Ask Your Question
3

How secure is LibreOffice when using password protect? [closed]

asked 2012-11-05 08:44:11 +0200

anonymous user

Anonymous

First off, I'm just an "average" home user, so I don't know too much - take it easy on me.

I can't find any information about password protecting calc and/or LO text documents. I'm assuming you can, but are they encrypted securely? I don't simply want the ability to set a password if they can be easily cracked. Also, I'm talking about password protecting specific documents/spreadsheets not the office suit itself - don't care to do that.

Stuff you don't need to read: My computer was recently stolen. On that computer I have almost most of my website passwords in a password protected MS Excel spreadsheet (don't worry, sensitive website passwords like banks, amazon.com, hosting, etc.. where put in the spreadsheet in a way only I would understand).

I now have purchased a new computer, but my Office 2010 will not activate. It says I have activated too many times, or some mumbo jumbo; I'm thinking about switching over to either LibreOffice or OpenOffice.

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by Alex Kemp
close date 2016-03-06 01:37:15.821802

Comments

Stop saving passwords in spreadsheets! To store passwords use 'password manager' program like Keepass: http://keepass.info/ - you set one master password and then save all other passwords. For really secure password let password manager to create a password and then you copy/paste password each time you need to open a file. --- If your PC got stolen, then CHANGE all passwords. You never know how many resources and time user has to crack a password.

froz gravatar imagefroz ( 2013-04-15 14:33:45 +0200 )edit

There is no security in saving any password in LibreOffice. It can easily be removed by editing the content.xml file.

gacb gravatar imagegacb ( 2014-06-29 16:46:37 +0200 )edit

@gacb, how do I downvote your comment? (If only I could) It seems completely and utterly wrong, so long as the person password-protected their LibreOffice document.

eRCaGuy gravatar imageeRCaGuy ( 2019-07-10 01:46:14 +0200 )edit

7 Answers

Sort by » oldest newest most voted
2

answered 2012-11-05 13:05:23 +0200

Jean-Baptiste FAURE gravatar image

updated 2013-11-10 04:55:01 +0200

oweng gravatar image

Interesting recent discussion on the users mailing list:

Subject: How to crack a PW in LO?

start here: http://listarchives.libreoffice.org/global/users/msg24803.html

Conclusion: do not lose the password if you decide to protect a document in ODF format.

edit flag offensive delete link more

Comments

"...do not lose the password if you decide to protect a document in ODF format." - You are absolutely right about this, Jean-Baptist!!! I only lost a password for an EXCEL file.... troubles!!!

ROSt52 gravatar imageROSt52 ( 2012-11-06 08:21:20 +0200 )edit
3

answered 2012-11-05 20:22:23 +0200

cloph gravatar image

updated 2013-11-10 05:02:20 +0200

oweng gravatar image

The algorithm(s) used for the OpenDocument Format are very secure.

blowfish http://en.wikipedia.org/wiki/Blowfish_(cipher) and AES http://en.wikipedia.org/wiki/AES_(cipher) (used by default since LibreOffice 3.5) are both secure. There is no known vulnerability. In other words: the only way to decrypt the document is to supply the correct password.

edit flag offensive delete link more

Comments

Links fixed. Links with brackets evidently need to be left verbatim under AskBot.

oweng gravatar imageoweng ( 2013-11-10 05:04:13 +0200 )edit
0

answered 2014-10-19 22:59:11 +0200

mfurtneyy gravatar image

updated 2014-10-19 23:02:40 +0200

serious encryption loophole:
version 4.3.0.4 on mac os x

Steps to reproduce:

  1. Create a document.
  2. Type something in 24 font or bigger.
  3. Save it in .odt format with password protection.  
  4. Close the document and quit libreOffice.  
  5. Re-open LO. The start center shows a preview thumbnail of the document that was saved as encrypted.  
  6. Panic!!!
  7. Click on this icon to be prompted for the password as expected.
    (but that wall doesn't matter cause your adversary has already seen the image of the secret file.)

this bug has now been fixed as far as I can tell using 4.3.2.2

moral of the story: using encryption is worthless if LO is saving a duplicate image somewhere else.  Be wary of any software that could have bugs that SAVE UNENCRYPTED IMAGES OF ENCRYPTED FILES because it means your data was not being quarantined properly throughout the editing process. I have not yet looked for proof of this, but there could reasonably be other temp(autosave, clipboard, etc) files holding parts of your data.

edit flag offensive delete link more
0

answered 2013-04-15 04:32:12 +0200

ROSt52 gravatar image

In the meantime I cracked the password protected EXCEL file with a small freeware application in less than 5 min, which I found in the Internet. So far I have not found yet a SW which cracks a LibO file.

