Your description of the available password protection options is what is typically said on the en forum. I don't recall anyone ever suggesting that users avoid password protection, though I don't read every post.

Best regards,
Francis

On Tue, Dec 17, 2013 at 1:44 PM, Rob Weir <robw...@apache.org> wrote:
> I noticed this note, which I thought was odd:
>
> http://listarchives.libreoffice.org/global/users/msg35699.html
>
> I'm hoping this is just a confusion, but we do need to be careful to
> avoid confusion in this area, since it can cause users to panic.
>
> The facts, as I understand them:
>
> There are two features in OpenOffice (and in LibreOffice and Microsoft
> Office) that users refer to when they talk about passwords:
>
> 1) Password protected encrypted documents
>
> 2) Password protected sections, cells, read-only files, etc.
>
> An encrypted document is as good as your password. We use good, high
> quality encryption in ODF documents by default. And we use MS Office
> compatible encryption, which is also good, with Office files.
>
> But in practice most users have far weaker passwords than they should.
> The context of a password protected file is much more vulnerable than
> a website password. A typical website will allow you to attempt a log
> in 3 or 5 times before locking you out for an hour or more. But
> someone who has your encrypted document can attempt to guess the
> password without any such restriction. They can run sophisticated
> programs, standalone password crackers, with GPU hardware acceleration
> to attempt billions of passwords. So a casual password of 6
> alphanumeric characters will be quickly broken. So given the context
> users should be using longer, more complex passwords. Of course, that
> makes it more likely that they will forget the password and show up on
> the forums when they forget. However you look at it, document-based
> passwords are a 1985 solution to a problem that is better solved today
> in other ways.
>
> As for the protected sections, we should all know that these are
> "honor system" protection mechanisms, essentially child safety locks,
> and offer no real cryptographic protection. This is true in MS Office
> as well. The feature is there to help the user define sections that
> they don't want accidentally deleted, but the password protection can
> be trivially defeated in 30 seconds with a text editor and a copy of
> unzip. This is not a flaw in OpenOffice. This is not a bug. This is
> how the feature was designed and has been used in Microsoft Office and
> even 1-2-3 before then.
>
> Hopefully we're telling users something that is consistent with what I
> outlined above. Of course, it is quite possible that many users will
> not understand this and all they hear is "My password can be broken so
> OpenOffice is bad".
>
> Regards,
>
> -Rob