Re: [libreoffice-users] Re: how to crack a PW in LO?
On 20-10-12 01:47, anne-ology wrote: Yet an employer has the right to hire those employees he feels will fit into his company, benefiting him, his company and its bottom line. IF someone acts like a fool, as placing lewd photos of himself or using abusive and/or blasphemous language on line, then that employer should have the right to exclude that interviewer from consideration into his company. In fact, I can name quite a few people who have shut their companies down because federal regulations got too hectic - and many will be shutting their doors by next year, if the socialists continue to prosper in DC instead of restoring the US to that which our forefathers' foresaw. Europe is falling into the hands of these non-thinking ones who must think that money grows on trees rather than stemming from the hard work of the industrious ones; remember Chicken Little. anne-ology, This is not the first time you show your ignorance about the real world in Europe. Your laws let the USA look like a story by George Orwell. Apparently you also have no idea what the word socialist means and repeats only the indoctrination by your ultra-right wing media garbage. Please abstain from these useless slanderous remarks, J.L. Blom, The Netherlands -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) It's easy to create an extremely secure system. The problem is that people then want access to it. Immediately that creates a weakness. Then they want it to be easy access and if they get that then there is no security. After making a system weak they then complain about it being weak and want to upgrade the system and blame the people that setup the previous system for failing to keep it secure. Most of the fight in creating a secure system is not technical. It's about convincing people not to subvert their own security. Regards from Tom :) From: Steve Edmonds steve.edmo...@ptglobal.com To: dennis.hamil...@acm.org Cc: 'Sandy Harris' sandyinch...@gmail.com; users@global.libreoffice.org Sent: Saturday, 20 October 2012, 23:23 Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? It is interesting how insecure password protection is, and how we forgo security for convenience, I recently had to gain access to a Win7 machine with lost administrator PW. It was trivial but led me and a work colleague to rainbow tables, GPU cracking and just how fast a PW can be cracked. Our discussions got to slowing things down, double encrypt with different methods (encrypt content with RSA using a hash from a long random password) or not allow automated PW entry (capcha with PW entry). Either way it becomes inconvenient and therefore will probably not be used. Steve On 2012-10-21 09:30, Dennis E. Hamilton wrote: Oh, why is (7) considered Good News, below? Well, it takes 45*365+197 16,500 cooperating culprits to crack a 7-character random password in 1 day. If that seems too feasible (it might be), try a challenging length, like 16 characters. Just remember the Worse News, (8) in my previous message. At some point, it is necessary to abandon passwords as reliable for protecting the privacy of encrypted documents. All they do is increase the risk that an ordinary user will lose a password and not be able to open one of their own private documents. - Dennis -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Saturday, October 20, 2012 13:15 To: 'Sandy Harris'; users@global.libreoffice.org Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? [ ... ] 6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer passwords are heartening: Pwd Accent OFFICE Length Time Estimate (same conditions) 5 27m03s 6 1d19h 7 173d3h 8 45y197d You can see why length and random selection from the full 95 ASCII codes matters. Using larger character sets is even better, of course. I routinely use 15-character randomly-chosen passwords that are never used for more than one purpose. 7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on multiple processors or as a challenge with multiple hackers over the internet, where the attack space is subdivided. Normally, one would not want to share the document, especially if its decryption is extremely valuable. However, there are parts of encrypted ODF documents that are benign and usable in a community/cloud-based attack. Once the password is recovered for that portion, the holder of the complete document can decrypt all of it. [ ... ] -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
RE: [libreoffice-users] Re: how to crack a PW in LO?
In terms of password-based encryption, the vulnerability to direct attack on the password has not changed measurably since ODF 1.0. However, the advances in processor performance have made many more attacks feasible. The move from Blowfish and 8-bit CFB (default) to (optional) AES-CBC has also reduced the amount of work required in an attack because modern processor chips have special instructions to make AES go faster, speeding the trial of different passwords as successful for decryption. Modern x64 processors with fast graphics GPUs help accelerate other stages of an attack as well. The heavy lifting is in creating hashes of trial passwords and then carrying out a key generation process to set up a decryption attempt. There are built in time delays, although the default delay count (1024) is not that daunting. These actions increase the work factor for a password attack, but poor password choices still yield easily. There are also features of OpenOffice-lineage encrypted documents that assist an attack in determining whether it has found a promising decryption or not. TRIAL DECRYPTION I created a Save with Password document using a 4 character password chosen randomly from the full ASCII 95-character set. I used the trial version of Accent OFFICE Password Recovery 7.10 build 2425 x64, available from http://passwordrecoverytools.com/office-password.asp. That release is from July of 2012. I used a Dell Studio XPS 9000 with x64 i7-980 (12 cores @ 3.33GHz), 18GB RAM, and ATI Radeon HD 5980 dual GPU. I am running Windows 7 Ultimate x64 SP1. The Accent OFFICE software does not recognize my GPU so it just pounded the CPU cores. (I have never heard my computer fans work so hard as with this software.) 1. For the document saved from LibreOffice 3.6.2, Accent OFFICE does not recognize the ODF 1.2 use of AES and could not handle the document. (This is doubtless a temporary condition and determined attackers are certainly not so limited.) 2. With the same document and password encrypted in the ODF 1.2 default Blowfish, Accent OFFICE's default attempt had an estimated run time of 1h18m and proposed a test of 235 million passwords. That attempt failed in the 30 minute time-limit of the trial version. 3. I repeated (2) using the option to make a brute-force attack. I specified that characters from the set of all ASCII printable characters (95) were used and that there were not more than 4 characters. The estimate was 85,828,704 tries and 27m03s. In fact, the password was found in under 10 minutes. (I had stepped away that long.) PREDICTIONS 4. BAD NEWS #1: When such software also handles the ODF 1.2 AES options, it will take no longer, perhaps even less time. 5. BAD NEWS #2: No GPU power was applied to this problem. It might not have mattered, but it won't be worse and could provide even more rapid decryption. 6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer passwords are heartening: Pwd Accent OFFICE Length Time Estimate (same conditions) 5 27m03s 6 1d19h 7 173d3h 8 45y197d You can see why length and random selection from the full 95 ASCII codes matters. Using larger character sets is even better, of course. I routinely use 15-character randomly-chosen passwords that are never used for more than one purpose. 7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on multiple processors or as a challenge with multiple hackers over the internet, where the attack space is subdivided. Normally, one would not want to share the document, especially if its decryption is extremely valuable. However, there are parts of encrypted ODF documents that are benign and usable in a community/cloud-based attack. Once the password is recovered for that portion, the holder of the complete document can decrypt all of it. 8. WORSE NEWS #3: The kinds of passwords that folks routinely use to encrypt their own files remain easy to discover. The default 1h14m estimate will probably snag them. This makes recovery of a lost password feasible but it also means the privacy of the password and of the encrypted file is not what you might wish it to be were such a document to leave your personal possession. - Dennis -Original Message- From: Sandy Harris [mailto:sandyinch...@gmail.com] Sent: Friday, October 19, 2012 21:29 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? Googling on open office password crack turns up dozens of things. Here's one that looks real, if outdated: http://www.theregister.co.uk/2007/04/20/openoffice_password_crack/ That's 2007; we can hope O-O have improved the system since then Anyone know? The best-known purveyors of commercial password cracking services are Elcomsoft. PDFs, Word Documents, ... This Elcomsoft presentation on Adobe e-book passwords
RE: [libreoffice-users] Re: how to crack a PW in LO?
