Remove Excel Password Protection: The Complete 2026 Guide to Unlocking Encrypted Workbooks, Sheets, and VBA Projects Safely

If you need to remove Excel encryption from a spreadsheet you legitimately own, you are not alone. Millions of professionals inherit password-protected files from former colleagues, archived projects, or merged departments, and the original password is nowhere to be found. Whether the lock sits on the entire workbook, a single worksheet, a shared workbook, or a hidden VBA project, Excel offers several official paths to remove that protection — and a handful of recovery techniques when the password is genuinely lost.

The terminology matters more than most people realize. Excel uses three distinct security layers: file-open encryption (which scrambles the entire .xlsx binary), workbook structure protection (which prevents adding, deleting, or hiding sheets), and worksheet protection (which locks individual cells from editing). Each layer uses a different algorithm, a different removal procedure, and a different difficulty level if you forgot the password. Confusing them leads to wasted hours.

Modern Excel — specifically Excel 2016, 2019, 2021, and Microsoft 365 — uses AES-256 encryption with SHA-512 hashing for file-open passwords. That is genuinely strong cryptography. If you know the password, removal takes ten seconds. If you do not know the password and the file uses modern encryption, brute-force recovery may take years on consumer hardware. Older .xls files (Excel 97-2003) use weaker 40-bit RC4 encryption, which specialized tools can crack in minutes regardless of password complexity.

This guide walks through every legitimate scenario step by step. We cover removing passwords when you know them, recovering lost passwords on older formats, unlocking sheet protection when only structural locks exist, and clearing VBA project passwords using the XML manipulation method that works on any modern .xlsm file. We also address the ethical and legal boundaries you should respect before attempting any of these procedures on files you did not author.

Before you start, ask yourself three questions. Do you have explicit ownership or written authorization to access this file? Is the file format .xlsx, .xlsm, or the legacy .xls? Do you remember the password, or are you attempting recovery? Your answers determine which section below applies. Skipping ahead to the wrong method wastes time and can corrupt the file beyond repair if you edit binary contents incorrectly.

For readers who want to sharpen their broader Excel skills while solving security puzzles, the Excel Functions List reference pairs well with this guide. Mastering protection settings becomes much easier once you understand how Excel actually stores formulas, named ranges, and conditional formatting under the hood. The same XML structure that holds your VLOOKUP formulas also holds the protection flags we will manipulate later.

Finally, set realistic expectations. No legitimate guide can promise to crack a modern AES-256 encrypted workbook with a strong password. Anyone claiming a free, instant unlock tool for current Excel files is either lying, distributing malware, or relying on the fact that most users choose weak passwords. The methods below work because of either known credentials, weak legacy encryption, or removable non-encryption protection layers. Set those expectations now and you will avoid frustration later.

Removing file-open encryption when you know the password is the simplest scenario in Excel security. Open the workbook normally and enter the password at the prompt. Once the file is open, navigate to File, then Info, then click Protect Workbook. Choose Encrypt with Password from the dropdown menu. A dialog appears showing dots representing the current password. Clear the field completely, leaving it blank, and click OK. Save the file with Ctrl+S. The next time anyone opens that workbook, no password will be requested.

This same workflow applies whether you originally encrypted the file in Excel 2016, 2019, 2021, or Microsoft 365. The interface is virtually identical across versions. The only meaningful difference is that older Excel 2010 files may have used AES-128 instead of AES-256, but removal is identical because Excel handles the algorithm internally. After saving, verify by closing the workbook and reopening it from File Explorer — no prompt should appear.

If you are working with a .xls file from Excel 97-2003, the procedure differs slightly. These older files use the Tools menu inside the Save As dialog, under General Options. Clear the password field there. Better yet, save the file as .xlsx during the same operation to migrate to a modern format. Legacy .xls files are notoriously vulnerable to password recovery tools because their 40-bit RC4 encryption was deliberately weakened to comply with 1990s US export restrictions on cryptography.

For workbooks that contain financial models, consider reviewing the Excel Finance Functions Guide With PMT, NPV, IRR and Loan Models after unlocking. Many encrypted spreadsheets hide complex formula structures that benefit from a refresher on PMT, NPV, and IRR before you start modifying them. Removing protection without understanding the underlying model can lead to accidental formula breakage that is difficult to debug later.

