Re: [libreoffice-users] Re: how to crack a PW in LO?

Steve Edmonds <steve.edmonds -AT- ptglobal.com>
Sun, 21 Oct 2012 11:23:54 +1300

It is interesting how insecure password protection is, and how we forgosecurity for convenience, I recently had to gain access to a Win7machine with lost administrator PW. It was trivial but led me and a workcolleague to rainbow tables, GPU cracking and just how fast a PW can becracked. Our discussions got to slowing things down, double encrypt withdifferent methods (encrypt content with RSA using a hash from a longrandom password) or not allow automated PW entry (capcha with PW entry).Either way it becomes inconvenient and therefore will probably not be used.


Steve

On 2012-10-21 09:30, Dennis E. Hamilton wrote:

Oh, why is (7) considered Good News, below?

Well, it takes 45*365+197 > 16,500 cooperating culprits to crack a 7-character random password in 1 
day.

If that seems too feasible (it might be), try a challenging length, like 16 characters.  Just 
remember the Worse News, (8) in my previous message.

At some point, it is necessary to abandon passwords as reliable for protecting the privacy of 
encrypted documents.  All they do is increase the risk that an ordinary user will lose a password 
and not be able to open one of their own private documents.

  - Dennis


-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
Sent: Saturday, October 20, 2012 13:15
To: 'Sandy Harris'; users@global.libreoffice.org
Subject: RE: [libreoffice-users] Re: how to crack a PW in LO?

[ ... ]

  6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer passwords are 
heartening:

        Pwd   Accent OFFICE
     Length   Time Estimate (same conditions)
         <5   27m03s
         <6   1d19h
         <7   173d3h
         <8   45y197d

     You can see why length and random selection from the full 95 ASCII codes matters.  Using 
larger character sets is even better, of course.  I routinely use 15-character randomly-chosen 
passwords that are never used for more than one purpose.

  7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on multiple processors or as 
a challenge with multiple hackers over the internet, where the attack space is subdivided.  
Normally, one would not want to share the document, especially if its decryption is extremely 
valuable.  However, there are parts of encrypted ODF documents that are benign and usable in a 
community/cloud-based attack. Once the password is recovered for that portion, the holder of the 
complete document can decrypt all of it.

[ ... ]



--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Context

RE: [libreoffice-users] Re: how to crack a PW in LO? · Dennis E. Hamilton
- RE: [libreoffice-users] Re: how to crack a PW in LO? · Dennis E. Hamilton
  - Re: [libreoffice-users] Re: how to crack a PW in LO? · Steve Edmonds
    - Re: [libreoffice-users] Re: how to crack a PW in LO? · Tom Davies

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.