For the sake of safety, hopefully these are merely fancy advertising
schemes ;-)
BUT judging by the number of hackers able to steal data in recent
years, these programs may be working ;-(
To be conned or not to be conned by these criminal types, seems to
boil down to using common sense -
something folks once acquired and used; today common sense seems
to have died ;-(
On Tue, Oct 16, 2012 at 9:07 PM, rost52 <[email protected]> wrote:
Dennis,
> When I am reading your long and excellent explanation, I wonder again how
> some PW removing tools, which offer a demo with opening the file or showing
> the PW removed, can claim that the file could be open within a few seconds
> to a minute?
>
>
>
> On 16.10.2012 23:34, Dennis E. Hamilton wrote:
>
>> It is important to separate the use of passwords to set
>> protections from use of a password to encrypt the document.
>>
>> Only "Save with Password" provides cryptographic security
>> of the document.
>>
>> The "Save with Password" encryption is difficult to attack.
>> The password is usually the weakest point and the password
>> may fall to a variety of attacks that use pre-computed
>> dictionaries of SHA1 digests and other brute-force
>> techniques. It is also possible that an attack may break
>> the encryption without discovering the password itself.
>> All of these attacks are believed to required great effort.
>> In general, one should expect that a password used in
>> "Save with Password" is not discoverable unless it is
>> carelessly chosen or heavily reused.
>>
>> The harder the password is to attack, the harder it is
>> to recover, of course.
>>
>> In contrast, all of the protection settings are insecure.
>>
>> The protections are trivial to remove. It can be done
>> by any knowledgeable user with a Zip utility and an XML
>> editor. It is not necessary to know the password to
>> remove the protection. However, all passwords used in
>> making protection settings should be considered compromised.
>> That is because the document stores an SHA1 or other unsalted
>> hash in "plain view" in the document. These hashes are
>> cracked with ease using conventional systems. A password
>> used to set a protection should not be used for any
>> more-private purpose. In particular, if the same passwords
>> are used for protections on unencrypted documents and for
>> saving with password (encryption), the encryption can be
>> broken directly using the SHA1 digest from the protection
>> setting.
>>
>> Protection settings are on spreadsheet fields and sheets.
>> There are protection settings on text as well. The
>> protection against altering change-tracking and the
>> protection for keeping a document read-only are all of
>> this kind. The protection is useful for avoiding mistaken
>> alterations.
>>
>> It is easy for all of these protections to be removed, the
>> document altered, and the protections restored with the
>> very same unlocking password without ever having to
>> know the password.
>>
>> A digital signature can prevent the document from undetected
>> alterations, but that doesn't work for turnaround documents
>> where some alterations are meant to be allowed.
>>
>> There is more explanation of the use and risk of protections,
>> and their removal, here:
>> <https://tools.oasis-open.org/**version-control/svn/oic/**
>> Advisories/00009-**ProtectionKeySafety/trunk/**description.html<https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>
>> >
>>
>> A proposal for more-reliable security of protection passwords
>> (but not the protections themselves) is before the
>> OASIS ODF TC:
>> <https://www.oasis-open.org/**committees/document.php?**document_id=46220<https://www.oasis-open.org/committees/document.php?document_id=46220>
>> >.
>>
>> - Dennis
>>
>>
>> -----Original Message-----
>> From: Dr. R. O Stapf
>> [mailto:reinhold@stapf-online.**com<[email protected]>
>> ]
>> Sent: Tuesday, October 16, 2012 06:30
>> To: [email protected]
>> Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?
>>
>> you are perfectly right about this!!!
>>
>>
>> On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote:
>>
>>> Unless you have a lot of time to kill (days, weeks, months, etc), you
>>> are much better off not
>>> forgetting your password.
>>>
>>
>>
--
For unsubscribe instructions e-mail to: [email protected]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
