openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hagar Delest <hagar.del...@laposte.net>
Subject Re: OpenOffice passwords: What are we telling users on the forums?
Date Thu, 19 Dec 2013 21:02:30 GMT
Top posting.
For the record, a query about password topics: https://forum.openoffice.org/en/forum/search.php?keywords=password&terms=all&author=&sc=1&sf=all&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search

Indeed, we are several users advising to switch from AOO password to 3rd party password (pwd
archive for example).
We have seen some cases of data loss. See:
- https://forum.openoffice.org/en/forum/viewtopic.php?f=7&t=65258
- https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=55698
- https://forum.openoffice.org/en/forum/viewtopic.php?f=7&t=54816 (not much information,
I agree)
- https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=10401 (with a fix)

Other issues:
- https://forum.openoffice.org/en/forum/viewtopic.php?f=6&t=49537
- https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=64901
- https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=63279
- https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=54865

I remember some other topics but couldn't find them right now. I confirm that we are talking
about the file encryption and that in most cases, there is no question on the password itself

Hagar


Le 17/12/2013 21:44, Rob Weir a écrit :

> I noticed this note, which I thought was odd:
>
> http://listarchives.libreoffice.org/global/users/msg35699.html
>
> I'm hoping this is just a confusion, but we do need to be careful to
> avoid confusion in this area, since it can cause users to panic.
>
> The facts, as I understand them:
>
> There are two features in OpenOffice (and in LibreOffice and Microsoft
> Office) that users refer to when they talk about passwords:
>
> 1) Password protected encrypted documents
>
> 2) Password protected sections, cells, read-only files, etc.
>
> An encrypted document is as good as your password.  We use good, high
> quality encryption in ODF documents by default.  And we use MS Office
> compatible encryption, which is also good, with Office files.
>
> But in practice most users have far weaker passwords than they should.
>   The context of a password protected file is much more vulnerable than
> a website password.  A typical website will allow you to attempt a log
> in 3 or 5 times before locking you out for an hour or more.  But
> someone who has your encrypted document can attempt to guess the
> password without any such restriction.  They can run sophisticated
> programs, standalone password crackers, with GPU hardware acceleration
> to attempt billions of passwords.  So a casual password of 6
> alphanumeric characters will be quickly broken. So given the context
> users should be using longer, more complex passwords.  Of course, that
> makes it more likely that they will forget the password and show up on
> the forums when they forget.  However you look at it, document-based
> passwords are a 1985 solution to a problem that is better solved today
> in other ways.
>
> As for the protected sections, we should all know that these are
> "honor system" protection mechanisms, essentially child safety locks,
> and offer no real cryptographic protection.  This is true in MS Office
> is well.  The feature is there to help the user define sections that
> they don't want accidentally deleted, but the password protection can
> be trivially defeated in 30 seconds with a text editor and a copy of
> unzip.  This is not a flaw in OpenOffice.  This is not a bug.  This is
> how the feature was designed and has been used in Microsoft Office and
> even 1-2-3 before then.
>
> Hopefully we're telling users something that is consistent with what I
> outlined above.  Of course, it is quite possible that many users will
> not understand this and all they hear is "My password can be broken so
> OpenOffice is bad".
>
> Regards,
>
> -Rob
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Mime
View raw message