Solved

StarOffice Password protected file Help!

Posted on 2009-07-07
2
384 Views
Last Modified: 2012-05-07
I have a close family friend who's husband has just passed away, Ive been helping her gain access to her husbands laptop ect, he was the accountant for the family business, He used Star office version 8, the problem we have is many of his files are password protected.

I have 2 questions

1) How many attempts can the wife have to try and guess the password before she's locked out of the file?
2) Is there any way to hack/bypass these passwords? (3rd party software, a company ect ect)

I would really appreciate your help as the family's bank manager is visiting on Wednesday to go over the health of the business and many of these important financial files are locked.

Thanks in advance

Darren
0
Comment
Question by:D_Mclean
2 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 24793443
Ok, from the top.

you can try guessing as many times as you like - there is no magic lockout; but there is also no halfway result, either a guess is correct, or it doesn't work (so if you try I_love_cookies but the password was I_Love_Cookies you won't get in)

there is a commercial crack tool, but it isn't instantaneous - in fact, it can take days or weeks to run.
http://www.intelore.com/openoffice-password-recovery.php

There is also a free tool here:
http://sourceforge.net/projects/ooomacros/files/

which is purely a dictionary tool - you have to give it a list of possible passwords, but it is much faster than trying each one in turn by hand.

staroffice files are very secure indeed. At the base, they are zipfiles - so you can open them using any zip file tool (http://www.7-zip.org/ being my usual choice)

inside, you will find a manifest (xml file in a subdir called META-INF) which you can edit with notepad. this gives details of what is stored where inside the zipfile, and if it is encrypted, what the checksum of the password is.

here is a typical entry:

 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" manifest:size="2939">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="vsANgJ9HW/9Z0tfHwvzX1HOROGs=">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="yOxT+y66yJg="/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:iteration-count="1024" manifest:salt="qdlQxndpRh0cANpXCVhjXw=="/>

note this specifies that the encryption is blowfish (only supported algo), and the hash is SHA1 (only supported hash). Blowfish is uncrackable. no, really, there isn't a hope of breaking it unless you can guess the password.

the hash is the clue - it will let you test if you got a guess right or wrong, without having to try each password in turn in the package. This is how the crackers work - they try every possible password (either from a list you supply, or by starting at aaaaa and working their way towards z) and test the answer against the hash. if the hash says they got it right, they can then try decrypting the actual document.

however, this is called a brute force attack - trying many passwords until you find one that works - and it can take a fairly long time to do, even on a modern computer.
0
 

Author Comment

by:D_Mclean
ID: 24793828
Thats excellent info Dave exactly what I need, ive certainly got enough to be going on with that lot.

Thanks very much

Darren
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question