How to Encrypt Excel Spreadsheets with Password (And Why It’s Not Enough)

Excel is the backbone of modern business operations, housing everything from payroll data to M&A valuation models. However, its ubiquity also makes it a primary target for data leaks. Learning how to encrypt excel spreadsheets with password protection is a fundamental skill for any professional, but it is often just the first step in a much larger security picture.

While applying a password seems secure, reliance on manual file protection is prone to failure. According to the Verizon Data Breach Investigations Report (2024), human error accounts for 68% of data breaches. This often happens not because the encryption failed, but because a user attached a password-protected file to an email and sent the password in a follow-up message.

Furthermore, relying on locally stored, password-locked files contributes to “Shadow IT”—unmanaged data that sits outside your IT department’s control. Gartner and Omdia estimate that this unmanaged software represents 30-50% of an organization’s total computing, creating visibility gaps that leave businesses vulnerable.

The Critical Distinction: “Protect Sheet” vs. “Encrypt Workbook”

One of the most dangerous misconceptions in document security is confusing “locking” a spreadsheet with “encrypting” it. If you believe locking your cells prevents data theft, your files are likely exposed right now.

“Protect Sheet” is not security. This feature is designed for user interface control, not data privacy. It prevents a user from accidentally deleting a formula or overwriting a cell. It does not scramble the data. If you use this feature, the data remains in plain text within the file’s XML structure.

As Microsoft Support documentation explicitly warns: “Worksheet-level protection is not a security feature… It offers zero protection against a determined attacker.”

“Encrypt Workbook” is security. When you choose to encrypt the workbook, modern Excel versions (2016 and later) use AES-256 encryption. This mathematically scrambles the underlying data so that it cannot be read without the decryption key (your password).

Real-World Scenario: The “Phantom” Employee Payroll Leak

Consider Mark, an HR consultant. He managed a “master payroll” file for a client, using Excel’s “Protect Sheet” feature to lock the columns containing Social Security numbers so they couldn’t be edited. He assumed the data was safe.

When his laptop was stolen, thieves didn’t need to guess a password. They simply opened the file in a third-party spreadsheet viewer that ignored the “locked cells” flag. Because the file wasn’t encrypted, the thieves accessed the salary data and SSNs of 140 employees. This breach, caused by a misunderstanding of file protection, led to a class-action lawsuit.

For a deeper dive into preventing these types of leaks, read our guide on Data Loss Prevention (DLP) Basics.

Step-by-Step: How to Encrypt Excel Spreadsheets with a Password

If you need to secure a file immediately, here is the correct way to apply AES-256 encryption to your workbook.

For Windows Users

1. Open your Excel file.
2. Click on the File tab in the top left corner.
3. Select Info.
4. Click the Protect Workbook box.
5. Select Encrypt with Password from the dropdown menu.
6. Enter a strong password and click OK.
7. Re-enter the password to confirm and click OK.
8. Save the file.

For Mac OS Users

1. Go to the Review tab in the ribbon.
2. Click Protect Workbook.
3. Enter a password in the “Password to open” field.
4. Click OK and save the file.

How to Remove the Password

If you need to decrypt the file later:

1. Go back to File > Info > Protect Workbook > Encrypt with Password.
2. Delete the black dots in the password field so it is blank.
3. Click OK and save the file.

Warning: There is no “Forgot Password” button. Unlike online accounts, Excel files do not have a recovery mechanism. If you lose the password to a modern .xlsx file, the data is gone. While older .xls files could be cracked easily, modern AES-256 encryption makes brute-force attacks the only option, which is often impossible for strong passwords.

Why Native Excel Encryption Fails Modern Compliance

You have encrypted the file, but have you actually secured the data workflow? For industries like healthcare and finance, native Excel encryption often falls short of compliance requirements.

The Transfer Problem

The encryption is only as strong as the way you share the password.

Take the case of “The M&A Deal Breaker.” Sarah, a junior analyst, prepared a valuation model for a merger. She followed protocol and encrypted the Excel file. However, she then emailed the file to the client and, in a lapse of judgment, sent the password in the very next email. A hacker monitoring the client’s inbox intercepted both. The leak of confidential merger details caused the acquisition to collapse. The vulnerability wasn’t the math; it was the process.

