
Currently, in our Spreadsheet component, when a worksheet or workbook is protected using a password, the password is stored in plain text within the Sheet Model and the Spreadsheet instance. As a result:

  • The protected password can be directly retrieved from the model.
  • The password is exposed when the Spreadsheet state is saved or exported as JSON.

This behavior introduces security vulnerabilities, as sensitive password information can be easily accessed by end users.

Storing worksheet and workbook passwords in plain text leads to the following concerns:

  • Direct visibility of passwords in the Sheet Model and Spreadsheet instance
  • Exposure of passwords during client-side serialization (e.g., Save as JSON)
  • Risk of unauthorized access and misuse of protected content

This approach does not match the protection behavior followed by Microsoft Excel.

To enhance security and align with Microsoft Excel’s password protection behavior, the following improvement is proposed:

  • Avoid storing passwords directly in the Spreadsheet model or instance.
  • Instead, generate and store an encrypted hash value and salt value for worksheet and workbook protection.
  • Use these values only for password validation during protect and unprotect operations.

While implementing the encrypted password protection mechanism, it is critical to ensure that:

  • When the Spreadsheet is exported as an Excel (.xlsx) file, the protected worksheets and workbooks remain fully compatible with Microsoft Excel, and protected Excel files remain compatible when imported into the Spreadsheet.
  • Users are able to successfully unprotect the sheet or workbook in Excel using the original password they provided.
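
One way to implement the proposed hash-and-salt storage, as an added example that is not Syncfusion's code: the model keeps only the four values that the OOXML `sheetProtection` element carries (`algorithmName`, `hashValue`, `saltValue`, `spinCount`), so saved JSON never contains the password. The function names and model shape are hypothetical, and the hashing order and the spin count of 100000 are assumptions that should be checked against a file saved by Excel.

```javascript
// Added example (Node.js): salted, iterated hash for sheet protection.
const nodeCrypto = require("node:crypto");

const ALGORITHM = "SHA-512"; // value written to algorithmName
const SPIN_COUNT = 100000;   // assumed iteration count

// Assumed scheme: H0 = H(salt || UTF-16LE(password)); Hn = H(Hn-1 || uint32le(n-1)).
function hashProtectionPassword(password, saltB64, spinCount = SPIN_COUNT) {
  const salt = Buffer.from(saltB64, "base64");
  let hash = nodeCrypto.createHash("sha512")
    .update(salt)
    .update(Buffer.from(password, "utf16le"))
    .digest();
  const counter = Buffer.alloc(4);
  for (let i = 0; i < spinCount; i++) {
    counter.writeUInt32LE(i, 0);
    hash = nodeCrypto.createHash("sha512").update(hash).update(counter).digest();
  }
  return hash.toString("base64");
}

// Build the record kept in the model; the password itself is never stored.
function createProtection(password, spinCount = SPIN_COUNT) {
  const saltValue = nodeCrypto.randomBytes(16).toString("base64");
  return {
    algorithmName: ALGORITHM,
    saltValue,
    spinCount,
    hashValue: hashProtectionPassword(password, saltValue, spinCount),
  };
}

// Validate a candidate password on unprotect, comparing in constant time.
function verifyProtection(protection, candidate) {
  if (protection.algorithmName !== ALGORITHM) return false; // only SHA-512 handled here
  const expected = Buffer.from(protection.hashValue, "base64");
  const actual = Buffer.from(
    hashProtectionPassword(candidate, protection.saltValue, protection.spinCount),
    "base64");
  return expected.length === actual.length &&
    nodeCrypto.timingSafeEqual(expected, actual);
}

// Constructed sheet model (hypothetical shape) as it would appear in saved JSON.
function exportSheetJson(name, password) {
  return JSON.stringify({ name, isProtected: true, protection: createProtection(password) });
}
```

Storing the hash removes direct disclosure of the password, but anyone holding the exported JSON can still test guesses offline, so the spin count and password strength continue to matter.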