Oh, why is (7) considered Good News, below? Well, it takes 45*365+197 16,500 cooperating culprits to crack a 7-character random password in 1 day. If that seems too feasible (it might be), try a challenging length, like 16 characters. Just remember the Worse News, (8) in my previous message. At some point, it is necessary to abandon passwords as reliable for protecting the privacy of encrypted documents. All they do is increase the risk that an ordinary user will lose a password and not be able to open one of their own private documents. - Dennis -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Saturday, October 20, 2012 13:15 To: 'Sandy Harris'; users@global.libreoffice.org Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? [ ... ] 6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer passwords are heartening: Pwd Accent OFFICE Length Time Estimate (same conditions) 5 27m03s 6 1d19h 7 173d3h 8 45y197d You can see why length and random selection from the full 95 ASCII codes matters. Using larger character sets is even better, of course. I routinely use 15-character randomly-chosen passwords that are never used for more than one purpose. 7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on multiple processors or as a challenge with multiple hackers over the internet, where the attack space is subdivided. Normally, one would not want to share the document, especially if its decryption is extremely valuable. However, there are parts of encrypted ODF documents that are benign and usable in a community/cloud-based attack. Once the password is recovered for that portion, the holder of the complete document can decrypt all of it. [ ... ] -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
It is interesting how insecure password protection is, and how we forgo security for convenience, I recently had to gain access to a Win7 machine with lost administrator PW. It was trivial but led me and a work colleague to rainbow tables, GPU cracking and just how fast a PW can be cracked. Our discussions got to slowing things down, double encrypt with different methods (encrypt content with RSA using a hash from a long random password) or not allow automated PW entry (capcha with PW entry). Either way it becomes inconvenient and therefore will probably not be used. Steve On 2012-10-21 09:30, Dennis E. Hamilton wrote: Oh, why is (7) considered Good News, below? Well, it takes 45*365+197 16,500 cooperating culprits to crack a 7-character random password in 1 day. If that seems too feasible (it might be), try a challenging length, like 16 characters. Just remember the Worse News, (8) in my previous message. At some point, it is necessary to abandon passwords as reliable for protecting the privacy of encrypted documents. All they do is increase the risk that an ordinary user will lose a password and not be able to open one of their own private documents. - Dennis -Original Message- From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] Sent: Saturday, October 20, 2012 13:15 To: 'Sandy Harris'; users@global.libreoffice.org Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? [ ... ] 6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer passwords are heartening: Pwd Accent OFFICE Length Time Estimate (same conditions) 5 27m03s 6 1d19h 7 173d3h 8 45y197d You can see why length and random selection from the full 95 ASCII codes matters. Using larger character sets is even better, of course. I routinely use 15-character randomly-chosen passwords that are never used for more than one purpose. 7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on multiple processors or as a challenge with multiple hackers over the internet, where the attack space is subdivided. Normally, one would not want to share the document, especially if its decryption is extremely valuable. However, there are parts of encrypted ODF documents that are benign and usable in a community/cloud-based attack. Once the password is recovered for that portion, the holder of the complete document can decrypt all of it. [ ... ] -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
For the sake of safety, hopefully these are merely fancy advertising schemes ;-) BUT judging by the number of hackers able to steal data in recent years, these programs may be working ;-( To be conned or not to be conned by these criminal types, seems to boil down to using common sense - something folks once acquired and used; today common sense seems to have died ;-( On Tue, Oct 16, 2012 at 9:07 PM, rost52 bugquestcon...@online.de wrote: Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? On 16.10.2012 23:34, Dennis E. Hamilton wrote: It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/**version-control/svn/oic/** Advisories/9-**ProtectionKeySafety/trunk/**description.htmlhttps://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/**committees/document.php?**document_id=46220https://www.oasis-open.org/committees/document.php?document_id=46220 . - Dennis -Original Message- From: Dr. R. O Stapf [mailto:reinhold@stapf-online.**comreinh...@stapf-online.com ] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Yet an employer has the right to hire those employees he feels will fit into his company, benefiting him, his company and its bottom line. IF someone acts like a fool, as placing lewd photos of himself or using abusive and/or blasphemous language on line, then that employer should have the right to exclude that interviewer from consideration into his company. In fact, I can name quite a few people who have shut their companies down because federal regulations got too hectic - and many will be shutting their doors by next year, if the socialists continue to prosper in DC instead of restoring the US to that which our forefathers' foresaw. Europe is falling into the hands of these non-thinking ones who must think that money grows on trees rather than stemming from the hard work of the industrious ones; remember Chicken Little. On Tue, Oct 16, 2012 at 10:38 PM, Jay Lozier jsloz...@gmail.com wrote: On 10/16/2012 09:12 PM, rost52 wrote: I attended last week a seminar on the the legal situation with social networks. The presenting US lawyer mentioned that even in the US asking for FB passwords is illegal. On 16.10.2012 22:59, Jay Lozier wrote: Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account It has not stopped people from asking in a job interview. In most US states it is no explicitly illegal nor is it explicitly illegal in US Federal law. A couple of counter arguments would be: Do you really want me to violate my contract with Facebook?, or Do you realize you are asking me to violate one the most basic tenets of computer security; never reveal your log in credentials to anyone? The first implies that they will ask you to potentially violate a contract or, worse, the law. The second implies they are stupid and are very cavalier about protecting corporate assets. Under US labor law asking the question potentially allows the employer to find out information that they can not legally ask in an interview. This is the primary legal challenge to the question that is an implicit illegal question by the employer. I can truthfully say I do not know my Facebook or virtually any other password because I use a password manager to generate and store them. And I am not in the habit of carrying the file and the manager around on a USB stick. -- Jay Lozier -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 10/19/2012 07:32 PM, anne-ology wrote: For the sake of safety, hopefully these are merely fancy advertising schemes ;-) BUT judging by the number of hackers able to steal data in recent years, these programs may be working ;-( To be conned or not to be conned by these criminal types, seems to boil down to using common sense - something folks once acquired and used; today common sense seems to have died ;-( I have seen many lists of the most common passwords such as password, abc123, qwerty, and the like. Plus many reuse their passwords on several sites so a hacker gets several sites at once. On Tue, Oct 16, 2012 at 9:07 PM, rost52 bugquestcon...@online.de wrote: Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? On 16.10.2012 23:34, Dennis E. Hamilton wrote: It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/**version-control/svn/oic/** Advisories/9-**ProtectionKeySafety/trunk/**description.htmlhttps://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/**committees/document.php?**document_id=46220https://www.oasis-open.org/committees/document.php?document_id=46220 . - Dennis -Original Message- From: Dr. R. O Stapf [mailto:reinhold@stapf-online.**comreinh...@stapf-online.com ] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- Jay Lozier jsloz...@gmail.com -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