I general I can say, that security is never 100%. Each password can be cracked if there is enough computing power and speed. Security is never 100 % but with 128 of 256 bit encryption one can achieve a very high security.

edit flag offensive delete link more

Comments

How did you crack the Excel file? Brute-force or some other way? If password is very simple, then brute-force is easy and has nothing to do with strong-weak protected file.

froz gravatar imagefroz ( 2013-04-16 08:31:09 +0200 )edit
0

answered 2013-04-16 12:00:28 +0200

ROSt52 gravatar image

@froz - this is the tool I used (99%)

Free Word / Excel Password Recovery Wizard 2.1.11

Free Word / Excel Password Recovery Wizard offers the same functionality and performance as expensive commercial Word password / Excel password software, but is a completely free ! Make sure that you are using the latest version of this software.

All updates are available from: http://www.freewordexcelpassword.com

Free Password Recovery Software Copyright @ 2003-2012

edit flag offensive delete link more

Comments

sorry for the strange format - I just copied and pasted.

ROSt52 gravatar imageROSt52 ( 2013-04-16 12:01:09 +0200 )edit

On web page: "It works by trying words from a large dictionary (included with the download) against the file..." This is classical brute force attack: http://www.computerhope.com/jargon/b/brutforc.htm There is no software safe against brute force attack, not even LibreOffice. The only somehow good protection is using long and complex passwords that are not in dictionary of most used passwords and need to be tested one after another - this can take several days, weeks, months to get them cracked.

froz gravatar imagefroz ( 2013-04-17 07:57:24 +0200 )edit

(continue) So there is only the resources (and time witch is also a resource) and a will that is needed to crack a password. Some government agencies have a lot of computer power, so protecting against them is almost impossible. As referred by @cloph in this thread, LibreOffice is using strong algorithm. This means that the only real crack of password is brute force attack. On the other hand if there is weak algorithm used for encrypt data, there can be significantly less password try and match

froz gravatar imagefroz ( 2013-04-17 08:14:37 +0200 )edit

(continue) then using brute force attack. Any algorithm to decrypt data that can get to the correct password in less then brute force attack is by cryptology standards taken as broken = weak algorithm. Conclusion: LibreOffice is using strong algorithm, so the only known way to brake a password is using brute force attack. The safety of password protection algorithm is entirely dependent on using strong passwords and of course protecting the file not to get into the hands of non-authorized person

froz gravatar imagefroz ( 2013-04-17 08:21:01 +0200 )edit

(continue) I suggest to use some password manager programs like Keepass: http://keepass.info/ or PasswordSafe (Windows only): http://passwordsafe.sourceforge.net/ to generate safe passwords and then copy/paste password into LibreOffice program to encrypt/decrypt. It all depends how protected the file should be. But there can be several other weaknesses in the system that lets access to the file to non-authorized person - this is not in the scope of LibreOffice protection: firewall, antivirus...

froz gravatar imagefroz ( 2013-04-17 08:28:42 +0200 )edit

Also, it's not a good idea to link to sites that recommend non-free software such as that.

Uglyface200 gravatar imageUglyface200 ( 2013-04-30 16:41:26 +0200 )edit
0

answered 2014-11-10 23:58:03 +0200

Lupp gravatar image

updated 2014-11-11 00:15:15 +0200

To be sure (a warning):

As I understand it the question is also concerning the password protection offered by Calc for every single sheet and for the document internally. This protection is completely independent of the protection offered by the Save Dialogues - and completely different, too.

While saving with a password provides a rather secure encryption the internal protection does not provide even a low level of encryption. It is only of use as far as protection against inadvertent changes and against openly showing formulae e.g. is sufficient. I don't understand any details of the files contained in an .ods container. Nonetheless I just again was successful with cutting out the prorection of one sheet (of 2) and of the document from an example .ods in less than 5 minutes. The example was made with the most recent version V 4.3.3. of Calc.

The only rudiment of actual protection: The internal passwords used are encrypted.

edit flag offensive delete link more
0

answered 2012-11-05 15:07:07 +0200

ROSt52 gravatar image

I initiated the thread "How to crack a PW in LO?# mentioned in the answer of Jean-Baptiste Faure. However I am not yet sure how secured LibO files are. It seems to me that there is no encryption, thus brute force attack can be successful if there is enough time to attack the password.

I am using RightNote from http://www.bauerapps.com/RightNote.html It has a 128-bit encryption and 2 passwords. 128-bit is, as far as I know, currently the industry standard. I added a Calc file into a RightNote file. Works fine and is fast.

Another alternative is an information containing file in a winzip archive with an 256 bit encryption. However, as far as I remember each opening of the winzip archive creates an unprotected copy of the information containing files in the Temp folder.

edit flag offensive delete link more

Comments

2

Re: "there is no encryption," encryption of docs is only as strong as the provided password. If we use AES-256 internally but use 'dog' as the password, we can brute-force the pass trivially. If we use DogsE@tTh1ngsOnTh3Ground as the password, it will be nigh impossible to brute-force it.

qubit gravatar imagequbit ( 2013-01-23 09:19:15 +0200 )edit

Question Tools

1 follower

Stats

Asked: 2012-11-05 08:44:11 +0200

Seen: 58,346 times

Last updated: Nov 11 '14