On Thu, Dec 19, 2013 at 4:02 PM, Hagar Delest <hagar.del...@laposte.net> wrote: > Top posting. > For the record, a query about password topics: > https://forum.openoffice.org/en/forum/search.php?keywords=password&terms=all&author=&sc=1&sf=all&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search >
Thanks for the additional information. But have we seen a reproducible bug reported in this area? It reminds me of a police report in the local paper I read a few years ago. An old lady calls the police to report a stolen ring. She had just had the interior of her house painted and she thinks the painters stole the ring. The police ask her for details, including when she last saw the ring. She says that the last time she saw the ring was 10 years ago. ;-) Of course, you can see what happened. She only checked for the ring because there were strangers in the house. But it was probably misplaced many years ago. Same thing with an upgrade. When you upgrade you might load a bunch of old files to see how they render. If something doesn't work you blame it on the upgrade. But the file might have been damaged previously. Of course, I can't prove this, but it would be unlikely to have a longstanding bug in this area that was not reproducible. But if we did I'd suspect it would demand on a specific combination of operating system and the character set used for entering the password, e.g., was it in Chinese characters, Thai, or something that can be entered in ASCII or Latin-1. It is probably true that testing in this area is mainly with the simpler character sets. Regards, -Rob > Indeed, we are several users advising to switch from AOO password to 3rd > party password (pwd archive for example). > We have seen some cases of data loss. See: > - https://forum.openoffice.org/en/forum/viewtopic.php?f=7&t=65258 > - https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=55698 > - https://forum.openoffice.org/en/forum/viewtopic.php?f=7&t=54816 (not much > information, I agree) > - https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=10401 (with a > fix) > > Other issues: > - https://forum.openoffice.org/en/forum/viewtopic.php?f=6&t=49537 > - https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=64901 > - https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=63279 > - https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=54865 > > I remember some other topics but couldn't find them right now. I confirm > that we are talking about the file encryption and that in most cases, there > is no question on the password itself > > Hagar > > > Le 17/12/2013 21:44, Rob Weir a écrit : > >> I noticed this note, which I thought was odd: >> >> http://listarchives.libreoffice.org/global/users/msg35699.html >> >> I'm hoping this is just a confusion, but we do need to be careful to >> avoid confusion in this area, since it can cause users to panic. >> >> The facts, as I understand them: >> >> There are two features in OpenOffice (and in LibreOffice and Microsoft >> Office) that users refer to when they talk about passwords: >> >> 1) Password protected encrypted documents >> >> 2) Password protected sections, cells, read-only files, etc. >> >> An encrypted document is as good as your password. We use good, high >> quality encryption in ODF documents by default. And we use MS Office >> compatible encryption, which is also good, with Office files. >> >> But in practice most users have far weaker passwords than they should. >> The context of a password protected file is much more vulnerable than >> a website password. A typical website will allow you to attempt a log >> in 3 or 5 times before locking you out for an hour or more. But >> someone who has your encrypted document can attempt to guess the >> password without any such restriction. They can run sophisticated >> programs, standalone password crackers, with GPU hardware acceleration >> to attempt billions of passwords. So a casual password of 6 >> alphanumeric characters will be quickly broken. So given the context >> users should be using longer, more complex passwords. Of course, that >> makes it more likely that they will forget the password and show up on >> the forums when they forget. However you look at it, document-based >> passwords are a 1985 solution to a problem that is better solved today >> in other ways. >> >> As for the protected sections, we should all know that these are >> "honor system" protection mechanisms, essentially child safety locks, >> and offer no real cryptographic protection. This is true in MS Office >> is well. The feature is there to help the user define sections that >> they don't want accidentally deleted, but the password protection can >> be trivially defeated in 30 seconds with a text editor and a copy of >> unzip. This is not a flaw in OpenOffice. This is not a bug. This is >> how the feature was designed and has been used in Microsoft Office and >> even 1-2-3 before then. >> >> Hopefully we're telling users something that is consistent with what I >> outlined above. Of course, it is quite possible that many users will >> not understand this and all they hear is "My password can be broken so >> OpenOffice is bad". >> >> Regards, >> >> -Rob >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org >> For additional commands, e-mail: dev-h...@openoffice.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