just shows lack of common sense. On Fri, Oct 19, 2012 at 6:56 PM, Jay Lozier jsloz...@gmail.com wrote: On 10/19/2012 07:32 PM, anne-ology wrote: For the sake of safety, hopefully these are merely fancy advertising schemes ;-) BUT judging by the number of hackers able to steal data in recent years, these programs may be working ;-( To be conned or not to be conned by these criminal types, seems to boil down to using common sense - something folks once acquired and used; today common sense seems to have died ;-( I have seen many lists of the most common passwords such as password, abc123, qwerty, and the like. Plus many reuse their passwords on several sites so a hacker gets several sites at once. On Tue, Oct 16, 2012 at 9:07 PM, rost52 bugquestcon...@online.de wrote: Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? On 16.10.2012 23:34, Dennis E. Hamilton wrote: It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/version-control/svn/oic/**https://tools.oasis-open.org/**version-control/svn/oic/** Advisories/9-ProtectionKeySafety/trunk/description.html https://**tools.oasis-open.org/version-**control/svn/oic/Advisories/** 9-ProtectionKeySafety/**trunk/description.htmlhttps://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/committees/document.php? document_id=46220https://www.oasis-open.org/**committees/document.php?**document_id=46220 https://www.**oasis-open.org/committees/** document.php?document_id=46220https://www.oasis-open.org/committees/document.php?document_id=46220 ** . - Dennis From: Dr. R. O Stapf [mailto:reinhold@stapf-online.com reinhold@stapf-online.**com reinh...@stapf-online.com ] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org
Re: [libreoffice-users] Re: how to crack a PW in LO?
Googling on open office password crack turns up dozens of things. Here's one that looks real, if outdated: http://www.theregister.co.uk/2007/04/20/openoffice_password_crack/ That's 2007; we can hope O-O have improved the system since then Anyone know? The best-known purveyors of commercial password cracking services are Elcomsoft. PDFs, Word Documents, ... This Elcomsoft presentation on Adobe e-book passwords http://www.cs.cmu.edu/~dst/Adobe/Gallery/ds-defcon/sld001.htm got their employee Dimitri Skylarov arrested, and led to much controversy. Eventually, charges were dropped. Turns out they have one for O-O. http://www.downloadatlas.com/elcomsoft_recovery/openoffice-password-recovery-by-intelore.html -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 17.10.2012 12:38, Jay Lozier wrote: On 10/16/2012 09:12 PM, rost52 wrote: I attended last week a seminar on the the legal situation with social networks. The presenting US lawyer mentioned that even in the US asking for FB passwords is illegal. On 16.10.2012 22:59, Jay Lozier wrote: Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account It has not stopped people from asking in a job interview. In most US states it is no explicitly illegal nor is it explicitly illegal in US Federal law. A couple of counter arguments would be: Do you really want me to violate my contract with Facebook?, or Do you realize you are asking me to violate one the most basic tenets of computer security; never reveal your log in credentials to anyone? The first implies that they will ask you to potentially violate a contract or, worse, the law. The second implies they are stupid and are very cavalier about protecting corporate assets. Under US labor law asking the question potentially allows the employer to find out information that they can not legally ask in an interview. This is the primary legal challenge to the question that is an implicit illegal question by the employer. I can truthfully say I do not know my Facebook or virtually any other password because I use a password manager to generate and store them. And I am not in the habit of carrying the file and the manager around on a USB stick. Great ways out of troubles! Thanks. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
I meant xls files in MS EXCEL 2003 when I wrote about the short times needed to open them. I protected them against opening. I never tested a LO file so far - hope I never have to!!! Here are some links I checked, however I don't recall what was the result for each link. Most of the links I deleted. I just searched for password remove excel http://www.password-changer.com/ http://www.lostpassword.com/windows.htm http://www.unprotect-excel.com/ http://www.passwordlastic.com/excel-password-recovery-lastic http://www.petri.co.il/excel-password-recovery.htm http://www.freewordexcelpassword.com/ http://www.straxx.com/free-excel-password-remover-2012/ http://www.youtube.com/watch?v=lycQn5a3bPo http://www.youtube.com/watch?v=ik-LfgDwh8I On 17.10.2012 13:05, Dennis E. Hamilton wrote: If you're talking about files with protections, minutes is on the long side. It is trivial to remove protections. If you're talking about Libre Office files created by Save As ... | Save with Password options, I would like to know who is claiming they can do that in any reasonable time. There are some older forms of Microsoft Word save with password that are easy to crack. Not newer ones though. Although I have concerns about the quality of the encryption used in ODF documents (what Save As ... | Save with Password uses), I don't think you're going to find any commodity software that is able to crack those in any feasible time period. If there is, that needs to be widely known. Care to share any links? - Dennis -Original Message- From: rost52 [mailto:bugquestcon...@online.de] Sent: Tuesday, October 16, 2012 19:07 To: dennis.hamil...@acm.org Cc: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? [ ... ] -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) This is pitiful. OpenSource sometimes has a reputation of being where reformed hackers go when they grow up or when they want more kudos. Maybe the devs list might have ideas? It's just 1 password! It can't be this tough! Maybe that reputation is just more FUD after all! Maybe try with Caps Lock off and then again with Caps Lock on. For some reason it recently seemed to make a difference if Num Lock was on, even when it was on i would have to switch it off and then on again. I thought it was just me but it's happened to me on a few different machines now and on all 3 OSes i commonly use. Hmm, it could still be me. Regards from Tom :) --- On Tue, 16/10/12, Jean-Louis Oneto jl.on...@free.fr wrote: From: Jean-Louis Oneto jl.on...