The Audit Trail Gap

Even if your files are encrypted, you must be able to prove it to regulators.

Dr. Aris, a private practice therapist, stored patient notes on a password-protected USB drive. When he lost the drive, he faced a HIPAA audit. The problem? He couldn’t prove the files were encrypted with a compliant standard (AES-256) rather than weak, older encryption.

According to the IBM Cost of a Data Breach Report (2024), healthcare data breaches are the costliest, averaging $9.77 million per incident. Because Dr. Aris lacked an audit trail or “safe harbor” proof, he faced significant fines that nearly bankrupted his practice.

No Revocation

Once you email a password-protected spreadsheet, you lose control. If the recipient leaves their company or their laptop is stolen, that file remains accessible to anyone who has the password. You cannot remotely “detonate” or revoke access to a local Excel file.

The Hidden Cost of Excel “Shadow IT”

Spreadsheets are often described as the “original Shadow IT.” They are files created by employees that exist outside the central management of the IT department.

As Chris Mixter, VP Analyst at Gartner, notes: “You can’t protect what you can’t see.”

When thousands of password-protected files are scattered across local hard drives and personal cloud accounts, the organization faces two major risks:

1. Data Integrity: According to the European Spreadsheet Risks Interest Group (EuSpRIG, 2023), approximately 90% of corporate spreadsheets contain material errors. When files are locked and siloed, they cannot be peer-reviewed or validated.
2. Management Blind Spots: IT administrators cannot back up these files, scan them for viruses, or manage access rights. If an employee leaves, the data in those password-protected files often leaves with them or becomes permanently inaccessible.

A More Secure Alternative to Excel Passwords

While Excel’s native encryption is better than nothing, modern businesses need tools designed for the way we actually work. sekura.app offers a secure layer that fixes the flaws inherent in spreadsheet password protection.

Here is how the approaches compare:

Feature	Excel Password	sekura.app
Access Control	Shared static password (insecure)	Identity verification (no shared secrets)
Revocation	Impossible once sent	Instant revocation at any time
Audit Trail	None	Full logs of who opened files and when
File Size	Large encrypted files often crash	Optimized for large datasets

Compliance and “Safe Harbor”

For professionals like Dr. Aris, sekura.app provides the necessary proof for auditors. Because every encryption event and access attempt is logged, you have a defensible audit trail that proves your data remained secure, even if a device is lost.

Handling Heavy Data

Financial analysts often find that password-protecting massive .xlsx models makes them unstable or slow to open. sekura.app encrypts the file container itself, allowing you to secure gigabytes of data without corrupting the delicate XML structure of the spreadsheet.

Learn more about protecting sensitive financial data in our guide to Secure File Transfer for Financial Services.

Frequently Asked Questions (FAQ)

Can I password protect just one column so nobody can see it? No. Excel does not support column-level encryption. You can hide a column and protect the sheet, but as mentioned earlier, this does not encrypt the data. Anyone with basic technical skills can unhide it or read the XML data directly.

Is Excel’s built-in encryption GDPR compliant? Technically, the AES-256 algorithm used by modern Excel is compliant. However, the process of sharing these files often violates GDPR principles regarding data governance, specifically the lack of audit trails and the inability to ensure the “right to be forgotten” (revocation) once a file is sent.

Can I recover a lost Excel password? Officially, no. Microsoft does not provide a backdoor. Be very careful with “VBA cracking scripts” found online. These often contain malware and typically only work on “Protect Sheet” passwords, not “Encrypt Workbook” passwords.

Why can people still see my data after I protected the sheet? “Protect Sheet” is a UI lock, not a data lock. The text is still readable within the file’s code. To prevent viewing, you must use the “Encrypt with Password” feature detailed in the steps above.

Conclusion

Knowing how to encrypt Excel spreadsheets with a password is a necessary hygiene step for personal files, but it is not a sufficient strategy for enterprise security. The risks of lost passwords, lack of audit trails, and human error during transfer are simply too high.

As counter-terrorism expert Richard Clarke famously said, “If you spend more on coffee than on IT security, you will be hacked.”

Don’t rely on shared passwords to protect your organization’s most critical data. Start using sekura.app today for file sharing that is auditable, revocable, and truly secure.

Download sekura.app Now