A critical detail many users miss: removing the password does not change the file format. The file remains encrypted on disk until you actually save it. If you simply close the workbook after clearing the password without saving, the next open will still require the original password. Always confirm the save completed and the file size changed slightly, indicating Excel rewrote the binary without encryption headers.

For files stored on OneDrive, SharePoint, or Microsoft Teams, an additional layer exists. The cloud service may enforce its own access controls independent of Excel's password. Removing the Excel-level password does not affect SharePoint permissions. If colleagues still cannot open the file after you remove the password, check the cloud sharing settings separately through the web portal.

Batch removal across many files is possible through PowerShell automation. The Microsoft.Office.Interop.Excel COM object lets you script the open-decrypt-save cycle across hundreds of files in minutes, provided you know each password. This is the standard approach when migrating a department from a defunct password manager to a new credential system, or when consolidating archived files before a corporate audit.

Recovering a genuinely forgotten password is dramatically more difficult than removing a known one. For modern .xlsx and .xlsm files using AES-256 encryption, no shortcut exists. The only mathematical attacks are brute force (trying every possible character combination) and dictionary attack (trying common passwords and variants). On consumer hardware, AES-256 with 100,000 SHA-512 iterations means an 8-character random password could take centuries to crack. A weak password like a child's name plus birth year might fall in hours.

For legacy .xls files from Excel 97-2003, the situation reverses entirely. These files used 40-bit RC4 encryption, deliberately weakened in the 1990s to comply with US export controls. Modern tools can decrypt any .xls file by computing the entire 40-bit key space, regardless of password complexity. The process typically takes minutes on a modern CPU. This is why migrating old .xls files to .xlsx is itself a meaningful security upgrade even if you keep the same password.

Commercial recovery tools fall into three categories. Reputable forensic software like Passware Kit and Elcomsoft Advanced Office Password Recovery uses GPU acceleration and rainbow tables to attack legacy files efficiently. These cost $100 to $500 and target legitimate IT and forensic professionals. Open-source tools like John the Ripper and Hashcat can also process Excel hashes when extracted properly. Free online services promising instant decryption of modern files are almost always scams or malware.

Worksheet and workbook structure protection are a different story. Both store passwords as 16-bit hashes inside the XML, which means thousands of different passwords produce the same hash. Recovery tools do not need to find your original password — they only need to find any password that produces the same hash. This typically takes seconds. That is why the XML deletion method described earlier works so reliably for these protection types.

For VBA project passwords, the hex editor method works because the password verification happens client-side in the VBA editor itself. By corrupting the DPB signature, you trick Excel into treating the project as having invalid protection, prompting it to clear the lock entirely. This does not decrypt anything because VBA project passwords never encrypted the code to begin with — they only hid it from the editor view.

Always consider the ethical dimension. Even when technically capable of unlocking a file, doing so on a document you do not own may violate the Computer Fraud and Abuse Act in the United States, the Computer Misuse Act in the UK, and similar legislation worldwide. Employer-owned files generally fall within authorized use if you have legitimate business need, but consult your IT security policy first. When in doubt, escalate to your information security team rather than attempting recovery yourself.

Document everything. If you successfully recover access to an important business file, create a written record of what method you used, what date, who authorized it, and what the new credential management approach will be. This protects you during future audits and ensures the same emergency does not happen twice. Many organizations now mandate that all Excel files containing regulated data be stored in SharePoint with platform-level access control rather than file-level passwords.

Best practices for handling Excel encryption start with prevention. Use a dedicated password manager like 1Password, Bitwarden, or your enterprise solution to store every Excel password the moment you set it. Tag each entry with the file path, the business owner, and the date of last rotation. This single discipline prevents 90% of the lost-password emergencies that bring users to guides like this one. Free password managers exist for individual use and integrate with browser autofill on Windows and macOS.

For shared team files, abandon file-level passwords entirely in favor of platform access control. SharePoint, Google Drive for Business, Box, and Dropbox Business all provide per-user permissions, audit logging, and centralized revocation when employees leave. This approach scales infinitely better than passing around a shared password that nobody remembers to rotate. The Excel Merge Tables guide demonstrates several workflows that work better in cloud-shared environments where access is managed centrally rather than through file passwords.