@free.fr Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Tuesday, 16 October, 2012, 1:40 I used the following: http://www.crackpdf.com/ but not the Pro version which allows to make brute force attack, but then, they warn you that it will take _a_long_time_ !!! To remove simple protections, it was really fast, but they unlock the file without retrieving the password (or at least they don't display it) Reards, Jean-Louis On 16/10/2012 00:23, Dr. R. O Stapf wrote: On 16.10.2012 03:32, Tom Davies wrote: Hi :) The trick is to try to remember what you might have been thinking about at the time. If that's even possible for anyone! There is no password cracking functionality or Extension for LO it's just the inept way MS fails to implement security. Just double-click on an xls or open LO and drop the xls into it or open LO and choose File - Open to navigate to and open the xls. File opens. My company's finance department asked me to add something to one of their spreadsheets but 'forgot' to tell me the password. One of them rushed down to give me the password but was somewhat mortified to find i had already made the change without having the slightest idea that there even was a password. There was a very cofusing conversation where neither of us had a clue what the other was talking about until i figured it out. The company still uses Excel and still attempts to 'protect' those spreadsheets with passwords that don't work. Occasionally people give me other files they want cracked which gives me a morale dilemma each time. Usually i just give a really half-hearted non-effort and then fob them off. Regards from Tom :) --- On Mon, 15/10/12, Dr. R. O Stapf reinh...@stapf-online.com wrote: From: Dr. R. O Stapf reinh...@stapf-online.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 On 15.10.2012 23:11, Andreas Säger wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. Thanks for the information. It seems that my version of LO 3.5.6.2 is too young to ignore the PW of an xls file. However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Thanks to all of you providing me with lots of hints on not to forget passwords or prepare in advance for it. The SW I am using to crack an xls-file runs already for more than 60 h in the background. It's a nothing to loose only to win job. 6 or 8 digits alphanumeric no special characters is the PW used. Thereafter I will make a test cracking an LO file. The only thing which makes me wonder is that there are PW removing SW commercially availabe which run demos and claim within 10 - 30 sec they could remove the PW but open the xls file only when I purchase a full license. Does someone has experience with such a SW? -- Jean-Louis Oneto email: jl.on...@free.fr -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
I wrote my own password cracker for OOo files, but as you found, they run for a very long time. I did it just to see how well it would, or would not work. Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 10/16/2012 04:15 AM, Tom Davies wrote: Hi :) This is pitiful. OpenSource sometimes has a reputation of being where reformed hackers go when they grow up or when they want more kudos. Maybe the devs list might have ideas? It's just 1 password! It can't be this tough! Maybe that reputation is just more FUD after all! Maybe try with Caps Lock off and then again with Caps Lock on. For some reason it recently seemed to make a difference if Num Lock was on, even when it was on i would have to switch it off and then on again. I thought it was just me but it's happened to me on a few different machines now and on all 3 OSes i commonly use. Hmm, it could still be me. Regards from Tom :) Password cracking is not a hacking problem but statistical problem. On a typical US keyboard there are 46 keys that generate 2 characters each for a total of 92 possible characters for each character in a password. If you have no restrictions on character use you have 92^x possible characters in the password where x is the password length. If x is large then the time to crack will increase very rapidly. For example if your password is a word with or without simple substitutions (eg. su6t1tUt10ns) and punctuation at the end it is susceptible to a dictionary attack. If your password is random gibberish (e.g. TW.TI??RX%LckW@pgeiAl}C$YWH7mLa{;MbrDQ^'qiWv*x8|9.aiGJVK52 ) that includes any character on the keyboard in a random order then it will take longer because a dictionary attack will not work and each possible combination must be tested.The length of your password affects how many possible guesses must be made. With a particular computer(s) you have fairly fixed rate of how many guesses per minute you can estimate the approximate time it will take to break a password. The example above is 64 characters of gibberish and if you do not know what the password length is you must each possible combination of characters starting with 1 (or some other known minimum). Potentially you may need to test 92^64 + 92^63 + 92 ^ 62 + ... + 92^1 possible combinations for the password. I use a password manager that I can set the length of the password to an arbitrary length and have it generate string of gibberish that I do not memorize. Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account. --- On Tue, 16/10/12, Jean-Louis Oneto jl.on...@free.fr wrote: From: Jean-Louis Oneto jl.on...@free.fr Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Tuesday, 16 October, 2012, 1:40 I used the following: http://www.crackpdf.com/ but not the Pro version which allows to make brute force attack, but then, they warn you that it will take _a_long_time_ !!! To remove simple protections, it was really fast, but they unlock the file without retrieving the password (or at least they don't display it) Reards, Jean-Louis On 16/10/2012 00:23, Dr. R. O Stapf wrote: On 16.10.2012 03:32, Tom Davies wrote: Hi :) The trick is to try to remember what you might have been thinking about at the time. If that's even possible for anyone! There is no password cracking functionality or Extension for LO it's just the inept way MS fails to implement security. Just double-click on an xls or open LO and drop the xls into it or open LO and choose File - Open to navigate to and open the xls. File opens. My company's finance department asked me to add something to one of their spreadsheets but 'forgot' to tell me the password. One of them rushed down to give me the password but was somewhat mortified to find i had already made the change without having the slightest idea that there even was a password. There was a very cofusing conversation where neither of us had a clue what the other was talking about until i figured it out. The company still uses Excel and still attempts to 'protect' those spreadsheets with passwords that don't work. Occasionally people give me other files they want cracked which gives me a morale dilemma each time. Usually i just give a really half-hearted non-effort and then fob them off. Regards from Tom :) --- On Mon, 15/10/12, Dr. R. O Stapf reinh...@stapf-online.com wrote: From: Dr. R. O Stapf reinh...@stapf-online.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 On 15.10.2012 23:11, Andreas Säger wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi Jay :) That is an interesting idea - not to know your own password(s). You definitely can't forget what you don't know. Worth following that concept .. One of my friends would set his sharable password to iwonttell (I won't tell). He then would keep fighting back and forth for sometime when somebody would request him his password and get offended by the dramatic answer. He would explain just before something broke down that the string he uttered is to be taken as password and not as a meaningful statement! regards, - Viral Orpe :) . I use a password manager that I can set the length of the password to an arbitrary length and have it generate string of gibberish that I do not memorize. Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account.. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
RE: [libreoffice-users] Re: how to crack a PW in LO?
