The cleartext password is revealed. The cracking process does not depend on the ODF file size; the first step of cracking is extracting a password hash from the ODF file.

On 08.03.2014 09:31, Rory O'Farrell wrote:
> On Sat, 08 Mar 2014 07:46:06 +0100
> Klaus Muth <m...@hagos.de> wrote:
>
>> Quick update.
>>
>> Since I was really interested in password security of OpenOffice, Vanessa had
>> not much trouble to talk me into giving it a try. So I compiled an MPI
>> version of john and started it on my i7-2600 4-core 3.4GHz on 7 CPUs. John
>> chose to use the AVX extension (no fancy graphic card - so no NUMA or CUDA).
>>
>> I had some information (language + max pw length) from Vanessa.
>>
>> It took a total of 77h of CPU time in incremental mode (no hit in single shot
>> and dictionary mode) to get a 7 character all lower case password with this
>> setup.
>>
>> I was able to send back an unencrypted 433 pages book.
>>
>> No, I'm not that interested - I won't do that a second time. I provided all
>> information needed to do it yourself.
>
> Thank you for posting this information, Klaus. It gives an idea of the
> complexity of the task. Can you please supply some more information: does the
> decryption process merely decrypt the target file, or does it as well
> announce the password?
>
> I'm thinking of a theoretical situation, where a User has many encrypted files
> and has forgotten the only password. Would he need to decrypt them all
> individually, or could he choose to decrypt one (small, therefore hopefully
> fast) file and recover the password? This is purely a hypothetical question -
> I've long since learned never to encrypt a file!
>
>>
>> On 06.03.2014 15:02, Klaus Muth wrote:
>>> Ok. Tried out. You need:
>>> 1. Encrypted OpenDocumentFormat File (i.e. your book)
>>> 2. John The Ripper from http://www.openwall.com/john/, I used
>>>    http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.bz2
>>> 3. A Linux System (There is a Windows binary too)
>>>
>>> - Now download john, then untar it:
>>>     tar xvfj john-1.7.9-jumbo-7.tar.bz2
>>> - compile it
>>>     cd john-1.7.9-jumbo-7/src
>>>     make clean linux-x86-64-native
>>> - test it
>>>     cd ../run
>>>     ./john --test
>>> - get password hash:
>>>     ./odf2john.py MyImportantCrypted.odt > passwd
>>> - crack password hash
>>>     ./john passwd
>>>
>>> In my example it took john 17 seconds to realize that my password was
>>> actually 123456 - which is of course the most commonly used password ever
>>> and so one of the first tested options:
>>>
>>> ./john passwd
>>> Loaded 1 password hash (ODF SHA-1 Blowfish [32/64])
>>> 123456 (MyImportantCrypted.odt)
>>> guesses: 1 time: 0:00:00:17 DONE (Thu Mar 6 14:43:10 2014) c/s: 1132
>>> trying: 123456
>>>
>>> You might need some kind of computer nerd and some fast hardware to crack
>>> your ODF password, but that might be easy to get compared to writing your
>>> book again.
>>>
>>> Using passwords on the only original of a file is generally a bad idea - you
>>> use them to secure a copy you want to send by mail or on a stick.
>>>
>>>
>>> On 06.03.2014 13:11, Vanessa Silva wrote:
>>>> Hello,
>>>>
>>>> I've written a book, took me over 200 hours, saved it with OpenOffice
>>>> Writer and made a password for it. Then I didn't use the document in a
>>>> while and now I forgot the password. Please help me, I need my book back!
>>>> Can I send you the document by e-mail? Can you erase the password?
>>>> Please, I beg you. I need it!
>>>>
>>>> I'll wait for your answer.
>>>>
>>>> Vanessa Silva
>>>>
>>>> Sent from Windows Mail
>>>>
>>>
>>> Kind regards
>>>
>>
>> Kind regards
>> --
>> Klaus Muth
>> HAGOS eG             Industriestr. 62   phone: (+49) 711 78805-7086
>> IT Programming       70565 Stuttgart    fax: (+49) 711 78805-957035
>> http://www.hagos.de  Germany            mailto:m...@hagos.de
>>
>> HAGOS Verbund deutscher Kachelofen- und Luftheizungsbauerbetriebe eG
>> Registered office: Stuttgart
>> Legal form: cooperative
>> Register court: Stuttgart GnR 77
>> Board of directors: Guido Eichel, Ralf Tigges
>> Chairman of the supervisory board: Thomas Müller
>> VAT ID no.: DE 147799748
>>
>> -------------------------------------------
>> List Conduct Guidelines: http://openoffice.apache.org/list-conduct.html
>> To unsubscribe, e-mail: users-unsubscr...@openoffice.apache.org
>> For additional commands, e-mail: users-h...@openoffice.apache.org
>>
>

Kind regards
--
Klaus Muth