State of password support.

Hello mailing list users.
I am currently an OOo user. I have been hearing about LO for a while, but so far I never
got truly disappointed by it, so I resisted change.
However, I recently had a problem with OOo password protection. Somehow it
disabled password protection for a file I was working on and it took me a
while to restore it. Asking for help on OOo forum, I have been informed
password protection is somehow considered "unnecessary" by... I don't know
who to be honest.
The important point is that I have been informed of various issues OOo
seems to have with password protection. The forum administrator strongly
suggested that I not use it, and even pointed out a few previous cases in
which password protection caused data loss (!!!).
I think *this is unacceptable* so I started looking more seriously at LO.
Digging through the mailing list archives, I noticed there are quite a few messages
regarding password protection. It seems most problems were between keyboard
and chair, the only exception being perhaps an inter-operability problem
after switching to AES-256.

In your experience, how is LO with password protection?

Thank you,
Massimo

Hi :slight_smile:
Hopefully there was just a misunderstanding somewhere there! Password
protection can be useful but only really when used in combination with
other security measures.

There were some problems early on, around 3.3.x maybe up to 3.4.x but
I haven't heard of any problems for years now. Personally I avoid
password protecting files and just keep such files well out of reach
of anyone that wouldn't be authorised to see them. Emails and
usb-sticks make that tricky though!

Early on I noticed that MS Office password-protected files could
easily be opened in LibreOffice. In fact I didn't even realise my
company's finance files were individually password protected until
after I had opened them and the finance director saw I had the file
open and went ashen-faced. I've been told it happens the other way
around too, that LibreOffice or OpenOffice files that are password
protected can be easily opened in MS Office but I've never tried it
out.

Password protection is good to prevent casual accidental intrusion
from polite colleagues but it's not reliable enough on its own.
Given enough time any password can be cracked. So, password
protection is best when used in combination with other security
measures, such as [shudders] encryption, or just keeping the files out
of reach (if that is at all possible these days).

All security is often at the expense of productivity and security
measures tend to restrict valid personnel from legitimate work rather
than slowing down hackers/crackers. So, take care!

Regards from
Tom :slight_smile:

I think I need to better define context.

There's no need to consider inter-operability. I have used open
document format only for years and convert on requirement. Of course this operation
is considered with care.
People interested in choosing a password might have to check
arstechnica.com as they have plenty of information.
I am not asking about the strength of encryption either: the data I'm
currently mangling is more important than others but not so much I need to
make it NSA-proof. BTW, I can tell from experience AES-256 is going to be
enough in many cases. In my case, everything preventing accidental opening
is sufficient, including a ROT4.

So, to state my concerns more clearly,
In your experience, how stable and trustworthy are password-protected LO
files?

Massimo

Hi :slight_smile:
Thought a few people might be interested in these links
http://en.wikipedia.org/wiki/John_the_Ripper

http://xkcd.com/936/

http://www.zdnet.com/blog/security/25-most-used-passwords-revealed-is-yours-one-of-them/12427

So a hugely significant number of people still think that "password"
is an awesomely clever password. How often do you overhear someone on
a phone or a train trying to tell someone what the password is
discreetly so that other passengers don't hear it, only to hear them
have to then repeat the password louder and louder and maybe even have
to spell it out letter-by-letter. Weirdly more complex passwords
never seem to need repeating.

Regards from
Tom :slight_smile:

    However, I recently had a problem with OOo password protection. Somehow it
    disabled password protection for a file I was working on and it took me a
    while to restore it. Asking for help on OOo forum, I have been informed
    password protection is somehow considered "unnecessary" by... I don't know
    who to be honest.

You mean recently? As in the latest version of LO has a problem with passwords?

    The forum administrator strongly
    suggested that I not use it, and even pointed out a few previous cases in
    which password protection caused data loss (!!!).

Which forum, do you have a link to the post?

    I think *this is unacceptable* so I started looking more seriously at LO.
    Digging through the mailing list archives, I noticed there are quite a few messages
    regarding password protection. It seems most problems were between keyboard
    and chair, the only exception being perhaps an inter-operability problem
    after switching to AES-256.

    In your experience, how is LO with password protection?

Massimo, you seem to be more informed of this than I, but, I am only aware of one (what I consider) real bug that existed with LO and passwords. At one point, I was no longer able to open a password protected file. Specifically, one version of LO was not able to open a password protected file. I am pretty sure it was LO and not AOO anyway.

I believe that I have seen things such as:

1. I forgot my password, how do I open my document
2. I am not able to open a password protected document created by MS Office
3. Problems signing a document

I don't ever remember anyone saying that password protection should be dropped. Does not mean that it has not been said. I have seen people pushing to drop the ability to write non-ODF format, but I don't remember anyone advocating no support for passwords.

I have also seen reports of another bug that sometimes causes total data loss of a file, but, since it is not reproducible in any sort of meaningful way, the bug has not been researched.

I don't know if this is relevant to Massimo's case but it might be:
I had a problem a while back with Fedora 15 (and I don't remember which
version of OO or LO): I would discover that I could open a
password-protected spreadsheet without being prompted for the password.
It turned out that it had something to do with Fed 15 shutting down w/o
prompting to save an open and changed spreadsheet. When restarted, the
spreadsheet would open without password protection. The workaround
seemed to be to do a 'save as' at that point and check 'save with
password'.

More recently this hasn't seemed to be a problem, but I think it has
happened once or twice, though I didn't bother to try to figure out why.

    You mean recently? As in the latest version of LO has a problem with
    passwords?

No, I am referring to OOo. I am considering switching to LO because of
this problem and I'm trying to figure out if this problem is considered
more important by LO developers.

    Which forum, do you have a link to the post?

This was in the OOo forum,
https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=65690.
I'm not well aware how the forum admins interact with the OOo developer
base, it looks to me they don't. I'd say this is another problem in itself
but luckily, I'm not really interested in that one.

    Massimo, you seem to be more informed of this than I, but, I am only aware
    of one (what I consider) real bug that existed with LO and passwords. At
    one point, I was no longer able to open a password protected file.
    Specifically, one version of LO was not able to open a password protected
    file. I am pretty sure it was LO and not AOO anyway.

    [...omissis...]

Thank you very much Andrew, this is very informative. I'm currently
inclined to switch to LO.

Massimo

Yes Eric, those problems are surely related as crashes are involved in my
case as well (and I "fixed" it in the same way).
The implication is that temporary saves are not encrypted. Given the modest
size of **usual** files this could probably be done with little performance
loss but after all, this behavior is acceptable in my opinion. Should a
user need more protection, (s)he should likely consider full file-system
crypto.

Massimo
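
A way to check for the symptom discussed above (a document saved with a password that reopens without one), as an added example that is not part of the original thread: an ODF package records per-file encryption in `META-INF/manifest.xml`, so a script can confirm whether the file on disk is actually encrypted. The sample packages below are constructed stand-ins, not real documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF manifest namespace (from the OpenDocument package specification).
NS = "{urn:oasis:names:tc:opendocument:xmlns:manifest:1.0}"

def odf_encryption_report(data: bytes) -> dict:
    """Map each file in the package manifest to its algorithm name, or None if stored in clear."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("META-INF/manifest.xml"))
    report = {}
    for entry in root.iter(NS + "file-entry"):
        path = entry.get(NS + "full-path", "")
        if path.endswith("/"):  # "/" and sub-directories are not encrypted streams
            continue
        enc = entry.find(NS + "encryption-data")
        algo = enc.find(NS + "algorithm") if enc is not None else None
        if enc is None:
            report[path] = None
        else:
            report[path] = algo.get(NS + "algorithm-name") if algo is not None else "unknown"
    return report

def is_password_protected(data: bytes) -> bool:
    """True only if content.xml is listed with encryption-data."""
    return odf_encryption_report(data).get("content.xml") is not None

def sample_package(encrypted: bool) -> bytes:
    """Constructed stand-in for an .ods file: only the manifest is realistic."""
    enc = ('<manifest:encryption-data><manifest:algorithm manifest:algorithm-name='
           '"http://www.w3.org/2001/04/xmlenc#aes256-cbc"/></manifest:encryption-data>'
           if encrypted else "")
    manifest = ('<manifest:manifest xmlns:manifest='
                '"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
                '<manifest:file-entry manifest:full-path="/" manifest:media-type='
                '"application/vnd.oasis.opendocument.spreadsheet"/>'
                '<manifest:file-entry manifest:full-path="content.xml" '
                'manifest:media-type="text/xml">' + enc + '</manifest:file-entry>'
                '</manifest:manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("saved with password", True), ("recovered copy", False)):
        print(label, odf_encryption_report(sample_package(flag)))
```

To check a real document after a crash recovery, pass the bytes of the saved file, for example `is_password_protected(open(path, "rb").read())`, and re-save with a password if it returns `False`.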

Thanks for the link....

2013/12/18 Andrew Douglas Pitonyak <andrew@pitonyak.org>

    You mean recently? As in the latest version of LO has a problem
    with passwords?

No, I am referring to OOo. I am considering switching to LO because of this problem and I'm trying to figure out if this problem is considered more important by LO developers.

Oh, I had not considered that you were using OOo.

As a side note, I had never considered that any of them did not take passwords seriously.

I don't take any of the volunteer responses as not taking it seriously, just super technical (almost to the point of silly when it is mentioned that while displayed, it is not encrypted in memory .... or something like that).

2013/12/18 Andrew Douglas Pitonyak <andrew@pitonyak.org>

    Which forum, do you have a link to the post?

This was in the OOo forum, https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=65690.
I'm not well aware how the forum admins interact with the OOo developer base, it looks to me they don't. I'd say this is another problem in itself but luckily, I'm not really interested in that one.

You will notice that the "forum admins" are all listed as "Volunteer". None of the people in question likely have any official association with OpenOffice. To my knowledge, they are simply people that help by answering questions and they may have some level of moderator capability. In my mind, an Admin has the ability to help with certain "user issues" or in literally maintaining the system.

    Massimo, you seem to be more informed of this than I, but, I am
    only aware of one (what I consider) real bug that existed with LO
    and passwords. At one point, I was no longer able to open a
    password protected file. Specifically, one version of LO was not
    able to open a password protected file. I am pretty sure it was
    LO and not AOO anyway.

    [...omissis...]

Thank you very much Andrew, this is very informative. I'm currently inclined to switch to LO.

I only remember one glitch with respect to passwords, and that was just related to an inability to open anything with a password. They fixed that pretty quickly.

There is some issue related to crashing it seems, but, that is really tough to diagnose and fix. It might even be related to something very difficult to fix even if you do know the problem (like a saved temporary file is stored without encryption). Oh, I see that MaxDZ8 states this.

I think that the real way to obtain a fix for this is to create a test case that is reproducible. Something like manually killing OOo while it is running. You will need to do this with a recent copy of LO or AOO rather than with OOo for the bug report to be of any use. It is that reproducible thing that is really tough. If you cannot reproduce it, you are not likely to be able to fix it unless you are very lucky.