Nathan, I had never considered Keepass though have seen it discussed etc for
years. I have often used TrueCrypt USB 'disks' (sticks) when travelling, I
guess what you're doing with a TrueCrypt file on Dropbox is much the same. I
would like to see this a bit more automatic as a backup for password
database, though. 

 

Is anyone using 7Pass? (The WP7 version of Keepass, for which it seems v3.6
is OK for WP7.8 and WP8 - ?)

  _____  

Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Nathan Chere
Sent: Monday, March 24, 2014 9:29 AM
To: ozDotNet
Subject: RE: [OT] Password hash cracking

 

I used to use Password Safe and there's a pretty good .Net implementation of
the password store reader on CodeProject
<http://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Library-in-C-for-NET>
if you want to extend its usefulness yourself.

 

That said, I now use Keepass and have no regrets: http://keepass.info/

 

It's also open source but has a much more active dev community around it
than SPS, the downloads page has ports to virtually any platform you could
possibly want, and there's a well-designed plugin system which lets you do
things like near transparently replace the Firefox or Chrome saved password
functionality with Keepass. I run a portable instance in a TrueCrypt disk
saved on Dropbox so I have online sync without the usual concerns.

 

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of ILT (O)
Sent: Monday, 24 March 2014 12:23 PM
To: 'ozDotNet'
Subject: RE: [OT] Password hash cracking

 

Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and
they have just released a version for Windows Phone 8, but I have let it
lapse. I would rather back up my pw database to OneDrive than have RoboForm
manage it at their site, for some reason.

Have you seen any comparison of Password Safe with RoboForm?

It seems the Password Safe Sourceforge dev project isn't interested in a WP8
version. I would like to use the same application across the different
platforms.

  _____  

Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

 

Or, just use Schneier's Password Safe program and let it generate all your
passwords for you. I've been using it for years and I swear by it. I have
hundreds of passwords stored in its files and they're all long and very
complex.

http://passwordsafe.sourceforge.net/

 

On 22 March 2014 16:08, Greg Keogh <g...@mira.net> wrote:

Folks, in Bruce Schneier's latest newsletter
<https://www.schneier.com/crypto-gram-1403.html>  there is a section at the
end where he discusses the vulnerability of passwords. One of the links is
to this interesting and frightening article:

 

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 

The hashes in this cracking test were made with plain old MD5, but even
ignoring that, it's a sobering reminder of the progress in guessing and
cracking hashed passwords. I was surprised to learn that salting the hashes
doesn't offer much defence. I was amazed that they were using GPUs for
hashing and a graph shows that they're faster than CPUs ... is that
possible? After this I think the lessons are:

 

* Schneier suggests you make passwords out of pieces of words and sentences
to avoid predictable formats.

* Use a more recent and computationally intensive hasher.

* Don't let anyone steal your hashes.

* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll
<http://dll.paretologic.com/detail.php/msv1_0> only stores half a
user's hash in the registry).

 

Greg K
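
Added example, not part of the original thread: a Python sketch that measures the cost of one password guess against plain MD5, salted MD5 and a deliberately slow key-derivation function, to illustrate the salting and "computationally intensive hasher" points in the message above. PBKDF2-HMAC-SHA256 and the 200,000 iteration count are assumptions picked for the demonstration, and all passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor, chosen for this example only


def md5_hash(password: str, salt: bytes = b"") -> bytes:
    """Fast hash: one MD5 call per guess, with or without a salt."""
    return hashlib.md5(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow hash: every guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str) -> dict:
    """Store a per-user random salt and the work factor beside the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": pbkdf2_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    digest = pbkdf2_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Average wall-clock cost of hashing one candidate password."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}")
    return (time.perf_counter() - start) / rounds


def compare_costs() -> dict:
    salt = os.urandom(16)
    return {
        "md5": seconds_per_guess(md5_hash, 20_000),
        "md5+salt": seconds_per_guess(lambda p: md5_hash(p, salt), 20_000),
        "pbkdf2": seconds_per_guess(lambda p: pbkdf2_hash(p, salt), 3),
    }


if __name__ == "__main__":
    for name, cost in compare_costs().items():
        print(f"{name:9s} {cost * 1e6:12.2f} microseconds per guess")
```

The salted and unsalted MD5 rows come out nearly identical: a salt forces separate work per user and defeats precomputed tables, but it does not make an individual guess more expensive, whereas the iterated function multiplies the cost of every guess.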

 

 
