Here's something more about passwords (not digital signatures) if you are going to take password-based actions with ODF documents: <https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>
This message is not about the provision for digital signatures, since that is not password based. However, the encryption is password based and the encryption is not very strong (and that has nothing to do with whether AES or Blowfish are used). Here's more about ways to either not be exposed to password discovery (AUTHZ160) or to use a password based scheme that is harder to use in determining a password (SHA1DK): <https://tools.oasis-open.org/issues/browse/OFFICE-3703>.

In case y'all somehow missed it, there has recently been massive successful attacking on passwords for web services. The key problem is that the password itself tends to be vulnerable to discovery by using stolen or disclosed hashes for them. While use of salts helps against opportunistic attacks, it will not deter a determined attacker who can crowd-source an attack using readily available personal computers. In fact, the situation is so bad that the provider of a web service with millions of user accounts can't tell the difference between a prank and an actual hack: <http://orcmid.wordpress.com/2012/06/07/password-security-1-social-engineering-an-sha1-hack/>.

 - Dennis

-----Original Message-----
From: Tom Davies [mailto:[email protected]]
Sent: Thursday, June 21, 2012 11:20
To: [email protected]
Subject: Re: [libreoffice-users] Signing Documents with a personal Certificate

Hi :)
Leet speak is a fav. Some sites said it was weak, others said it was fairly tough. The length of a poem would radically increase the strength! Even a little verse would be great.
Regards from Tom :)

--- On Thu, 21/6/12, Marc Grober <[email protected]> wrote:

From: Marc Grober <[email protected]>
Subject: Re: [libreoffice-users] Signing Documents with a personal Certificate
To: [email protected]
Date: Thursday, 21 June, 2012, 16:02

Use a phrase from a poem that you like and substitute - like 0s for os

On 6/20/12 11:50 PM, Steve Edmonds wrote:
> 1 lower case letter, 1 upper case letter, a number, white space and a
> misc symbol, a second additional point for having it over 30 characters
> and don't include any section of your name, or password or email address
> or if it matches a word from the English dictionary.
>
> How's an over 50 supposed to remember a password like that!!
>
> On 2012-06-21 17:47, Marc Grober wrote:
>> https://www.cacert.org/index.php?id=1
>>
>> On 6/20/12 6:14 PM, James Knott wrote:
>>> Marc Grober wrote:
>>>> get a cert from CACert.org
>>> Hmmm...
>>>
>>> I just tried going to that site and got this:
>>>
>>> "This Connection is Untrusted
>>>
>>> You have asked Firefox to connect securely to www.cacert.org, but we
>>> can't
>>> confirm that your connection is secure.
>>>
>>> Normally, when you try to connect securely, sites will present trusted
>>> identification
>>> to prove that you are going to the right place. However, this site's
>>> identity can't be
>>> verified.
>>>
>>>
>>>
>>> What Should I Do?
>>>
>>> If you usually connect to this site without problems, this error could
>>> mean that
>>> someone is trying to impersonate the site, and you shouldn't continue."
>>>
>>> Not good for a certificate site.
>>>
>>
>

--
For unsubscribe instructions e-mail to: [email protected] Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
