Bug 43452 - Long Password fails for file saving LibreOffice CALC file
Summary: Long Password fails for file saving LibreOffice CALC file
Status: RESOLVED WORKSFORME
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
3.4.2 release
Hardware: x86 (IA32) All
: medium major
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
: 43451 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-12-01 21:01 UTC by C. Andrews Lavarre
Modified: 2016-04-17 10:29 UTC (History)
3 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description C. Andrews Lavarre 2011-12-01 21:01:12 UTC
LibreOffice 3.4.2 
OOO340m1 (Build:1206)
OpenSuSE 11.4 KDE 4.6

Sorry, something sent this incomplete before...

I try to save a CALC file as something with the SAVE WITH PASSWORD option clicked. I used a strong password:

Abbcd@Efghi!Klmn

(16 characters, alphanumeric and symbol mixed)

I enter it twice and it saves successfully, but then on reopening the file it claims I do not have the correct password.

However, if I use a shorter password:

Abcdefg@Hijlm

(13 characters) 

It works.

So there seems to be some limit on the length of the allowable password...

Please keep me informed on any progress,

alavarre@gmail.com

Cheers, Andy Lavarre
Comment 1 C. Andrews Lavarre 2011-12-01 21:30:05 UTC
OK, I have experimented further.

If I use a 15-character password to save the file it works.

If I use a 16-character password to save the file it also works, insofar as it allows saving.

But when I try to open the 16-character password file with the 16-character password it fails.

HOWEVER, if I only insert the first 15 characters of the password then the file opens correctly.

So there is a bug in the password parsing: If you offer more than 15 characters it apparently wraps around, corrupting the offered password, rather than just dropping all characters after the fifteenth.

Interesting stuff, thanks.

Keep me informed.

The workaround for now is to limit passwords to 15 characters.

Cheers, Andy Lavarre
alavarre@gmail.com
Comment 2 tester8 2012-01-12 06:15:41 UTC
NOT reproduced with

LOdev 3.5.0beta2 
4ca392c-760cc4d-f39cf3d-1b2857e-60db978
Ubuntu 10.04.3 x86
Linux 2.6.32-37-generic Russian UI

Can you try with 3.5.0beta2?
Comment 3 Jean-Baptiste Faure 2012-01-28 23:59:18 UTC
@reporter: if I compare with bug 43451, it is not clear in which format you saved your file. ODS or XLS ?
I do not reproduce with ODS in LO 3.5.0 rc2+ under Ubuntu 11.10.

Best regards. JBF
Comment 4 C. Andrews Lavarre 2012-01-29 09:16:25 UTC
Jean-Baptiste good afternoon. 

I have just checked and confirmed this on LibreOffice 3.4.4 
OOO340m1 (Build:1403) under openSUSE 12.1.

It occurs when saving a file as XLS. You can save the file with a password of sixteen or more characters without incident, however when you try then to open it with the same >= 16 character password it complains that the password is incorrect.

However, if you only enter the first fifteen characters then it opens correctly.
=====
You are correct that this does not occur if the file has been saved as an ODS. But it does occur if you save as an XLS.

Kind regards, Andy
Comment 5 Jean-Baptiste Faure 2012-01-29 09:33:38 UTC
*** Bug 43451 has been marked as a duplicate of this bug. ***
Comment 6 Jean-Baptiste Faure 2012-01-29 09:42:35 UTC
Ok, reproduced with LO 3.5.0 rc2+ too (LibreOffice 3.5.0rc2+ Version ID : 20ec7c1-ed94322-5cd2479-2386a41-138191a)

Best regards. JBF
Comment 7 A (Andy) 2014-09-20 19:19:49 UTC
Still reproducible with LO 4.3.1.2 (Win 8.1)

If you try to type a password longer than 15 characters it doesn't work.  This is user-unfriendly because the user gets no information in the password dialog box that a password longer than 15 characters is not possible.  It is not mentioned in the note below.
Only if you insert a password longer than 15 characters with copy&paste you get an information: 'The inserted text exceeded the maximum length of this text field. The text was truncated.'

I don't think that a maximum password length of 15 characters is useful and at least the user needs to be informed.  
All in all, there should be no length limitation or at least a much longer one.
Comment 8 DN 2015-02-11 11:42:19 UTC
* LO limits password *entry* to 15 characters when *saving* as (at least) DOCX or XLSX. There is no visual indicator that further characters are being ignored, other than that no more asterisks appear.
* LO does *not* limit password entry length when *decrypting* DOCX/XLSX files.
* Office 2013 (at least) doesn't limit passwords to 15 characters. Saving with a 20-character password in Office 2013, it is successfully decrypted with the same 20 characters using LO. Decryption fails when only entering the first 15 characters, so LO does seem to use the full length for decryption.
* It seems there was a limit in *earlier* versions of Office to passwords of 15 characters or fewer, for example: http://support.microsoft.com/kb/KbView/291457

At least two things are needed here:

* If LO is limiting password entry on OOXML to 15 characters, it needs to actively alert the user. Otherwise the user may enter a long password, not notice that it has been truncated, and be unable to open it with the password they *typed*. This is exactly what happened to me, and I was only able to regain access by experimenting to find the cause.
* Compatibility of >15-character-passworded OOXML documents with earlier OOXML-capable versions of Office (2007, 2010). If 2007 and 2010 are long-password-capable, the artificial limit on OOXML password creation length needs to be removed from LO (assuming it is just a deliberate truncation on entry).
Comment 9 A (Andy) 2015-03-07 15:50:35 UTC
> At least two things are needed here:
> 
> * If LO is limiting password entry on OOXML to 15 characters, it needs to
> actively alert the user. Otherwise the user may enter a long password, not
> notice that it has been truncated, and be unable to open it with the
> password they *typed*. This is exactly what happened to me, and I was only
> able to regain access by experimenting to find the cause.

This is no longer reproducible with LO 4.4.1.2, Win 8.1. (see also bug 65492)


> * Compatibility of >15-character-passworded OOXML documents with earlier
> OOXML-capable versions of Office (2007, 2010). If 2007 and 2010 are
> long-password-capable, the artificial limit on OOXML password creation
> length needs to be removed from LO (assuming it is just a deliberate
> truncation on entry).

This would be a good enhancement.
Comment 10 tommy27 2016-04-16 07:26:35 UTC
** Please read this message in its entirety before responding **

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present on a currently supported version of LibreOffice (5.0.5 or 5.1.2 https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the version of LibreOffice and your operating system, and any changes you see in the bug behavior
 
If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a short comment that includes your version of LibreOffice and Operating System

Please DO NOT

- Update the version field
- Reply via email (please reply directly on the bug tracker)
- Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)


If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 

1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3)

http://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug 

3. Leave a comment with your results. 

4a. If the bug was present with 3.3 - set version to "inherited from OOo"; 
4b. If the bug was not present in 3.3 - add "regression" to keyword


Feel free to come ask questions or to say hello in our QA chat: http://webchat.freenode.net/?channels=libreoffice-qa

Thank you for your help!

-- The LibreOffice QA Team This NEW Message was generated on: 2016-04-16
Comment 11 Jean-Baptiste Faure 2016-04-17 10:29:48 UTC
Now (LO 5.1.3.0.0+) there is a warning message when you try to paste a string password longer than 15 characters. If you type the password the exceeding characters are not accepted (the *** string does not grow anymore).

Closing as WorksForMe as I do not know which commit added the warning message.

Best regards. JBF