Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Passwords are not for Security - Official 1

Status
Not open for further replies.
ChrisHunt

ChrisHunt

Programmer
Jul 12, 2002
4,056
GB
According to Gatesy's people "Word's password protection is useful for collaborating with colleagues, it is not a security feature and should not be relied upon as such." (my emphasis)

Full story at .

I've only got Word 97, but thought I'd investigate...
[ul][li]Open the help file and go to the Index[/li]

[li]Type in "passwords"[/li]

[li]One of the topics offered is called "purpose", click on it[/li]

[li]The following text appears:

Security features in Word

Word provides several security and protection features. You can do any of the following:
[ul]
[li] Protect" a document to restrict the types of changes users can make to it. (For example, protect an online form so users can fill in only the designated areas.) For extra security, you can assign a password to prevent unauthorized users from "unprotecting" the document. For more information, click >>[/li]

[li]Assign a password to limit access to a document. (For example, require a password so only authorized users can open or modify and save the document.) You can also recommend that others open the document as read-only. For more information, click >>[/li]

[li]Check for macros that might contain viruses whenever you open a document. For more information, click >>[/li]
[/ul]
Note For more information about other Word features that may affect document security, click >>[/li]
[/ul]However could we think it was a security feature? :)

-- Chris Hunt
 
Come on,

Do you really have nothing better to do than pick quotes from MS regarding security in Word docs. There are various levels of security, and MS Word offers a very limited one to prevent your collegue from editing text in it whilst proof reading it, or to stop fellow students at school from copying work if you are using a shared username or network drive.

If you want to start quoting bits from the article then what about this one:

"If you are looking for secure encryption you should not be using this feature. We have lots of customers out there using password protection, but the reason they are doing that is to stop general users changing the text or whatever--and it works perfectly well for that"

'General Users'. General Users don't know how to by pass the password, but I do, just like I don't know how to by-pass security on PGP, yet I'm sure someone out there can.

The Finance manager isn't happy with me having access to all files on the network, so he has password protected his files. This kept him happy. I know that I can get past it if I want to, but the feature works well enough for him.
(Tragically 3 weeks later he forgot the password and I had to run a cracker on it...!)

Get it into context and stop slagging MS off at every avaliable opportunity.
 
What evidence do you have that I "slag MS off at every avaliable opportunity"? They make some great products, but (like all of us) they're not perfect. I choose this particular opportunity to tease them a little because the story tickles me.

What I really like is the 1984-like way that they say "passwords are not a security feature" as if that's what they've been saying all along. Look in the documentation that they produced for the product in question and you get passwords -> purpose -> security feature. Nothing in there about using a proper encryption program if you want true security.

How many microserfs does it take to change a lightbulb? They don't, they redefine darkness as the standard!

-- Chris Hunt
 
[joke]Thats twice now!!![/joke] ;-)

With a company that has been operating more years that I have lived on this planet, I can see that what they say now probably won't apply to the older software. (And 7 years is a long time in IT as I am sure you are aware!)

I looked at Office Word 2003 just now and it doesn't mention anything about a password being secure.

Like I said, its context - if your coca-cola trying to protect your trade secrets your not going to use Word, but if your Ms. Canham in Wells-Next-The-Sea (UK) saving word copies of your bank statment then fine!!!

Personally I think the real reason MS are playing this down is because they are trying to push IRM with Win2003 Server & Office 2003.

And lets be honest, if your too stupid to realise that Word won't give you PGP / Adobe level encryption then you probably don't need it for what your doing anyway!

Steve.
 
Do you really have nothing better to do than pick quotes from MS regarding security in Word docs.

Thank you Steve for saying what needed to be said.
 
I wasn't going to comment on this thread but since it was reopened 1 week later for nothing else than a useless comment and a dig at Chris, I decided to add my say.

A search in the Word 2000 help files (Newer than 97, but I realise still a few years ago) for "security" returns "Keep your word documents secure" and "Protect a document from unauthorized changes" which both then lead you to instructions about applying a password.

A direct quote from the help files:

When you create a password, write it down and keep it in a secure place. If you lose the password, you cannot open or gain access to the password-protected document.

As there is no mention that this method is even slighly insecure, and the help files seem to convey the idea that they are secure, how do you expect a user to know not to use it in certain circumstances?

Surely the help files for the product should tell you that they are not secure?

Oh wait, I'm having a go at MS now. What you have to realise was that if I made this product and added a security feature with no mention of it's weaknesses, I would expect the same response when I later deny that it was added for security and the users were actually using it for an incorrect purpose.

How about you guys stop sticking up for MS and realise that they are to blame for their own mistakes? If they want to play it down, let them, don't everyone else start backing them up when they are in the wrong.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
Fair Points.

Apart from two new versions since then.

The 2003 version doesn't mention this. I'm sure I could find equal examples in other non-MS products that say they security on a document, and then 3 years later once discovered a major flaw they say its not secure - but you can use a Rights management software to secure it. I'm not sticking up for MS - I think its slightly more than logical to say that 3 year old software isn't secure - one of the many reaons for updates.

Seems strange that MS also launched their IRM software licencing at around the same time though...!

 
Steve,

The point I was trying to make was that MS have not said that due to the security flaw they have now realised that it is not as secure as they thought, they have said people who have been using it for the original intended purpose were using it incorrectly.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
I understand that, its a fair point - the problem is that back when 97/2000 were in use, it can be used as a security feature, as you had to get special software to crack it - the same as my Win2000 AD Network. AD is amungst other things, security. But if I use CaIN on the network it will crack most users password.

Microsoft have said that now, after they have been informed of a way to see the password without additional software, it can no longer be seen as a security feature, but is stil useable for general, low-level, protection.

I can't see anyone of us in this thread changing our opinions, but I suppose its how you interpret it!

Thanks,

Steve.
 
I think the part of the discussion that's being completely overlooked is how secure the process ever was.

If Steve is correct, and in 1997 Microsoft put out what it thought was a working security feature, then I more or less agree. However, if they put on a cruddy little patch which was easily circumventable and called in security, then there's a problem.

Then, there's the other thing, forget the help documents, if I'm putting a password on something, I'm securing it... if in fact, this password is not securing said item, I should be alerted right then and there, I should not have to go to help documents to find out my vendor uses a crappy protection scheme.

-Rob
 
Status
Not open for further replies.

Similar threads

Pro50
  • Locked
  • Question
IT Management for financial services companies 6
Replies
6
Views
232
SamBones
SamBones
PeterMAS
  • Locked
  • Question
Would U.S. tech. staff accept low salaries for an adventure in an exotic locale?
Replies
2
Views
230
PeterMAS
PeterMAS
austkain
  • Locked
  • Question
Options for moving forward from my current helpdesk job 1
Replies
8
Views
86
tcsbiz
tcsbiz
Albion
  • Locked
  • Question
Software update or not?
Replies
3
Views
97
kmcferrin
kmcferrin
Mountainbear
  • Locked
  • Question
What are the best ways to get job leads?
Replies
4
Views
91
mmorancbt
mmorancbt

Part and Inventory Search

Sponsor

Back
Top