When file-level encryption is genuinely required — for example, when sending sensitive data via email — use strong passwords. A 14-character random string from a password manager provides effectively unbreakable AES-256 protection. Avoid dictionary words, names, dates, and patterns like keyboard walks. Send the password through a different channel than the file: text the password while emailing the file, or use a secure password-sharing service that auto-expires after one read.

Consider modern alternatives to Excel passwords for sensitive data. Microsoft Information Protection labels apply encryption automatically based on document classification, with keys managed centrally by IT. Azure Rights Management persists protection even when files leave your network. These platforms also support time-limited access, watermarking, and revocation after the file has been distributed — capabilities impossible with traditional Excel passwords.

For VBA-heavy workbooks, recognize that VBA project passwords provide essentially zero security against motivated attackers. Anyone with five minutes and a hex editor can clear them. If your macros contain truly proprietary intellectual property, consider compiling the logic into a COM add-in (DLL) or office add-in (JavaScript) where the source code never travels with the workbook. Distribute the add-in separately with proper licensing controls.

Establish a regular audit cycle for password-protected files. Quarterly, run a PowerShell script that scans your file shares for encrypted Excel files and produces a report of file paths, last modified dates, and known owners. Files with no clear owner become candidates for cleanup. This prevents the long tail of orphaned encrypted files that accumulate over years and create security and compliance liabilities.

Finally, train your team. Most lost-password incidents trace back to a single person who set encryption without telling anyone the password or documenting it in the team's shared credential vault. A 30-minute training session covering password policies, the team password manager, and the escalation path for forgotten passwords pays for itself the first time it prevents a multi-day recovery operation. Make the training mandatory for anyone handling financial models or regulated data.

Practical implementation tips can save hours of frustration. When manipulating .xlsx files as ZIP archives, always use a real archiver like 7-Zip rather than Windows Explorer's built-in ZIP handling. Windows often corrupts the archive structure when re-zipping, leading to files that Excel refuses to open with cryptic error messages. 7-Zip preserves the internal directory structure correctly and handles the slight variations in ZIP metadata that Excel's parser is picky about.

Keep a clean working directory for unlock operations. Create a folder named something like ExcelUnlock with subfolders for Original, Working, and Output. Always copy the encrypted file to Working before modification, never touch the Original copy, and save successful unlocks to Output. This three-folder discipline saves you when a hex edit goes wrong on attempt three and you need to start over from the pristine original.

For batch operations, PowerShell is your friend. A simple script using the Excel COM object can open, decrypt, save, and close hundreds of files in sequence. Add error handling so a single failed file does not halt the entire run. Log every operation to a CSV file with the source path, target path, success status, and timestamp. This audit trail becomes invaluable when explaining the operation to auditors or compliance officers later.

When working with files containing external data connections, removing encryption may trigger refresh prompts on the next open. Decide in advance whether you want the unlocked file to refresh from source or freeze the current values. Use Data, Queries and Connections, and edit each connection's properties to disable automatic refresh if you want point-in-time data preservation. This matters for historical archives where data sources may no longer exist.

Validate every unlocked file before declaring success. Open it, verify all sheets are present, spot-check formulas in three random cells, and confirm that named ranges still resolve correctly. Sometimes the unlock process subtly damages the file structure even when Excel opens it without error. Save the validated file with a new name and date stamp so you can distinguish verified unlocks from raw outputs.

If you encounter a file that resists every standard method, the file may be corrupted, may use a non-standard encryption library from a third-party tool, or may have been created by an alternate spreadsheet program like LibreOffice with incompatible protection. Try opening the file in LibreOffice Calc, which sometimes handles edge cases differently than Excel and may bypass protection that Excel enforces strictly. Save as a fresh .xlsx from LibreOffice and try again.

For ongoing security hygiene after a successful unlock, immediately apply your team's new protection strategy. That may mean re-encrypting with a documented password, moving to SharePoint with platform permissions, or applying an Information Protection label. Never leave a sensitive file unprotected after the unlock operation completes — the convenience of open access for ten minutes is not worth the risk of accidental exposure if the file gets attached to the wrong email or synced to the wrong cloud folder.