

On 10/19/2012 07:32 PM, anne-ology wrote:
For the sake of safety, hopefully these are merely fancy advertising schemes  ;-)

BUT judging by the number of hackers able to steal data in recent years, these programs may be working  ;-(

To be conned or not to be conned by these criminal types, seems to boil down to using common sense - something folks once acquired and used; today common sense seems to have died  ;-(

I have seen many lists of the most common passwords such as password, abc123, qwerty, and the like. Plus many reuse their passwords on several sites so a hacker gets several sites at once.

On Tue, Oct 16, 2012 at 9:07 PM, rost52 <bugquestcontri@online.de> wrote:

Dennis,
When I am reading your long and excellent explanation, I wonder again how
some PW removing tools, which offer a demo with opening the file or showing
the PW removed, can claim that the file could be open within a few seconds
to a minute?



On 16.10.2012 23:34, Dennis E. Hamilton wrote:

It is important to separate the use of passwords to set
protections from use of a password to encrypt the document.

Only "Save with Password" provides cryptographic security
of the document.

The "Save with Password" encryption is difficult to attack.
The password is usually the weakest point and the password
may fall to a variety of attacks that use pre-computed
dictionaries of SHA1 digests and other brute-force
techniques.  It is also possible that an attack may break
the encryption without discovering the password itself.
All of these attacks are believed to require great effort.
In general, one should expect that a password used in
"Save with Password" is not discoverable unless it is
carelessly chosen or heavily reused.

The harder the password is to attack, the harder it is
to recover, of course.

In contrast, all of the protection settings are insecure.

The protections are trivial to remove.  It can be done
by any knowledgeable user with a Zip utility and an XML
editor.  It is not necessary to know the password to
remove the protection.  However, all passwords used in
making protection settings should be considered compromised.
That is because the document stores an SHA1 or other unsalted
hash in "plain view" in the document.  These hashes are
cracked with ease using conventional systems.  A password
used to set a protection should not be used for any
more-private purpose.  In particular, if the same passwords
are used for protections on unencrypted documents and for
saving with password (encryption), the encryption can be
broken directly using the SHA1 digest from the protection
setting.

Protection settings are on spreadsheet fields and sheets.
There are protection settings on text as well.  The
protection against altering change-tracking and the
protection for keeping a document read-only are all of
this kind.  The protection is useful for avoiding mistaken
alterations.

It is easy for all of these protections to be removed, the
document altered, and the protections restored with the
very same unlocking password without ever having to
know the password.

A digital signature can prevent the document from undetected
alterations, but that doesn't work for turnaround documents
where some alterations are meant to be allowed.

There is more explanation of the use and risk of protections,
and their removal, here:
<https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>
A proposal for more-reliable security of protection passwords
(but not the protections themselves) is before the
OASIS ODF TC:
<https://www.oasis-open.org/committees/document.php?document_id=46220>.
   - Dennis


-----Original Message-----
From: Dr. R. O Stapf [mailto:reinhold@stapf-online.com]
Sent: Tuesday, October 16, 2012 06:30
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?

you are perfectly right about this!!!


On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote:

Unless you have a lot of time to kill (days, weeks, months, etc), you
are much better off not forgetting your password.




--
Jay Lozier
jslozier@gmail.com
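
Added example, not part of any message in this thread and not LibreOffice code: a Python audit that lists where an unencrypted ODF file stores protection-key digests (the "plain view" hashes described in Dennis Hamilton's message), so the owner knows which protection passwords to treat as exposed. It assumes the ODF 1.2 attribute names `table:protection-key` and `text:protection-key` with SHA-1 as the default digest algorithm; the sample document and its digest placeholder are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
      "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0"}
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"  # assumed ODF 1.2 default

def find_protection_keys(odf_bytes):
    """Return (part, element, name, algorithm) per stored digest; never the digest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:  # "Save with Password" parts are ciphertext, not XML
                continue
            for el in root.iter():
                for uri in NS.values():
                    q = "{" + uri + "}"
                    if q + "protection-key" in el.attrib:
                        algo = el.get(q + "protection-key-digest-algorithm", SHA1_URI)
                        findings.append((part, el.tag.rpartition("}")[2],
                                         el.get(q + "name", "?"), algo))
    return findings

def build_sample():
    """Constructed spreadsheet: one protected sheet, one unprotected sheet."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        f'xmlns:table="{NS["table"]}" xmlns:text="{NS["text"]}">'
        '<office:body><office:spreadsheet>'
        '<table:table table:name="Budget" table:protected="true" '
        'table:protection-key="CONSTRUCTED-PLACEHOLDER"/>'
        '<table:table table:name="Notes"/>'
        '</office:spreadsheet></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for part, element, name, algo in find_protection_keys(build_sample()):
        print(f"{part}: {element} '{name}' stores a protection-key digest ({algo})")
```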