It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/committees/document.php?document_id=46220. - Dennis -Original Message- From: Dr. R. O Stapf [mailto:reinh...@stapf-online.com] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) Brilliant!! Ahhh, just thought of a problem. Was it xls or xlsX? If it has an X at the end then just rename the file to replace .xlsx with .zip and then double-click on it. Can the xml files be pulled into a new file without pulling the password along at the same time? Regards from Tom :) From: Dennis E. Hamilton dennis.hamil...@acm.org To: 'Dr. R. O Stapf' reinh...@stapf-online.com; users@global.libreoffice.org Sent: Tuesday, 16 October 2012, 14:34 Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/committees/document.php?document_id=46220. - Dennis -Original Message- From: Dr. R. O Stapf [mailto:reinh...@stapf-online.com] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
RE: [libreoffice-users] Re: how to crack a PW in LO?
Some protections are preserved in conversions between Office binaries and OpenOffice. But the protections in OOXML have digital hashes that are computed differently than those in ODF. They are not inter-convertible. Since the implementations tend to drop those protections in either direction, there is an easy round-trip technique to over-ride protections (but not encryption). Of course, there may be other incompatibilities that can have the result be undesirable. - Dennis PS: To preserve the protection, you'd either have to recover the password and rehash, or ask the user for the password as part of the conversion so it could be rehashed. There are conceivable extensions in the implementation of ODF that could facilitate protection preservation, but it might not be worth the effort considering that the protections don't really protect anything [;). -Original Message- From: Tom Davies [mailto:tomdavie...@yahoo.co.uk] Sent: Tuesday, October 16, 2012 08:21 To: dennis.hamil...@acm.org; 'Dr. R. O Stapf'; users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? Hi :) Brilliant!! Ahhh, just thought of a problem. Was it xls or xlsX? If it has an X at the end then just rename the file to replace .xlsx with .zip and then double-click on it. Can the xml files be pulled into a new file without pulling the password along at the same time? Regards from Tom :) From: Dennis E. Hamilton dennis.hamil...@acm.org To: 'Dr. R. O Stapf' reinh...@stapf-online.com; users@global.libreoffice.org Sent: Tuesday, 16 October 2012, 14:34 Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/committees/document.php?document_id=46220. - Dennis -Original Message- From: Dr. R. O Stapf [mailto:reinh...@stapf-online.com] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems?
RE: [libreoffice-users] Re: how to crack a PW in LO?
I don't understand the XML question. In ODT and ODS, the protection keys are in the content.xml and settings.xml files. You can just delete the settings.xml to get rid of those protections (read-only and change-tracking). For the protection locks in the content.xml, you need to edit the xml. The web page on Safe Use of Protection sketches one approach at the end. For OOXML (.xlsx), the structure of the files is more complicated and I have not done the work to figure out how to hunt down and defeat the protections there. The simple approach is to simply try a cross-product transfer. Open the .xslx in LO; open the .ods in Microsoft Office. -Original Message- From: Tom Davies [mailto:tomdavie...@yahoo.co.uk] Sent: Tuesday, October 16, 2012 08:21 To: dennis.hamil...@acm.org; 'Dr. R. O Stapf'; users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? Hi :) Brilliant!! Ahhh, just thought of a problem. Was it xls or xlsX? If it has an X at the end then just rename the file to replace .xlsx with .zip and then double-click on it. Can the xml files be pulled into a new file without pulling the password along at the same time? Regards from Tom :) [ ... ] -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) I think the intention at this point is just to get rid of the password protection and open the file, or at least the data in the file. Protecting it again is for another day! Regards from Tom :) From: Dennis E. Hamilton dennis.hamil...@acm.org To: 'Tom Davies' tomdavie...@yahoo.co.uk; 'Dr. R. O Stapf' reinh...@stapf-online.com; users@global.libreoffice.org Sent: Tuesday, 16 October 2012, 15:37 Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? Some protections are preserved in conversions between Office binaries and OpenOffice. But the protections in OOXML have digital hashes that are computed differently than those in ODF. They are not inter-convertible. Since the implementations tend to drop those protections in either direction, there is an easy round-trip technique to over-ride protections (but not encryption). Of course, there may be other incompatibilities that can have the result be undesirable. - Dennis PS: To preserve the protection, you'd either have to recover the password and rehash, or ask the user for the password as part of the conversion so it could be rehashed. There are conceivable extensions in the implementation of ODF that could facilitate protection preservation, but it might not be worth the effort considering that the protections don't really protect anything [;). -Original Message- From: Tom Davies [mailto:tomdavie...@yahoo.co.uk] Sent: Tuesday, October 16, 2012 08:21 To: dennis.hamil...@acm.org; 'Dr. R. O Stapf'; users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? Hi :) Brilliant!! Ahhh, just thought of a problem. Was it xls or xlsX? If it has an X at the end then just rename the file to replace .xlsx with .zip and then double-click on it. Can the xml files be pulled into a new file without pulling the password along at the same time? Regards from Tom :) From: Dennis E. Hamilton dennis.hamil...@acm.org To: 'Dr. R. O Stapf' reinh...@stapf-online.com; users@global.libreoffice.org Sent: Tuesday, 16 October 2012, 14:34 Subject: RE: [libreoffice-users] Re: how to crack a PW in LO? It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/committees/document.php?document_id=46220. - Dennis -Original Message- From: Dr. R. O Stapf
Re: [libreoffice-users] Re: how to crack a PW in LO?
