just shows lack of common sense.
On Fri, Oct 19, 2012 at 6:56 PM, Jay Lozier <jsloz...@gmail.com> wrote:

> On 10/19/2012 07:32 PM, anne-ology wrote:
>
>> For the sake of safety, hopefully these are merely fancy advertising
>> schemes ;-)
>>
>> BUT judging by the number of hackers able to steal data in recent
>> years, these programs may be working ;-(
>>
>> To be conned or not to be conned by these criminal types, seems to
>> boil down to using common sense -
>> something folks once acquired and used; today common sense seems
>> to have died ;-(
>
> I have seen many lists of the most common passwords such as password,
> abc123, qwerty, and the like. Plus many reuse their passwords on several
> sites so a hacker gets several sites at once.
>
>> On Tue, Oct 16, 2012 at 9:07 PM, rost52 <bugquestcon...@online.de> wrote:
>>
>>> Dennis,
>>>
>>> When I am reading your long and excellent explanation, I wonder again how
>>> some PW removing tools, which offer a demo with opening the file or
>>> showing the PW removed, can claim that the file could be open within a few
>>> seconds to a minute?
>>>
>>> On 16.10.2012 23:34, Dennis E. Hamilton wrote:
>>>
>>>> It is important to separate the use of passwords to set
>>>> protections from use of a password to encrypt the document.
>>>>
>>>> Only "Save with Password" provides cryptographic security
>>>> of the document.
>>>>
>>>> The "Save with Password" encryption is difficult to attack.
>>>> The password is usually the weakest point and the password
>>>> may fall to a variety of attacks that use pre-computed
>>>> dictionaries of SHA1 digests and other brute-force
>>>> techniques. It is also possible that an attack may break
>>>> the encryption without discovering the password itself.
>>>> All of these attacks are believed to require great effort.
>>>> In general, one should expect that a password used in
>>>> "Save with Password" is not discoverable unless it is
>>>> carelessly chosen or heavily reused.
>>>>
>>>> The harder the password is to attack, the harder it is
>>>> to recover, of course.
>>>>
>>>> In contrast, all of the protection settings are insecure.
>>>>
>>>> The protections are trivial to remove. It can be done
>>>> by any knowledgeable user with a Zip utility and an XML
>>>> editor. It is not necessary to know the password to
>>>> remove the protection. However, all passwords used in
>>>> making protection settings should be considered compromised.
>>>> That is because the document stores an SHA1 or other unsalted
>>>> hash in "plain view" in the document. These hashes are
>>>> cracked with ease using conventional systems. A password
>>>> used to set a protection should not be used for any
>>>> more-private purpose. In particular, if the same passwords
>>>> are used for protections on unencrypted documents and for
>>>> saving with password (encryption), the encryption can be
>>>> broken directly using the SHA1 digest from the protection
>>>> setting.
>>>>
>>>> Protection settings are on spreadsheet fields and sheets.
>>>> There are protection settings on text as well. The
>>>> protection against altering change-tracking and the
>>>> protection for keeping a document read-only are all of
>>>> this kind. The protection is useful for avoiding mistaken
>>>> alterations.
>>>>
>>>> It is easy for all of these protections to be removed, the
>>>> document altered, and the protections restored with the
>>>> very same unlocking password without ever having to
>>>> know the password.
>>>>
>>>> A digital signature can prevent the document from undetected
>>>> alterations, but that doesn't work for turnaround documents
>>>> where some alterations are meant to be allowed.
>>>>
>>>> There is more explanation of the use and risk of protections,
>>>> and their removal, here:
>>>> <https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>
>>>>
>>>> A proposal for more-reliable security of protection passwords
>>>> (but not the protections themselves) is before the
>>>> OASIS ODF TC:
>>>> <https://www.oasis-open.org/committees/document.php?document_id=46220>
>>>>
>>>> - Dennis
>>>>
>>>> From: Dr. R. O Stapf [mailto:reinh...@stapf-online.com]
>>>> Sent: Tuesday, October 16, 2012 06:30
>>>> To: users@global.libreoffice.org
>>>> Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?
>>>>
>>>> you are perfectly right about this!!!
>>>>
>>>> On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote:
>>>>
>>>>> Unless you have a lot of time to kill (days, weeks, months, etc), you
>>>>> are much better off not
>>>>> forgetting your password.
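
An added example, not part of the thread and not written by any of its participants: an audit script that lists where an ODF file stores protection hashes "in plain view" and flags items that share one, which is what password reuse looks like with an unsalted hash. It assumes the ODF attribute names table:protection-key and text:protection-key in content.xml; the sample document and its key values are constructed.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
      "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0"}

def find_protection_keys(odf_bytes):
    """List (element, name, digest algorithm, stored hash) for each protection."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        # For files from untrusted senders, use a hardened XML parser instead.
        root = ET.fromstring(z.read("content.xml"))
    found = []
    for el in root.iter():
        for uri in NS.values():
            key = el.get(f"{{{uri}}}protection-key")
            if key:
                alg = el.get(f"{{{uri}}}protection-key-digest-algorithm", "(not stated)")
                name = el.get(f"{{{uri}}}name", "?")
                found.append((el.tag.split("}")[1], name, alg, key))
    return found

def shared_keys(findings):
    """Unsalted hashes repeat when a password is reused: group items by hash."""
    groups = defaultdict(list)
    for element, name, _alg, key in findings:
        groups[key].append(f"{element}:{name}")
    return {k: v for k, v in groups.items() if len(v) > 1}

def sample_odf():
    """Constructed document: the key values are made-up digests, not real ones."""
    k1 = base64.b64encode(hashlib.sha1(b"constructed-sample-1").digest()).decode()
    k2 = base64.b64encode(hashlib.sha1(b"constructed-sample-2").digest()).decode()
    t, x = NS["table"], NS["text"]
    xml = (f'<office:document-content xmlns:table="{t}" xmlns:text="{x}" '
           'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0">'
           f'<table:table table:name="Budget" table:protection-key="{k1}" '
           'table:protection-key-digest-algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
           f'<table:table table:name="Rates" table:protection-key="{k1}"/>'
           f'<text:section text:name="Terms" text:protection-key="{k2}"/>'
           '</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    findings = find_protection_keys(sample_odf())
    for f in findings:
        print(f)
    print("reused:", list(shared_keys(findings).values()))
```

Any password behind a hash this reports should be treated as compromised, as the quoted advisory says, and not used for "Save with Password" or anything else.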