openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hagar Delest <>
Subject Re: OpenOffice passwords: What are we telling users on the forums?
Date Thu, 19 Dec 2013 21:02:30 GMT
Top posting.
For the record, a query about password topics:

Indeed, we are several users advising to switch from AOO password to 3rd party password (pwd
archive for example).
We have seen some cases of data loss. See:
- (not much information,
I agree)
- (with a fix)

Other issues:

I remember some other topics but couldn't find them right now. I confirm that we are talking
about the file encryption and that in most cases, there is no question on the password itself


Le 17/12/2013 21:44, Rob Weir a écrit :

> I noticed this note, which I thought was odd:
> I'm hoping this is just a confusion, but we do need to be careful to
> avoid confusion in this area, since it can cause users to panic.
> The facts, as I understand them:
> There are two features in OpenOffice (and in LibreOffice and Microsoft
> Office) that users refer to when they talk about passwords:
> 1) Password protected encrypted documents
> 2) Password protected sections, cells, read-only files, etc.
> An encrypted document is as good as your password.  We use good, high
> quality encryption in ODF documents by default.  And we use MS Office
> compatible encryption, which is also good, with Office files.
> But in practice most users have far weaker passwords than they should.
>   The context of a password protected file is much more vulnerable than
> a website password.  A typical website will allow you to attempt a log
> in 3 or 5 times before locking you out for an hour or more.  But
> someone who has your encrypted document can attempt to guess the
> password without any such restriction.  They can run sophisticated
> programs, standalone password crackers, with GPU hardware acceleration
> to attempt billions of passwords.  So a casual password of 6
> alphanumeric characters will be quickly broken. So given the context
> users should be using longer, more complex passwords.  Of course, that
> makes it more likely that they will forget the password and show up on
> the forums when they forget.  However you look at it, document-based
> passwords are a 1985 solution to a problem that is better solved today
> in other ways.
> As for the protected sections, we should all know that these are
> "honor system" protection mechanisms, essentially child safety locks,
> and offer no real cryptographic protection.  This is true in MS Office
> is well.  The feature is there to help the user define sections that
> they don't want accidentally deleted, but the password protection can
> be trivially defeated in 30 seconds with a text editor and a copy of
> unzip.  This is not a flaw in OpenOffice.  This is not a bug.  This is
> how the feature was designed and has been used in Microsoft Office and
> even 1-2-3 before then.
> Hopefully we're telling users something that is consistent with what I
> outlined above.  Of course, it is quite possible that many users will
> not understand this and all they hear is "My password can be broken so
> OpenOffice is bad".
> Regards,
> -Rob
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message