Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason.
Have you seen any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms.

_____

Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in its files and they're all long and very complex.

http://passwordsafe.sourceforge.net/

On 22 March 2014 16:08, Greg Keogh <g...@mira.net> wrote:

Folks, in Bruce Schneier's latest newsletter <https://www.schneier.com/crypto-gram-1403.html> there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible?

After this I think the lessons are:

* Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats.
* Use a more recent and computationally intensive hasher.
* Don't let anyone steal your hashes.
* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll <http://dll.paretologic.com/detail.php/msv1_0> only stores half a user's hash in the registry).

Greg K
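
Added example, not part of the thread: a Python sketch of the "computationally intensive hasher" lesson, storing passwords with a per-user salt plus a work factor and measuring how much more one guess costs than with salted MD5. PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

ITERATIONS = 200_000  # assumed work factor; tune to your own hardware

def md5_salted(password: str, salt: bytes) -> bytes:
    """Fast salted hash: unique per user, but still one MD5 call per guess."""
    return hashlib.md5(salt + password.encode()).digest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash stored as 'pbkdf2_sha256$iter$salt$hash'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than raise
    return hmac.compare_digest(dk, expected)

def seconds_per_hash(fn, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    """How many salted-MD5 computations fit in the time of one PBKDF2 computation."""
    salt = os.urandom(16)
    pw = "constructed-sample"  # constructed sample input
    fast = seconds_per_hash(lambda: md5_salted(pw, salt), 20_000)
    slow = seconds_per_hash(
        lambda: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS), 3)
    return slow / fast

if __name__ == "__main__":
    record = hash_password("constructed-sample")
    print(record, verify_password("constructed-sample", record))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one salted MD5 guess")
```

The salt makes every stored record different, while the iteration count is what raises the cost of each guess against a stolen hash.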