2.2.9 Password Verifier Algorithm

Several records (Password (section 2.4.191), FileSharing (section 2.4.118), Prot4RevPass (section 2.4.206), FeatProtection (section 2.5.124), and FilePass (section 2.4.117)) use a password verifier to provide a locking and unlocking system for viewing or editing parts of the workbook. This password verifier is used to prevent accidental editing, and is not designed to be used as a security feature. The verifier value is calculated in two stages. First, the provided Unicode password string is converted to a new character string in the American National Standards Institute (ANSI) character set code page of the current system using the algorithm specified in the revisionsPassword attribute in [ECMA-376] part 4, 3.2.29. Second, this string is input into the XOR obfuscation algorithm specified in [MS-OFFCRYPTO], 2.3.7.1, Binary Document Password Verifier Derivation Method 1 to produce a 16-bit password verifier value.

See the Security Considerations section for information about security concerns related to the use of this algorithm for password verification in this file format.<19>
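The two stages described above, as an added Python example (not code from this specification). Stage 2 follows Binary Document Password Verifier Derivation Method 1 in [MS-OFFCRYPTO] 2.3.7.1; stage 1 is simplified to a fixed Windows-1252 encoding, which is an assumption and does not reproduce the [ECMA-376] conversion for characters outside that code page. The function names are hypothetical.

```python
XOR_CONSTANT = 0xCE4B   # final XOR constant of Method 1
STATE_MASK = 0x7FFF     # the running value is rotated within its low 15 bits


def to_ansi(password: str, codepage: str = "cp1252") -> bytes:
    """Stage 1 (simplified, assumption): encode with a fixed ANSI code page.

    Characters outside the code page raise UnicodeEncodeError here instead of
    following the fallback rules of the [ECMA-376] algorithm.
    """
    data = password.encode(codepage)
    if len(data) > 255:
        raise ValueError("password length must fit in the single length byte")
    return data


def method1_verifier(ansi: bytes) -> int:
    """Stage 2: 16-bit verifier over [length byte] + password bytes."""
    verifier = 0
    # Process the array back to front: last password byte first, length last.
    for byte in reversed(bytes([len(ansi)]) + ansi):
        carry = (verifier >> 14) & 1                       # bit 14 wraps to bit 0
        verifier = ((verifier << 1) & STATE_MASK) | carry  # bit 15 stays clear
        verifier ^= byte
    return verifier ^ XOR_CONSTANT


def password_verifier(password: str) -> int:
    """Both stages: Unicode password string -> 16-bit verifier value."""
    return method1_verifier(to_ansi(password))


def matches(password: str, stored_verifier: int) -> bool:
    """Check a supplied password against the verifier stored in a record."""
    return password_verifier(password) == stored_verifier


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from a real workbook.
    for sample in ("test", "password"):
        print(f"{sample!r}: 0x{password_verifier(sample):04X}")
    # Bit 15 of the running value is always 0 before the final XOR and bit 15
    # of 0xCE4B is 1, so every result is >= 0x8000: at most 2**15 values exist.
    print("distinct verifier values possible:", STATE_MASK + 1)
```

Because at most 32,768 verifier values exist, many different passwords map to the same stored value, which is why the verifier only guards against accidental edits.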