openoffice-dev mailing list archives

From "F C. Costero" <fjcc.apa...@gmail.com>
Subject Re: OpenOffice passwords: What are we telling users on the forums?
Date Wed, 18 Dec 2013 05:21:15 GMT
Your description of the available password protection options is what is
typically said on the en forum. I don't recall anyone ever suggesting that
users avoid password protection, though I don't read every post.
Best regards,
Francis


On Tue, Dec 17, 2013 at 1:44 PM, Rob Weir <robweir@apache.org> wrote:

> I noticed this note, which I thought was odd:
>
> http://listarchives.libreoffice.org/global/users/msg35699.html
>
> I'm hoping this is just a confusion, but we do need to be careful to
> avoid confusion in this area, since it can cause users to panic.
>
> The facts, as I understand them:
>
> There are two features in OpenOffice (and in LibreOffice and Microsoft
> Office) that users refer to when they talk about passwords:
>
> 1) Password protected encrypted documents
>
> 2) Password protected sections, cells, read-only files, etc.
>
> An encrypted document is as good as your password.  We use good, high
> quality encryption in ODF documents by default.  And we use MS Office
> compatible encryption, which is also good, with Office files.
>
> But in practice most users have far weaker passwords than they should.
>  The context of a password protected file is much more vulnerable than
> a website password.  A typical website will allow you to attempt a log
> in 3 or 5 times before locking you out for an hour or more.  But
> someone who has your encrypted document can attempt to guess the
> password without any such restriction.  They can run sophisticated
> programs, standalone password crackers, with GPU hardware acceleration
> to attempt billions of passwords.  So a casual password of 6
> alphanumeric characters will be quickly broken. So given the context
> users should be using longer, more complex passwords.  Of course, that
> makes it more likely that they will forget the password and show up on
> the forums when they forget.  However you look at it, document-based
> passwords are a 1985 solution to a problem that is better solved today
> in other ways.
>
> As for the protected sections, we should all know that these are
> "honor system" protection mechanisms, essentially child safety locks,
> and offer no real cryptographic protection.  This is true in MS Office
> as well.  The feature is there to help the user define sections that
> they don't want accidentally deleted, but the password protection can
> be trivially defeated in 30 seconds with a text editor and a copy of
> unzip.  This is not a flaw in OpenOffice.  This is not a bug.  This is
> how the feature was designed and has been used in Microsoft Office and
> even 1-2-3 before then.
>
> Hopefully we're telling users something that is consistent with what I
> outlined above.  Of course, it is quite possible that many users will
> not understand this and all they hear is "My password can be broken so
> OpenOffice is bad".
>
> Regards,
>
> -Rob
>
>
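
The difference between the two features described in the quoted message is visible in the file itself. The following is an added example, not part of either message or of OpenOffice's own code: it reports whether an ODF package is actually encrypted or only carries protection flags. The function names and the in-memory sample packages are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"

def classify_odf(data: bytes) -> str:
    """Return 'encrypted', 'protection-only' or 'unprotected' for an ODF package."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        manifest = ET.fromstring(pkg.read("META-INF/manifest.xml"))
        # Feature 1: an encrypted stream has a manifest:encryption-data child.
        if manifest.find(f".//{{{MANIFEST_NS}}}encryption-data") is not None:
            return "encrypted"
        content = ET.fromstring(pkg.read("content.xml"))
    # Feature 2: protected sheets/sections are only attributes in readable XML.
    flags = (f"{{{TABLE_NS}}}protected", f"{{{TEXT_NS}}}protected")
    for elem in content.iter():
        if any(elem.get(flag) == "true" for flag in flags):
            return "protection-only"
    return "unprotected"

def build_sample(manifest_body: str, content: bytes) -> bytes:
    """Build a minimal constructed ODF-like zip in memory (not a full document)."""
    manifest = (f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                f'{manifest_body}</manifest:manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("META-INF/manifest.xml", manifest)
        pkg.writestr("content.xml", content)
    return buf.getvalue()

# Constructed samples: simplified roots, only the parts the check reads.
PLAIN_ENTRY = '<manifest:file-entry manifest:full-path="content.xml"/>'
ENC_ENTRY = ('<manifest:file-entry manifest:full-path="content.xml">'
             '<manifest:encryption-data/></manifest:file-entry>')
ENCRYPTED = build_sample(ENC_ENTRY, b"\x8f\x02\x1c constructed ciphertext")
PROTECTED = build_sample(PLAIN_ENTRY, (
    f'<doc xmlns:table="{TABLE_NS}">'
    '<table:table table:name="Sheet1" table:protected="true"/></doc>').encode())
PLAIN = build_sample(PLAIN_ENTRY, (
    f'<doc xmlns:table="{TABLE_NS}"><table:table table:name="Sheet1"/></doc>'
).encode())

if __name__ == "__main__":
    for name, doc in [("encrypted", ENCRYPTED), ("protected", PROTECTED), ("plain", PLAIN)]:
        print(name, "->", classify_odf(doc))
```

A result of "protection-only" means the content is stored in readable form and the password guards nothing cryptographically, which is the "honor system" case described above.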