I attended last week a seminar on the the legal situation with social networks. The presenting US lawyer mentioned that even in the US asking for FB passwords is illegal. On 16.10.2012 22:59, Jay Lozier wrote: Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
yes, it's due to the privacy laws. On Tue, Oct 16, 2012 at 8:12 PM, rost52 bugquestcon...@online.de wrote: I attended last week a seminar on the the legal situation with social networks. The presenting US lawyer mentioned that even in the US asking for FB passwords is illegal. On 16.10.2012 22:59, Jay Lozier wrote: Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? On 16.10.2012 23:34, Dennis E. Hamilton wrote: It is important to separate the use of passwords to set protections from use of a password to encrypt the document. Only Save with Password provides cryptographic security of the document. The Save with Password encryption is difficult to attack. The password is usually the weakest point and the password may fall to a variety of attacks that use pre-computed dictionaries of SHA1 digests and other brute-force techniques. It is also possible that an attack may break the encryption without discovering the password itself. All of these attacks are believed to required great effort. In general, one should expect that a password used in Save with Password is not discoverable unless it is carelessly chosen or heavily reused. The harder the password is to attack, the harder it is to recover, of course. In contrast, all of the protection settings are insecure. The protections are trivial to remove. It can be done by any knowledgeable user with a Zip utility and an XML editor. It is not necessary to know the password to remove the protection. However, all passwords used in making protection settings should be considered compromised. That is because the document stores an SHA1 or other unsalted hash in plain view in the document. These hashes are cracked with ease using conventional systems. A password used to set a protection should not be used for any more-private purpose. In particular, if the same passwords are used for protections on unencrypted documents and for saving with password (encryption), the encryption can be broken directly using the SHA1 digest from the protection setting. Protection settings are on spreadsheet fields and sheets. There are protection settings on text as well. The protection against altering change-tracking and the protection for keeping a document read-only are all of this kind. The protection is useful for avoiding mistaken alterations. It is easy for all of these protections to be removed, the document altered, and the protections restored with the very same unlocking password without ever having to know the password. A digital signature can prevent the document from undetected alterations, but that doesn't work for turnaround documents where some alterations are meant to be allowed. There is more explanation of the use and risk of protections, and their removal, here: https://tools.oasis-open.org/version-control/svn/oic/Advisories/9-ProtectionKeySafety/trunk/description.html A proposal for more-reliable security of protection passwords (but not the protections themselves) is before the OASIS ODF TC: https://www.oasis-open.org/committees/document.php?document_id=46220. - Dennis -Original Message- From: Dr. R. O Stapf [mailto:reinh...@stapf-online.com] Sent: Tuesday, October 16, 2012 06:30 To: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? you are perfectly right about this!!! On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote: Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 10/16/2012 09:12 PM, rost52 wrote: I attended last week a seminar on the the legal situation with social networks. The presenting US lawyer mentioned that even in the US asking for FB passwords is illegal. On 16.10.2012 22:59, Jay Lozier wrote: Anyone asking for my Facebook password in a job interview is out of luck; I do not know it because I use a password manager and each password I use is generated per account It has not stopped people from asking in a job interview. In most US states it is no explicitly illegal nor is it explicitly illegal in US Federal law. A couple of counter arguments would be: Do you really want me to violate my contract with Facebook?, or Do you realize you are asking me to violate one the most basic tenets of computer security; never reveal your log in credentials to anyone? The first implies that they will ask you to potentially violate a contract or, worse, the law. The second implies they are stupid and are very cavalier about protecting corporate assets. Under US labor law asking the question potentially allows the employer to find out information that they can not legally ask in an interview. This is the primary legal challenge to the question that is an implicit illegal question by the employer. I can truthfully say I do not know my Facebook or virtually any other password because I use a password manager to generate and store them. And I am not in the habit of carrying the file and the manager around on a USB stick. -- Jay Lozier jsloz...@gmail.com -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
RE: [libreoffice-users] Re: how to crack a PW in LO?
If you're talking about files with protections, minutes is on the long side. It is trivial to remove protections. If you're talking about Libre Office files created by Save As ... | Save with Password options, I would like to know who is claiming they can do that in any reasonable time. There are some older forms of Microsoft Word save with password that are easy to crack. Not newer ones though. Although I have concerns about the quality of the encryption used in ODF documents (what Save As ... | Save with Password uses), I don't think you're going to find any commodity software that is able to crack those in any feasible time period. If there is, that needs to be widely known. Care to share any links? - Dennis -Original Message- From: rost52 [mailto:bugquestcon...@online.de] Sent: Tuesday, October 16, 2012 19:07 To: dennis.hamil...@acm.org Cc: users@global.libreoffice.org Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? [ ... ] -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 10/16/2012 10:07 PM, rost52 wrote: Dennis, When I am reading your long and excellent explanation, I wonder again how some PW removing tools, which offer a demo with opening the file or showing the PW removed, can claim that the file could be open within a few seconds to a minute? I vaguely remember that there were some versions of MS Office that encrypted using methods that where trivial to crack (ie, minutes). Perhaps it is related to that. -- Andrew Pitonyak My Macro Document: http://www.pitonyak.org/AndrewMacro.odt Info: http://www.pitonyak.org/oo.php -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
[libreoffice-users] Re: how to crack a PW in LO?
Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 15.10.2012 23:11, Andreas Säger wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. Thanks for the information. It seems that my version of LO 3.5.6.2 is too young to ignore the PW of an xls file. However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
[libreoffice-users] Re: how to crack a PW in LO?
