|Subject:||Re: [office] Passwords|
|From:||Patrick Durusau (patr...@durusau.net)|
|Date:||Nov 28, 2006 11:07:54 am|
Daniel Carrera wrote:
> On Tue, 2006-28-11 at 16:42 +0100, Michael Brauer - Sun Germany - ham02 - Hamburg wrote:
>> Actually, the "passwords" we are talking about do not belong to a security feature like digital signatures or encryption, but are only passwords that an office application user interface may request before a user may remove the write protection of a text section or table.
> For this purpose any hash will do fine since an attacker could always just edit the XML to not require a password, correct?
>> The hash values we are talking about are only used to encode the password itself.
> Am I right to understand that any user could just edit the XML and remove the password protection? If that is the case, then any hash will be only marginally better than plain text.

If the file associations are not editable by the user, limiting opening of the file to the use of an ODF-compliant application, and they are denied access to a DOS command window (with edit or something similar), it can be made relatively secure.
True, if the file were to be shared outside of such an environment, one would have to rely upon encryption of the entire file for protection.
But it is important to not confuse the standard office OS setup, which is terribly insecure, with the use of ODF in more security-minded establishments. If you reboot a computer with one popular OS using another certain OS on CD, I have heard tell you can edit the passwords into the OS itself. Strictly rumor, mind you! Physical security is a first step that doesn't get discussed much.
Hope you are having a great day!
--
Patrick Durusau
Patr...@Durusau.net
Chair, V1 - Text Processing: Office and Publishing Systems Interface
Co-Editor, ISO 13250, Topic Maps -- Reference Model
Member, Text Encoding Initiative Board of Directors, 2003-2005
Topic Maps: Human, not artificial, intelligence at work!
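
As an added illustration of the point made in this message (not code from the thread or from any ODF implementation): a check that lists the sections whose write protection exists only as markup in a readable content.xml, and reports when the package is encrypted instead. It assumes the ODF attribute names text:protected and text:protection-key and the manifest:encryption-data manifest element; the sample package, the helper names and the key value are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
MANIFEST = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"

def audit_odf(package: bytes) -> dict:
    """Report write-protected sections and whether content.xml is encrypted."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        manifest = ET.fromstring(zf.read("META-INF/manifest.xml"))
        encrypted = any(
            entry.get(f"{{{MANIFEST}}}full-path") == "content.xml"
            and entry.find(f"{{{MANIFEST}}}encryption-data") is not None
            for entry in manifest.iter(f"{{{MANIFEST}}}file-entry")
        )
        if encrypted:
            # Ciphertext: the markup is not readable or editable without the key.
            return {"encrypted": True, "advisory_only": []}
        content = ET.fromstring(zf.read("content.xml"))
    # Plaintext package: the protection attributes are ordinary markup and
    # bind only applications that choose to honour them.
    advisory = [
        {"section": s.get(f"{{{TEXT}}}name"),
         "has_key": s.get(f"{{{TEXT}}}protection-key") is not None}
        for s in content.iter(f"{{{TEXT}}}section")
        if s.get(f"{{{TEXT}}}protected") == "true"
    ]
    return {"encrypted": False, "advisory_only": advisory}

def build_sample(encrypted: bool) -> bytes:
    """Constructed, simplified sample package (not a complete ODF file)."""
    enc = "<m:encryption-data/>" if encrypted else ""
    manifest = (f'<m:manifest xmlns:m="{MANIFEST}"><m:file-entry '
                f'm:full-path="content.xml" m:media-type="text/xml">{enc}'
                f'</m:file-entry></m:manifest>')
    content = (f'<o:document-content xmlns:o="{OFFICE}" xmlns:t="{TEXT}">'
               f'<t:section t:name="Terms" t:protected="true" '
               f't:protection-key="CONSTRUCTED-HASH"><t:p>Fixed text</t:p>'
               f'</t:section><t:section t:name="Notes"><t:p>Free</t:p>'
               f'</t:section></o:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", b"\x00ciphertext" if encrypted else content)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_odf(build_sample(False)), audit_odf(build_sample(True)))
```

Any section reported under `advisory_only` is protected by the application's user interface alone, whatever hash the key uses; a document that needs protection outside a controlled environment should show `encrypted: True`.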