Hi :)  
It's easy to create an extremely secure system.  

The problem is that people then want access to it.  Immediately that creates a 
weakness.  Then they want it to be easy access and if they get that then there 
is no security.  After making a system weak they then complain about it being 
weak and want to upgrade the system and blame the people that set up the 
previous system for failing to keep it secure.  

Most of the fight in creating a secure system is not technical.  It's about 
convincing people not to subvert their own security.  
Regards from
Tom :)  





>________________________________
> From: Steve Edmonds <[email protected]>
>To: [email protected] 
>Cc: 'Sandy Harris' <[email protected]>; [email protected] 
>Sent: Saturday, 20 October 2012, 23:23
>Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?
> 
>It is interesting how insecure password protection is, and how we forgo 
>security for convenience. I recently had to gain access to a Win7 
>machine with lost administrator PW. It was trivial but led me and a work 
>colleague to rainbow tables, GPU cracking and just how fast a PW can be 
>cracked. Our discussions got to slowing things down, double encrypt with 
>different methods (encrypt content with RSA using a hash from a long 
>random password) or not allow automated PW entry (CAPTCHA with PW entry). 
>Either way it becomes inconvenient and therefore will probably not be used.
>
>Steve
>
>On 2012-10-21 09:30, Dennis E. Hamilton wrote:
>> Oh, why is (7) considered Good News, below?
>>
>> Well, it takes 45*365+197 > 16,500 cooperating culprits to crack a 
>> 7-character random password in 1 day.
>>
>> If that seems too feasible (it might be), try a challenging length, like 16 
>> characters.  Just remember the Worse News, (8) in my previous message.
>>
>> At some point, it is necessary to abandon passwords as reliable for 
>> protecting the privacy of encrypted documents.  All they do is increase the 
>> risk that an ordinary user will lose a password and not be able to open one 
>> of their own private documents.
>>
>>   - Dennis
>>
>>
>> -----Original Message-----
>> From: Dennis E. Hamilton [mailto:[email protected]]
>> Sent: Saturday, October 20, 2012 13:15
>> To: 'Sandy Harris'; [email protected]
>> Subject: RE: [libreoffice-users] Re: how to crack a PW in LO?
>>
>> [ ... ]
>>
>>   6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for 
>>longer passwords are heartening:
>>
>>         Pwd   Accent OFFICE
>>      Length   Time Estimate (same conditions)
>>          <5   27m03s
>>          <6   1d19h
>>          <7   173d3h
>>          <8   45y197d
>>
>>      You can see why length and random selection from the full 95 ASCII 
>>codes matters.  Using larger character sets is even better, of course.  I 
>>routinely use 15-character randomly-chosen passwords that are never used for 
>>more than one purpose.
>>
>>   7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on 
>>multiple processors or as a challenge with multiple hackers over the 
>>internet, where the attack space is subdivided.  Normally, one would not want 
>>to share the document, especially if its decryption is extremely valuable.  
>>However, there are parts of encrypted ODF documents that are benign and 
>>usable in a community/cloud-based attack. Once the password is recovered for 
>>that portion, the holder of the complete document can decrypt all of it.
>>
>> [ ... ]
>>
>>
>
>
>-- 
>For unsubscribe instructions e-mail to: [email protected]
>Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>List archive: http://listarchives.libreoffice.org/global/users/
>All messages sent to this list will be publicly archived and cannot be deleted
>
>
>
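The arithmetic behind the quoted table and the "16,500 cooperating culprits" remark, as an added example that is not part of the original thread. It assumes "<8" means "up to 7 characters" and that the guess rate for longer passwords stays the same as in the quoted rows; the function names are illustrative.

```python
CHARSET = 95                      # printable ASCII codes, as stated in the thread
DAY = 86400
UNITS = {"y": 365 * DAY, "d": DAY, "h": 3600, "m": 60, "s": 1}

# Quoted table rows: maximum password length -> time estimate as quoted.
# Assumption: "<8" is read as "up to 7 characters", matching the 7-character remark.
QUOTED = {4: "27m03s", 5: "1d19h", 6: "173d3h", 7: "45y197d"}


def parse_duration(text):
    """Convert strings such as '27m03s' or '45y197d' to seconds."""
    total, digits = 0, ""
    for ch in text:
        if ch.isdigit():
            digits += ch
        else:
            total += int(digits) * UNITS[ch]
            digits = ""
    return total


def growth_ratios():
    """Factor by which the quoted estimate grows for each extra character."""
    secs = [parse_duration(QUOTED[n]) for n in sorted(QUOTED)]
    return [later / earlier for earlier, later in zip(secs, secs[1:])]


def workers_for_deadline(length, deadline=DAY):
    """Equal-speed workers needed to cover the search space within `deadline`."""
    if length < min(QUOTED):
        raise ValueError("no quoted row for lengths this short")
    if length in QUOTED:
        secs = parse_duration(QUOTED[length])
    else:
        # Assumption: same guess rate; every extra character multiplies work by 95.
        secs = parse_duration(QUOTED[7]) * CHARSET ** (length - 7)
    return -(-secs // deadline)   # ceiling division on integers


if __name__ == "__main__":
    print("growth per extra character:", [round(r, 2) for r in growth_ratios()])
    for n in (7, 15, 16):
        print(f"{n:2d} chars: {workers_for_deadline(n):.3e} workers for a 1-day search")
```

The quoted rows grow by a factor of roughly 95 to 97 per character, which is why length dominates: the 7-character row divides across about 16,600 workers, while 16 characters needs on the order of 10^22.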