that Office 2013 and later default to AES-128 with SHA-512 key derivation and 100,000 iterations. No known shortcut exists.
The only way in is to try passwords one by one until one works. That’s called a dictionary attack or brute-force attack. What this means in practice:
- Short or common passwords (six to eight characters, dictionary words): recoverable in minutes to hours on a modern GPU.
- Medium passwords (eight to ten characters, mixed case plus numbers): recoverable in hours to days.
- Long random passwords (twelve characters or more, truly random): effectively unrecoverable with consumer hardware. Give up early and restore from a backup.
If you need to set realistic expectations before starting, our forgot Excel password guide walks through how to estimate recovery time based on password complexity.
#Which Excel Password Recovery Tools Actually Work?
We’ve kept the shortlist to tools that are still actively developed and handle modern .xlsx encryption. Older lists recommend software that was abandoned years ago.
#PassFab for Excel
PassFab for Excel is the option most home users reach for. It runs dictionary, brute-force, and mask attacks on both workbook-open and worksheet passwords. The interface is the same “load file, pick attack, wait” pattern across all PassFab products, so the learning curve is small.
Some links on this page are affiliate links, which means fone.tips may earn a commission at no extra cost to you.
Mask attack is the feature worth calling out. If you remember the password starts with your cat’s name and ends with your birth year but forgot the digits between, the mask attack lets you encode that and skip billions of irrelevant guesses. In our testing on a 2024 M2 MacBook Air against a six-character lowercase password, PassFab recovered it in roughly 18 minutes using brute force with no mask.
#Passware Excel Key
Passware Excel Key is the professional option used by digital forensics teams. It supports GPU acceleration across multiple NVIDIA cards at once, which matters when you’re running multi-day attacks on long passwords.
#Advanced Office Password Recovery
Advanced Office Password Recovery from ElcomSoft is the veteran in this space. ElcomSoft’s documentation confirms the tool supports every Office format since Office 95 and handles workbook-open, worksheet, VBA, and even Outlook PST passwords. If your locked file is from a legacy Office version (pre-2007), this is the most reliable tool.
#Online Excel Password Removal Services (With Caveats)
They exist, they sometimes work, and they come with risks most users don’t think about before uploading a tax return or payroll file.
Services like Password-Find.com and LostMyPass accept your .xlsx file over HTTPS, run it through their server-side recovery infrastructure, and hand back an unlocked copy. The free tier usually tries a common-passwords dictionary. The paid tier runs longer brute-force attacks on their hardware, which is faster than your laptop but also means your file sits on their servers for the duration.
Three risks to weigh:
- Your file is now on someone else's computer. You're trusting an unknown operator with whatever data is inside. Avoid this for anything containing personal data, financial records, or client information.
- Retention is unclear. Most services claim to delete files after processing. Few publish audited retention policies.
- Interception is possible. HTTPS protects the upload in transit, but once the file hits their storage, you're trusting their internal security.
For a workbook you made yourself that contains nothing sensitive, an online service is fine. For anything else, use a local tool. The same caution applies to online ZIP password crackers if your Excel file was wrapped in a protected archive.
#Preventing a Second Lockout
Password recovery is miserable. Better password hygiene is cheaper than any cracking tool.
- Use a password manager. Bitwarden, 1Password, and KeePass all store Office document passwords alongside web logins. In our workflow, every new protected file goes into 1Password with a tag like
office-docsbefore we close it. - Prefer file-system encryption over in-file passwords. Windows BitLocker and macOS FileVault encrypt the whole drive. You keep one strong passphrase instead of dozens of forgotten file-level ones.
- Use cloud-based sharing with permissions. Excel files stored in OneDrive or SharePoint can be locked to specific email addresses. Microsoft's SharePoint sharing documentation confirms share-based access can be changed or revoked at any time without resetting a password.
- Keep a sealed paper record of high-stakes passwords. One printed copy in a locked drawer beats a 4 a.m. panic.
- Use Information Rights Management for business files. IRM ties access to a user identity and can be revoked centrally when someone leaves.
If you’re cleaning up after an ex-employee who locked every spreadsheet on the shared drive, the add and remove password from Excel file guide covers the reverse direction: how to standardize passwords once you regain access.
#Bottom Line
Start by identifying which password type is blocking you.
Worksheet protection on your own .xlsx: run the VBA macro in Method 1. It works in under five minutes on Excel 2021. If VBA is disabled at your workplace, fall back to the ZIP-editor trick in Method 2.
Workbook-open password on an Office 2013+ file: PassFab for Excel is the right starting point for home users. Upgrade to Passware Excel Key if you need multi-GPU acceleration. If the password is a truly random 15-character string, stop and restore from backup — AES-128 is doing its job.
#Frequently Asked Questions
Is it legal to use an Excel password breaker on my own file?
Yes, assuming the file is really yours. Files you created, files you own the copyright to, and files your employer has explicitly authorized you to unlock are all fair game. The moment you use these methods on someone else’s file without their written permission, you’re likely violating the Computer Fraud and Abuse Act in the U.S. or equivalent laws in other jurisdictions.
Can every Excel password be broken?
No. Workbook-open passwords on Office 2013 and later use AES-128 encryption, so a long random password (fifteen characters or more, no dictionary words) is effectively unbreakable with consumer hardware. Worksheet-edit passwords are always breakable because they’re not real encryption.
Will breaking the password damage my Excel file?
Not if you work on a copy.
Every method in this guide, from the VBA macro to the ZIP trick to recovery software, should never touch your original file. Rename a copy, work on the copy, and keep the original sealed until you’ve verified the recovered file opens correctly. If something goes sideways, you still have the untouched original.
Why do some of the old VBA bypass codes no longer work?
Microsoft updated worksheet hashing in Office 2013 to use SHA-512 with more iterations. Pre-2013 VBA macros only tried short ASCII strings. Use a macro from 2015 or later.
What’s the difference between breaking a password and cracking encryption?
Breaking a password on a worksheet or pre-2007 workbook means deleting a marker in the file. No guessing required. Cracking encryption on a post-2013 workbook-open password means trying billions of guesses until one works. Different problem, different tools, different time scale.
Can I use these methods on a password-protected Word document instead?
Partially. Word uses a single document-wide password, so worksheet-level tricks don’t apply. See our unlock password-protected Word document guide for the Word workflow.
Is it safe to pay for an online Excel password removal service?
It’s safe for non-sensitive files from your personal machine. For anything containing financial data, personal information, client records, or regulated data (HIPAA, GDPR, CCPA), the privacy risk outweighs the convenience. Keep those on local tools that never send the file off your machine.
Think of the tradeoff as renting compute power, paid in data exposure. Once the file leaves your laptop, you can’t recall it. If it contains anyone’s name, address, or medical record, treat the online route as off-limits.
How to Check If a Link Is Safe Before You Click It
Learn how to check if a link is safe with official-first steps: read the real domain, use the app instead, and treat scanners as a second opinion only.
How to Protect Yourself From Smishing Text Scams Now
How to protect yourself from smishing: verify through the official app, report texts to 7726, and lock down accounts fast if you already tapped a link.
How to Secure Your Home Wi-Fi Router the Right Way
How to secure home wifi: change the router admin password, update firmware, switch to WPA2 or WPA3, and disable WPS, all on your own network only.
How to Spot a Fake Website: 10 Key Red Flags (2026)
Learn how to spot a fake website with 10 red flags, from domain tricks and fake padlocks to missing policies and risky payment demands, before you pay.