Am 15.10.2012 16:30, Dr. R. O Stapf wrote: However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. There is no way to open encrypted ODF other than a brute force script working through a list of possible passwords. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
gvfe ..dtnd e eeir2 Sent from my MetroPCS Android Device Andreas Säger ville...@t-online.de wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Le 15/10/2012 16:30, Dr. R. O Stapf a écrit : [...] However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Buy a super-computer, launch a brute force algorithm and pray that the password is a short word from the standard English vocabulary. Best regards. JBF -- Seuls des formats ouverts peuvent assurer la pérennité de vos documents. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 15.10.2012 23:46, Jean-Baptiste Faure wrote: Le 15/10/2012 16:30, Dr. R. O Stapf a écrit : [...] However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Buy a super-computer, launch a brute force algorithm and pray that the password is a short word from the standard English vocabulary. Best regards. JBF Thanks to JBF and Andreas for their hints. As I have a little program which makes brute force approach I will run a test to see if this is possible with PW protected LO files. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 10/15/2012 12:00 PM, Dr. R. O Stapf wrote: On 15.10.2012 23:46, Jean-Baptiste Faure wrote: Le 15/10/2012 16:30, Dr. R. O Stapf a écrit : [...] However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Buy a super-computer, launch a brute force algorithm and pray that the password is a short word from the standard English vocabulary. Best regards. JBF Thanks to JBF and Andreas for their hints. As I have a little program which makes brute force approach I will run a test to see if this is possible with PW protected LO files. For future reference, if you have to create a password protected document [for viewing or editing] make sure you use one that will not be forgotten or WRITE IT DOWN somewhere and save it in your filing cabinet. At one computer center I worked, they taped the needed passwords on the back of the keyboard. You needed a door key to get into the place, so the passwords were protected, but that way all the personnel will be able to access the needed systems and not forget the needed passwords. I use a list of about a dozen passwords. So if I forget which one I used, I just go down the mental list till I get the one I used for that application or document. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) I apply an algorithm to the name of whatever it is that i am doing and then apply a series of standard characters at set locations. The set of characters and their locations depends on which of 3 categories the thing fits into 1. Something i really don't want to have cracked, such as my bank, in which case i try to use the longest relevant 'name' 2. Something that it would be good not to get cracked but not really too fussed about 3. Something that i wouldn't care about sharing the password with pretty much anyone LO and most of my work passwords fall into the 3rd. One at work falls into the 1st. So, i don't need to write anything down anywhere but do tend to lose track of which sites and stuff i do have passwords for and which i might need to register at. Usually i just try out the password i would use and if i don't get in then i try to register (or give up) Regards from Tom :) --- On Mon, 15/10/12, webmaster-Kracked_P_P webmas...@krackedpress.com wrote: From: webmaster-Kracked_P_P webmas...@krackedpress.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Monday, 15 October, 2012, 17:29 On 10/15/2012 12:00 PM, Dr. R. O Stapf wrote: On 15.10.2012 23:46, Jean-Baptiste Faure wrote: Le 15/10/2012 16:30, Dr. R. O Stapf a écrit : [...] However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Buy a super-computer, launch a brute force algorithm and pray that the password is a short word from the standard English vocabulary. Best regards. JBF Thanks to JBF and Andreas for their hints. As I have a little program which makes brute force approach I will run a test to see if this is possible with PW protected LO files. For future reference, if you have to create a password protected document [for viewing or editing] make sure you use one that will not be forgotten or WRITE IT DOWN somewhere and save it in your filing cabinet. At one computer center I worked, they taped the needed passwords on the back of the keyboard. You needed a door key to get into the place, so the passwords were protected, but that way all the personnel will be able to access the needed systems and not forget the needed passwords. I use a list of about a dozen passwords. So if I forget which one I used, I just go down the mental list till I get the one I used for that application or document. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On Mon, Oct 15, 2012 at 7:30 AM, Ledger Consulting t...@theledgerfirm.com wrote: gvfe ..dtnd e eeir2 What? -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Le 15/10/2012 18:00, Dr. R. O Stapf a écrit : On 15.10.2012 23:46, Jean-Baptiste Faure wrote: Le 15/10/2012 16:30, Dr. R. O Stapf a écrit : [...] However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Buy a super-computer, launch a brute force algorithm and pray that the password is a short word from the standard English vocabulary. [...] Thanks to JBF and Andreas for their hints. As I have a little program which makes brute force approach I will run a test to see if this is possible with PW protected LO files. I tried that with a software named password recovery or something like that. It failed to find a 6 characters password in 8 hours on a standard PC. Best regards. JBF -- Seuls des formats ouverts peuvent assurer la pérennité de vos documents. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) Cat on the keyboard? Keys in the pocket? Regards from Tom :) --- On Mon, 15/10/12, Ledger Consulting t...@theledgerfirm.com wrote: From: Ledger Consulting t...@theledgerfirm.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: ville...@t-online.de, users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 gvfe ..dtnd e eeir2 Sent from my MetroPCS Android Device Andreas Säger ville...@t-online.de wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
Hi :) The trick is to try to remember what you might have been thinking about at the time. If that's even possible for anyone! There is no password cracking functionality or Extension for LO it's just the inept way MS fails to implement security. Just double-click on an xls or open LO and drop the xls into it or open LO and choose File - Open to navigate to and open the xls. File opens. My company's finance department asked me to add something to one of their spreadsheets but 'forgot' to tell me the password. One of them rushed down to give me the password but was somewhat mortified to find i had already made the change without having the slightest idea that there even was a password. There was a very cofusing conversation where neither of us had a clue what the other was talking about until i figured it out. The company still uses Excel and still attempts to 'protect' those spreadsheets with passwords that don't work. Occasionally people give me other files they want cracked which gives me a morale dilemma each time. Usually i just give a really half-hearted non-effort and then fob them off. Regards from Tom :) --- On Mon, 15/10/12, Dr. R. O Stapf reinh...@stapf-online.com wrote: From: Dr. R. O Stapf reinh...@stapf-online.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 On 15.10.2012 23:11, Andreas Säger wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. Thanks for the information. It seems that my version of LO 3.5.6.2 is too young to ignore the PW of an xls file. However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 10/15/2012 02:15 PM, Tom Davies wrote: Hi :) Cat on the keyboard? Keys in the pocket? Regards from Tom :) Your cats spell better than mine (LOL) --- On Mon, 15/10/12, Ledger Consulting t...@theledgerfirm.com wrote: From: Ledger Consulting t...@theledgerfirm.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: ville...@t-online.de, users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 gvfe ..dtnd e eeir2 Sent from my MetroPCS Android Device Andreas Säger ville...@t-online.de wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- Jay Lozier jsloz...@gmail.com -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 16.10.2012 02:14, MR ZenWiz wrote: On Mon, Oct 15, 2012 at 7:30 AM, Ledger Consulting t...@theledgerfirm.com wrote: gvfe ..dtnd e eeir2 What? encrypted message - problem is that I cannot understand it. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
