Author: Bruce Byfield
OOo Password Cracker is a macro for opening protected documents in any OpenOffice.org application. Using a brute force dictionary attack, it provides a slow but reliable method of document recovery. However, the macro requires some preparation if you want to use it effectively.
To start with, before you can use the spreadsheet that contains the OOo Password Cracker macro to open a password-protected file, you need to set up a directory that contains at least one dictionary. The dictionary is a plain text file, with one possible password per line. The macro does not recognize commented lines, but you can use them to annotate the dictionary anyway. Although OOo Password Cracker will read them as possible passwords, they will not significantly slow down the macro and may be convenient for you.
Once you have a dictionary set up, you can open the spreadsheet that contains the macro. Naturally enough, when opening the spreadsheet, you need to enable macros. If you are using the default OpenOffice.org security setting of Medium, you have the option of enabling macros as the spreadsheet opens. If security is set higher, you first have to go to Tools -> Options -> OpenOffice.org -> Macro Security and either relax security to Medium or else add the spreadsheet’s directory to the list of trusted sources.
The spreadsheet consists of three sheets: one contains the text of the GNU General Public License, one is the cracker itself, and one provides a basic set of instructions. To use the cracker, enter the full path to the file you want to open and the path to the dictionary directory. File path abbreviations are not accepted, and neither are regular expressions.
When you have entered the paths, select Tools -> Macros -> Run Macros. In the library pane of the Macro selector window, select OOoPasswordCracker1-0 -> Standard -> Module 1, then select main from the Macro name pane and click the Run button. The Macro selector window stays open until the macro is finished running, which may take anywhere from a few seconds to hours, depending on the size and number of your dictionaries. The macro’s success, of course, depends on whether the dictionary files contain the file’s password, so you always have the possibility that the effort will fail.
At the end of the process, a dialog window tells you if the macro has succeeded or failed. If it succeeds, the dialog lists the password and the cracked file opens. You can also read the password, along with the dictionary where it was found, on the second sheet of the spreadsheet. (The sheet is also supposed to list the time taken to crack the password, but displays only hash marks instead. In most cases, though, that is probably a small matter, since if you are desperate enough to need a password cracker, chances are that you are more interested in results than side issues like the time taken to get them.)
Setting up dictionaries
So far, so simple. However, the usefulness of OOo Password Cracker depends largely on how well you set up your dictionary files. The macro comes zipped with a sample dictionary file, but since it contains only variations on the word “password,” you will need other dictionaries for the macro to function.
If, like many people, you use a limited number of passwords, then you can quickly write a custom dictionary file with all your favorites and their variations. Then your main concern will be to safeguard the dictionary file, since it is an unencrypted text file and therefore easily readable by anyone. At the very least, you should change its permissions so that the file can only be read from your current account. Probably, though, you should consider encrypting the dictionary when you are not using it. Otherwise, the whole point of using a password on OpenOffice.org documents disappears, especially if they are stored in your own directory.
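One way to apply the permission change described above to a whole dictionary directory, as an added example that is not part of OOo Password Cracker or the original article. It assumes a Unix-like system with POSIX permission bits; the function name `lock_down` is hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Every permission bit that belongs to group or others.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def lock_down(dictionary_dir):
    """Strip group/other access from a dictionary directory and its files.

    Returns the paths whose mode was changed, so you can see which
    wordlists were readable from other accounts before the fix.
    """
    root = Path(dictionary_dir)
    changed = []
    for path in [root, *sorted(root.rglob("*"))]:
        if path.is_symlink():
            continue  # do not chmod whatever a link points at
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & GROUP_OTHER:
            # Keep the owner's bits, drop everyone else's (0644 -> 0600).
            os.chmod(path, mode & ~GROUP_OTHER)
            changed.append(str(path))
    return changed


if __name__ == "__main__":
    # Constructed sample directory standing in for a real dictionary directory.
    demo = Path(tempfile.mkdtemp())
    personal = demo / "personal.txt"
    personal.write_text("constructed-entry\n")
    os.chmod(demo, 0o755)
    os.chmod(personal, 0o644)
    for fixed in lock_down(demo):
        print("tightened", fixed)
```

This covers only the permissions step; encrypting the dictionary while it is not in use is a separate measure.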
If you need to crack more difficult passwords, you can search the Web for dictionary files made expressly for that purpose. The Instructions sheet of OOo Password Cracker itself mentions the OpenWall Project as a place to begin your search. Besides various links to utilities related to security and to password protection and checking, OpenWall offers a comprehensive set of word lists in more than 20 languages, available as a free download from one of the site’s FTP mirrors, and a commercial version that includes variations on words for a donation of $28.
Another useful set of wordlists is available from Outpost9. These lists include what is described as a “large word dictionary” with variations that include files with the words reversed, or with the first letters of each word, or the entire word, in upper case. Other wordlists on the site include first names, surnames, actors’ names, and words from the Jargon File.
Other sources for wordlists include dictionaries for spellcheckers such as Ispell or lists for games like Boggle or Scrabble. Many of these lists are formatted one entry per line, and are ready for use by OOo Password Cracker as soon as you add them to the dictionary directory. Others may require reformatting through a script or macro. Each one you add will enhance the macro’s possibility of success, at the cost of potentially large increases in the time it takes to find a match. These dictionaries may also be added for use by OpenOffice.org via Tools -> Options -> Language settings -> Writing aids, or possibly by other programs.
The limits of password protection
OOo Password Cracker is not the only way to open password-protected files. Recently, Intelore announced OpenOffice Password Recovery, a $79 proprietary Windows tool that also promises to remove password and read-only protection for sections, cells, and other parts of OpenOffice.org documents. Since OpenOffice.org documents are really collections of XML files in a zipped archive, you can also use tools such as John the Ripper that can crack zip files. However, OOo Password Cracker has the advantage of simplicity and, for OpenOffice.org users, of a familiar interface as well. For many, these features will make the time it takes to set up the dictionaries a fair exchange.
These programs serve the useful purpose of reminding users just how vulnerable OpenOffice.org passwords actually are. Many users, hearing that OpenOffice.org’s encryption is superior to Microsoft Office’s, assume that password-protecting their documents is enough. However, you do not have to venture far into the world of password crackers to realize that, as used by most people, OpenOffice.org’s passwords are protection only against unsophisticated users. If you are really concerned about safeguarding your documents, learn how to choose a relatively secure password. Better yet, learn how to digitally sign your documents and don’t rely on passwords alone. As OOo Password Cracker shows, typical passwords aren’t nearly enough.
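A way to test a password you are considering against your own dictionary directory before relying on it, as an added example that is not part of OOo Password Cracker or the original article. It reads the files as the article describes (one entry per line, comment lines included) and also tries the reversed, capitalized and upper-case forms mentioned for the Outpost9 lists; the function names and sample words are constructed for illustration.

```python
import tempfile
from pathlib import Path


def variants(word):
    """The simple forms wordlists commonly ship: as-is, reversed,
    first letter upper case, and all upper case."""
    return {word, word[::-1], word.capitalize(), word.upper()}


def load_dictionaries(dictionary_dir):
    """Map each line of every file in the directory to the file it came from.

    Comment lines are kept as entries, since the macro is described as
    treating every line as a possible password.
    """
    entries = {}
    for path in sorted(Path(dictionary_dir).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line in text.splitlines():
            if line:
                entries.setdefault(line, path.name)
    return entries


def find_exposure(password, entries):
    """Return (dictionary, entry) if the password is a listed word or one of
    its simple variants, otherwise None."""
    for entry, source in entries.items():
        if password in variants(entry):
            return source, entry
    return None


if __name__ == "__main__":
    # Constructed sample directory; point this at your real wordlists instead.
    sample = Path(tempfile.mkdtemp())
    (sample / "common.txt").write_text("# constructed list\nsunshine\ndragon\n")
    entries = load_dictionaries(sample)
    for candidate in ("Sunshine", "nogard", "kV7#tuli-Roof-94"):
        print(candidate, "->", find_exposure(candidate, entries))
```

A result of None means only that the password is absent from the lists you loaded, not that it is strong.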
Bruce Byfield is a computer journalist who writes regularly for NewsForge, Linux.com, and IT Manager’s Journal.