Greg, did you follow up on the (promised) article in arstechnica on how to do it properly? I couldn't find one.

The closest relevant advice (for users) was to use a password minder, but I guess that doesn't help if the visited passworded websites store unsafely. (I see that iiNet pops up a warning when customers have unsafe passwords, and offers to generate a better one using their online tool. I would assume quite a few subscribers to this list work for enterprises that use the better methodologies.)

_____
Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Greg Keogh
Sent: Saturday, March 22, 2014 2:09 PM
To: ozDotNet
Subject: [OT] Password hash cracking

Folks, in Bruce Schneier's latest newsletter <https://www.schneier.com/crypto-gram-1403.html> there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible?

After this I think the lessons are:

* Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats.
* Use a more recent and computationally intensive hasher.
* Don't let anyone steal your hashes.
* Don't store the whole hash (I learned in Russinovich's book that msv1_0 <http://dll.paretologic.com/detail.php/msv1_0> .dll only stores half a user's hash in the registry).

Greg K
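As an added illustration of Greg's salting remark and his "computationally intensive hasher" lesson (this is example code, not from either poster), the Python below puts the unsalted MD5 scheme used in the cracking test beside a per-user-salted, iterated PBKDF2-HMAC-SHA256 store and measures how much each guess costs; the iteration count, the sample passwords and the timing loop sizes are assumed values.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor; real deployments tune this to their hardware budget.
ITERATIONS = 200_000

def md5_unsalted(password: str) -> str:
    """The scheme from the cracking test: one fast hash, no salt, so equal
    passwords produce equal hashes and every guess costs a single MD5."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex'. A fresh 16-byte random salt per
    user means equal passwords no longer share a stored value (so one cracked
    hash does not unlock every account using that password), and the iteration
    count makes each guess cost `iterations` HMAC calls instead of one."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the check itself does not leak how many bytes matched."""
    iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def guesses_per_second(fn, guesses: int) -> float:
    """Rough single-core guess rate for one scheme (machine dependent)."""
    start = time.perf_counter()
    for i in range(guesses):
        fn(f"password{i}")  # constructed candidate passwords
    return guesses / (time.perf_counter() - start)

if __name__ == "__main__":
    # Two users who happen to share the same (constructed) password.
    print("md5 equal:", md5_unsalted("Summer2014") == md5_unsalted("Summer2014"))
    a, b = pbkdf2_store("Summer2014"), pbkdf2_store("Summer2014")
    print("pbkdf2 equal:", a == b, "| both verify:",
          pbkdf2_verify("Summer2014", a) and pbkdf2_verify("Summer2014", b))
    fast = guesses_per_second(md5_unsalted, 20_000)
    slow = guesses_per_second(pbkdf2_store, 10)
    print(f"md5: {fast:,.0f}/s  pbkdf2: {slow:,.1f}/s  slowdown: {fast / slow:,.0f}x")
```

The printed slowdown is the factor by which a brute-force or dictionary run against the stored values is slowed on this one core; a GPU narrows the absolute numbers but not the ratio between the two schemes.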