When my cat was alive, he use to lay on the keyboard and not move. He wanted the attention I gave the computer, since he was not getting it. I am not going to tell you how many time he messed thing up for me when he did that. He use to lay down on, or sit on, the closed laptop just to tell me what he thought of it getting all his attention he should be getting and was not. I just has to call my cell phone, a few minutes ago, to find where I put it down to. Of course it was hiding in plain site, and in its new case I just got on Saturday. Sometimes, no matter what we do, we can forget the important or loose things in plain site. The same goes for passwords. I bet it is something simple you would think to use but your mind refuses to remember. I was thinking about needing to remember to web search a TV series title last night just after I turned the light out. I should have written it down, since I cannot remember what it was at all this morning and all day today. When I do not want to know what it is, then I MAY remember it, if it is not lost forever. Hopefully you will have more luck than I have with remembering such things. That is why I have a list of passwords I use, with some that I just use if there is a need for one but not a need to keep it from getting out. pumpkin is the style of such a password. Actually I love to use characters in stories I use to write when I was in school and needed something to relay me. On 10/15/2012 03:20 PM, Jay Lozier wrote: On 10/15/2012 02:15 PM, Tom Davies wrote: Hi :) Cat on the keyboard? Keys in the pocket? Regards from Tom :) Your cats spell better than mine (LOL) --- On Mon, 15/10/12, Ledger Consulting t...@theledgerfirm.com wrote: From: Ledger Consulting t...@theledgerfirm.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: ville...@t-online.de, users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 gvfe ..dtnd e eeir2 Sent from my MetroPCS Android Device Andreas Säger ville...@t-online.de wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 16.10.2012 03:32, Tom Davies wrote: Hi :) The trick is to try to remember what you might have been thinking about at the time. If that's even possible for anyone! There is no password cracking functionality or Extension for LO it's just the inept way MS fails to implement security. Just double-click on an xls or open LO and drop the xls into it or open LO and choose File - Open to navigate to and open the xls. File opens. My company's finance department asked me to add something to one of their spreadsheets but 'forgot' to tell me the password. One of them rushed down to give me the password but was somewhat mortified to find i had already made the change without having the slightest idea that there even was a password. There was a very cofusing conversation where neither of us had a clue what the other was talking about until i figured it out. The company still uses Excel and still attempts to 'protect' those spreadsheets with passwords that don't work. Occasionally people give me other files they want cracked which gives me a morale dilemma each time. Usually i just give a really half-hearted non-effort and then fob them off. Regards from Tom :) --- On Mon, 15/10/12, Dr. R. O Stapf reinh...@stapf-online.com wrote: From: Dr. R. O Stapf reinh...@stapf-online.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 On 15.10.2012 23:11, Andreas Säger wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. Thanks for the information. It seems that my version of LO 3.5.6.2 is too young to ignore the PW of an xls file. However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Thanks to all of you providing me with lots of hints on not to forget passwords or prepare in advance for it. The SW I am using to crack an xls-file runs already for more than 60 h in the background. It's a nothing to loose only to win job. 6 or 8 digits alphanumeric no special characters is the PW used. Thereafter I will make a test cracking an LO file. The only thing which makes me wonder is that there are PW removing SW commercially availabe which run demos and claim within 10 - 30 sec they could remove the PW but open the xls file only when I purchase a full license. Does someone has experience with such a SW? -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
I used the following: http://www.crackpdf.com/ but not the Pro version which allows to make brute force attack, but then, they warn you that it will take _a_long_time_ !!! To remove simple protections, it was really fast, but they unlock the file without retrieving the password (or at least they don't display it) Reards, Jean-Louis On 16/10/2012 00:23, Dr. R. O Stapf wrote: On 16.10.2012 03:32, Tom Davies wrote: Hi :) The trick is to try to remember what you might have been thinking about at the time. If that's even possible for anyone! There is no password cracking functionality or Extension for LO it's just the inept way MS fails to implement security. Just double-click on an xls or open LO and drop the xls into it or open LO and choose File - Open to navigate to and open the xls. File opens. My company's finance department asked me to add something to one of their spreadsheets but 'forgot' to tell me the password. One of them rushed down to give me the password but was somewhat mortified to find i had already made the change without having the slightest idea that there even was a password. There was a very cofusing conversation where neither of us had a clue what the other was talking about until i figured it out. The company still uses Excel and still attempts to 'protect' those spreadsheets with passwords that don't work. Occasionally people give me other files they want cracked which gives me a morale dilemma each time. Usually i just give a really half-hearted non-effort and then fob them off. Regards from Tom :) --- On Mon, 15/10/12, Dr. R. O Stapf reinh...@stapf-online.com wrote: From: Dr. R. O Stapf reinh...@stapf-online.com Subject: Re: [libreoffice-users] Re: how to crack a PW in LO? To: users@global.libreoffice.org Date: Monday, 15 October, 2012, 15:30 On 15.10.2012 23:11, Andreas Säger wrote: Am 15.10.2012 15:49, rost52 wrote: LO files can be protected with PWs when doing save as. Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the MS related PW remover be used for LO as well? Thanks in advance for comments. xls does not encript your document. The only thing that gets encrypted is the password. Any old version of OpenOffice.org opens a password protected xls ignoring the password. Thanks for the information. It seems that my version of LO 3.5.6.2 is too young to ignore the PW of an xls file. However, my question was how to open an LO file if the PW get forgotten (not and MS file)? Hints are welcome for the future. Thanks to all of you providing me with lots of hints on not to forget passwords or prepare in advance for it. The SW I am using to crack an xls-file runs already for more than 60 h in the background. It's a nothing to loose only to win job. 6 or 8 digits alphanumeric no special characters is the PW used. Thereafter I will make a test cracking an LO file. The only thing which makes me wonder is that there are PW removing SW commercially availabe which run demos and claim within 10 - 30 sec they could remove the PW but open the xls file only when I purchase a full license. Does someone has experience with such a SW? -- Jean-Louis Oneto email: jl.on...@free.fr -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: how to crack a PW in LO?
On 16.10.2012 09:40, Jean-Louis Oneto wrote: I used the following: http://www.crackpdf.com/ but not the Pro version which allows to make brute force attack, but then, they warn you that it will take _a_long_time_ !!! To remove simple protections, it was really fast, but they unlock the file without retrieving the password (or at least they don't display it) Reards, Jean-Louis Jean-Louis, thanks for the hint and link! -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted