RE: [OT] Noise cancelling earphones for a quiet programming environment?

2014-03-23 Thread David Szkilnyk
Ah, you are at the point little noises frustrate you - remember to keep
calm and walk away if it all gets too much.

Yes I work in an open plan office too, I have support people and sales that
like to yell into the phone so they can be heard :)

 

Look I have friends and myself have been down this path, you are not alone.

Expect to pay a few hundred dollars for peace of mind and personally it's
worth it in the long run.

 

To cut it short 

I ended up with 'Fischer Audio FA-003' cans-style headphones, cost me
around $200 - I can crank my music up so loud and no one next to me can hear
it nor can I hear them.

Personally this is the way I like to operate but I can still have it at a
reasonable sound volume and it will drown out people completely.  It's quite
interesting when I take off my headphones and find people half way through a
conversation with me - nicely explain I can't hear them.  That is the
strange thing about our office people don't understand that we programmers
don't want to listen to everything around them we want to focus and
concentrate on what we have to do.

 

I have friends that have tried the Bose wireless models and thought they
were ok but not perfect. 

There is a more expensive model above the Bose which is around $500 but the
consensus is they weren't perfect either. 

At the end of day most of my friends wear some kind of cans-style
headphones.

 

The problem with a lot of these headphones is comfort. 

As in the earbud style nice and compact but can annoy your ears after a
while, also you can find the music can bleed out and then you can become
part of the problem.

 

I found a headphone shop in Lonsdale st in melb (just up from Elizabeth st)
that was very helpful and at the end of day I wasn't shopping for price I
just wanted a solution.

 

Good luck

Dave.

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Kirsten Greed
Sent: Sunday, 23 March 2014 1:21 PM
To: 'ozDotNet'
Subject: [OT] Noise cancelling earphones for a quiet programming
environment?

 

Hi All

So that I can concentrate better, I am trying to filter out the mouse
clicking sound from person at the desk next to me.

Has anyone any tech recommendations on how to do this?

Thanks

Kirsten



RE: [OT] Noise cancelling earphones for a quiet programming environment?

2014-03-23 Thread Nathan Chere
When 'cancelling' noise fails, drown it out :) Whatever you're listening to, 
play it louder.

If you find music too distracting there's plenty of alternatives. 'Noise' 
generators can feel a bit weird at first but they do a great job of blocking 
out ambient noise. Even better if listened to through active noise-cancelling 
earphones.

http://playnoise.com/ is my preferred

http://www.noisli.com/ if you prefer more 'natural' sounds, eg coffee shop 
ambience, crackling fire etc.

No specific preference for noise-cancelling products except avoid Sony's 
earphones like the plague.

PS: I normally prefer headphones but if you want them for noise cancelling 
value I'd recommend in-ear buds every time.

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Kirsten Greed
Sent: Sunday, 23 March 2014 1:21 PM
To: 'ozDotNet'
Subject: [OT] Noise cancelling earphones for a quiet programming environment?

Hi All
So that I can concentrate better, I am trying to filter out the mouse clicking 
sound from person at the desk next to me.
Has anyone any tech recommendations on how to do this?
Thanks
Kirsten




Re: Microsoft Web farm Framework Training in Canberra

2014-03-23 Thread noonie
Greetings,

I have found this course:-
http://pluralsight.com/training/Courses/Description/web-farms

Anyone done this one?

What's the general feeling on the Pluralsight training model in this
community?

-- 
Regards,
noonie



On 18 March 2014 09:15, noonie neale.n...@gmail.com wrote:

 Greetings,

 I'm looking for a course, preferably at our site, for training in
 Microsoft's Web Farm Framework. Particularly set-up, administration and
 writing applications that play nicely in that environment. I estimate that
 there would be six participants with a mix of web admins and .net
 developers.

 Any recommendations?

 --
 Regards,
 noonie




Re: Microsoft Web farm Framework Training in Canberra

2014-03-23 Thread Dave Walker
I like them. Doing an angular one right now. They seem fairly comprehensive
though I do wish for more 'real world' application design stuff.


On 24 March 2014 12:11, noonie neale.n...@gmail.com wrote:

 Greetings,

 I have found this course:-
 http://pluralsight.com/training/Courses/Description/web-farms

 Anyone done this one?

 What's the general feeling on the Pluralsight training model in this
 community?

 --
 Regards,
 noonie



 On 18 March 2014 09:15, noonie neale.n...@gmail.com wrote:

 Greetings,

 I'm looking for a course, preferably at our site, for training in
 Microsoft's Web Farm Framework. Particularly set-up, administration and
 writing applications that play nicely in that environment. I estimate that
 there would be six participants with a mix of web admins and .net
 developers.

 Any recommendations?

 --
 Regards,
 noonie





RE: Microsoft Web farm Framework Training in Canberra

2014-03-23 Thread GregAtGregLowDotCom
Hi noonie,

 

Great for some things. I particularly liked K Scott Allen's ones in and
around MVC, HTML5, CSS3, etc.

 

Regards,

 

Greg

 

Dr Greg Low

 

1300SQLSQL (1300 775 775) office | +61 419201410 mobile│ +61 3 8676 4913 fax


SQL Down Under | Web: http://www.sqldownunder.com/

 

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of noonie
Sent: Monday, 24 March 2014 10:12 AM
To: ozDotNet
Subject: Re: Microsoft Web farm Framework Training in Canberra

 

Greetings,

 

I have found this course:-
http://pluralsight.com/training/Courses/Description/web-farms

 

Anyone done this one?

 

What's the general feeling on the Pluralsight training model in this
community?

 

-- 
Regards,

noonie

 

 

On 18 March 2014 09:15, noonie neale.n...@gmail.com wrote:

Greetings,

 

I'm looking for a course, preferably at our site, for training in
Microsoft's Web Farm Framework. Particularly set-up, administration and
writing applications that play nicely in that environment. I estimate that
there would be six participants with a mix of web admins and .net
developers.

 

Any recommendations?

 

-- 
Regards,

noonie

 

 



Re: Microsoft Web farm Framework Training in Canberra

2014-03-23 Thread Dave Walker
And with free trial
https://pluralsight.com/training/subscribe/Step1?isTrial=True for 200
minutes it's kinda worth it.


On 24 March 2014 12:20, GregAtGregLowDotCom g...@greglow.com wrote:

 Hi noonie,



 Great for some things. I particularly liked K Scott Allen’s ones in and
 around MVC, HTML5, CSS3, etc.



 Regards,



 Greg



 Dr Greg Low



 1300SQLSQL (1300 775 775) office | +61 419201410 mobile│ +61 3 8676 4913fax

 SQL Down Under | Web: www.sqldownunder.com



 *From:* ozdotnet-boun...@ozdotnet.com [mailto:
 ozdotnet-boun...@ozdotnet.com] *On Behalf Of *noonie
 *Sent:* Monday, 24 March 2014 10:12 AM
 *To:* ozDotNet
 *Subject:* Re: Microsoft Web farm Framework Training in Canberra



 Greetings,



 I have found this course:-
 http://pluralsight.com/training/Courses/Description/web-farms



 Anyone done this one?



 What's the general feeling on the Pluralsight training model in this
 community?



 --
 Regards,

 noonie





 On 18 March 2014 09:15, noonie neale.n...@gmail.com wrote:

 Greetings,



 I'm looking for a course, preferably at our site, for training in
 Microsoft's Web Farm Framework. Particularly set-up, administration and
 writing applications that play nicely in that environment. I estimate that
 there would be six participants with a mix of web admins and .net
 developers.



 Any recommendations?



 --
 Regards,

 noonie







RE: [OT] Noise cancelling earphones for a quiet programming environment?

2014-03-23 Thread GregAtGregLowDotCom
+1 for the Bose gear. I wear them all the time on long flights and love them
but have also used them in other environments and they are great.

 

The noise reduction quality is amazing. 

 

+1 also to the idea of drowning out part of the other noise. While they work
well without anything even plugged in, clearly you'll lose the other
distractions better if you have sounds of your own.

 

For the same reason, I often will have the TV, or music, etc. on when I'm
home alone working just to provide background noise. Otherwise, every little
sound seems to be distracting.

 

Regards,

 

Greg

 

Dr Greg Low

 

1300SQLSQL (1300 775 775) office | +61 419201410 mobile│ +61 3 8676 4913 fax


SQL Down Under | Web: http://www.sqldownunder.com/

 

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Jorke Odolphi
Sent: Monday, 24 March 2014 9:28 AM
To: ozDotNet
Subject: Re: [OT] Noise cancelling earphones for a quiet programming
environment?

 

 

http://worldwide.bose.com/axa/en_au/web/quietcomfort_20i/page.html

 

I have a set of these - there is an 'active' mode that basically reduces
people talking to sounding like a faint version of the peanuts teacher (I
hope that's not too old a reference for people:)

 

I can vouch it works amazingly well in an open office, when I have them on
ppl have to wave at me to get attention - I have a mechanical keyboard and I
can't hear that either - YMMV of course - if you go to the bose store
they're pretty good at helping you test for your situation, especially at
that price tag. I had the guy do loud sniffles for me so I could see if it
worked for that:

 

 

 

 

From: Kirsten Greed kirst...@jobtalk.com.au
Reply-To: ozDotNet ozdotnet@ozdotnet.com
Date: Sunday, 23 March 2014 1:20 pm
To: ozDotNet ozdotnet@ozdotnet.com
Subject: [OT] Noise cancelling earphones for a quiet programming
environment?

 

Hi All

So that I can concentrate better, I am trying to filter out the mouse
clicking sound from person at the desk next to me.

Has anyone any tech recommendations on how to do this?

Thanks

Kirsten



Re: [OT] Password hash cracking

2014-03-23 Thread Grant Maw
Or, just use Schneier's Password Safe program and let it generate all your
passwords for you. I've been using it for years and I swear by it. I have
hundreds of passwords stored in its files and they're all long and very
complex.

http://passwordsafe.sourceforge.net/


On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:

 Folks, in Bruce Schneier's latest newsletter
 (https://www.schneier.com/crypto-gram-1403.html) there is a section
 at the end where he discusses the vulnerability of
 passwords. One of the links is to this interesting and frightening article:


 http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 The hashes in this cracking test were made with plain old MD5, but even
 ignoring that, it's a sobering reminder of the progress in guessing and
 cracking hashed passwords. I was surprised to learn that salting the hashes
 doesn't offer much defence. I was amazed that they were using GPUs for
 hashing and a graph shows that they're faster than CPUs ... is that
 possible? After this I think the lessons are:

 * Schneier suggests you make passwords out of pieces of words and
 sentences to avoid predictable formats.
 * Use a more recent and computationally intensive hasher.
 * Don't let anyone steal your hashes.
 * Don't store the whole hash (I learned in Russinovich's book that
 msv1_0.dll (http://dll.paretologic.com/detail.php/msv1_0)
 only stores half a user's hash in the registry).

 *Greg K*



RE: [OT] Password hash cracking

2014-03-23 Thread Ken Schaefer
I think there's two separate issues here:

a)  How, as a user, do you generate good passwords? What's considered 
good is continually changing - Microsoft (and others) were touting pass 
phrases not that long ago, and even then it was pretty obvious that attacks 
would migrate using whole words and mangled words as part of an attack. Even 
with a tool to generate passwords, do you go back to old site to update your 
password each time a class of passwords becomes easy game?

b)  How, as an authentication system, do you safely store the credentials 
of your user base? What rules do you enforce on the passwords that can be 
supplied/generated, and once generated, how best to secure these at rest and 
in transit? I think this is the main question that Greg is asking

Greg - sites like Slashdot, routinely cover advances in crypto and attack 
vectors in a format that non-experts can easily digest. E.g. GPU based 
attacking has been the norm for some time now.

Cheers
Ken

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Grant Maw
Sent: Monday, 24 March 2014 11:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

Or, just use Schneier's Password Safe program and let it generate all your 
passwords for you. I've been using it for years and I swear by it. I have 
hundreds of passwords stored in it's files and they're all long and very 
complex.

http://passwordsafe.sourceforge.net/

On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:
Folks, in Bruce Schneier's latest newsletter
(https://www.schneier.com/crypto-gram-1403.html) there is a section
at the end where he discusses the vulnerability of passwords. One of the links
is to this interesting and frightening article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The hashes in this cracking test were made with plain old MD5, but even 
ignoring that, it's a sobering reminder of the progress in guessing and 
cracking hashed passwords. I was surprised to learn that salting the hashes 
doesn't offer much defence. I was amazed that they were using GPUs for hashing 
and a graph shows that they're faster than CPUs ... is that possible? After 
this I think the lessons are:

* Schneier suggests you make passwords out of pieces of words and sentences to 
avoid predictable formats.
* Use a more recent and computationally intensive hasher.
* Don't let anyone steal your hashes.
* Don't store the whole hash (I learned in Russinovich's book that
msv1_0.dll (http://dll.paretologic.com/detail.php/msv1_0) only stores half a
user's hash in the registry).

Greg K
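
[Added example, not part of any message in this thread.] The storage question raised above, worked through: a per-user salt stops identical passwords sharing a record, but each guess against a salted MD5 still costs one fast hash, while an iterated KDF raises the cost per guess. The record formats, iteration count and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed values for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_md5_salted(password: str, salt: bytes) -> str:
    """Legacy record 'md5$<salt>$<digest>': one fast MD5 call per guess."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def hash_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Record 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a per-user salt."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (password_ok, needs_rehash) for either record format."""
    try:
        scheme, *fields = stored.split("$")
        if scheme == "md5":
            salt_hex, _digest = fields
            candidate = hash_md5_salted(password, bytes.fromhex(salt_hex))
            current = False  # legacy format is never considered current
        elif scheme == "pbkdf2_sha256":
            iterations, salt_hex, _digest = fields
            candidate = hash_pbkdf2(password, int(iterations), bytes.fromhex(salt_hex))
            current = int(iterations) >= PBKDF2_ITERATIONS
        else:
            return False, False
    except (ValueError, OverflowError):  # wrong field count, bad hex, bad integer
        return False, False
    # Constant-time comparison so timing does not leak how much of the digest matched.
    ok = hmac.compare_digest(candidate.encode(), stored.encode())
    return ok, ok and not current


def login(db: dict, user: str, password: str) -> bool:
    """Check a login and upgrade a weak record while the plaintext is available."""
    stored = db.get(user)
    if stored is None:
        return False
    ok, needs_rehash = verify(password, stored)
    if ok and needs_rehash:
        db[user] = hash_pbkdf2(password)
    return ok


def seconds_per_guess(make_hash, rounds: int) -> float:
    """Average wall-clock cost of computing one candidate hash."""
    start = time.perf_counter()
    for _ in range(rounds):
        make_hash("guess")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample data: two users with the same password, legacy format.
    db = {u: hash_md5_salted("Summer2014!", secrets.token_bytes(SALT_BYTES))
          for u in ("alice", "bob")}
    print("same password, different records:", db["alice"] != db["bob"])
    print("login ok:", login(db, "alice", "Summer2014!"), "->", db["alice"][:20])
    fast = seconds_per_guess(lambda p: hash_md5_salted(p, b"\x00" * SALT_BYTES), 20_000)
    slow = seconds_per_guess(hash_pbkdf2, 5)
    print(f"salted MD5: {fast * 1e6:.1f} us/guess, PBKDF2: {slow * 1e3:.1f} ms/guess")
```
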



RE: [OT] Password hash cracking

2014-03-23 Thread ILT (O)
Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and
they have just released a version for Windows Phone 8, but I have let it
lapse. I would rather back up my pw database to OneDrive than have RoboForm
manage it at their site, for some reason.

Have you seen any comparison of Password Safe with RoboForm?

It seems the Password Safe Sourceforge dev project isn't interested in a WP8
version. I would like to use the same application across the different
platforms.


Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

 

Or, just use Schneier's Password Safe program and let it generate all your
passwords for you. I've been using it for years and I swear by it. I have
hundreds of passwords stored in it's files and they're all long and very
complex.

http://passwordsafe.sourceforge.net/

 

On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:

Folks, in Bruce Schneier's latest newsletter
https://www.schneier.com/crypto-gram-1403.html  there is a section at the
end where he discusses the vulnerability of passwords. One of the links is
to this interesting and frightening article:

 

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 

The hashes in this cracking test were made with plain old MD5, but even
ignoring that, it's a sobering reminder of the progress in guessing and
cracking hashed passwords. I was surprised to learn that salting the hashes
doesn't offer much defence. I was amazed that they were using GPUs for
hashing and a graph shows that they're faster than CPUs ... is that
possible? After this I think the lessons are:

 

* Schneier suggests you make passwords out of pieces of words and sentences
to avoid predictable formats.

* Use a more recent and computationally intensive hasher.

* Don't let anyone steal your hashes.

* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll
(http://dll.paretologic.com/detail.php/msv1_0) only stores half a
user's hash in the registry).

 

Greg K

 



RE: [OT] Password hash cracking

2014-03-23 Thread ILT (O)
Greg, did you follow up on the (promised) article in arstechnica on how to
do it properly? I couldn't find one.

The closest relevant advice (for users) was to use a password minder, but I
guess that doesn't help if the visited passworded websites store unsafely. 

(I see that iiNet pops up a warning when customers have unsafe passwords,
and offer to generate a better one using their online tool. I would assume
quite a few subscribers to this list work for enterprises that use the
better methodologies)


Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Greg Keogh
Sent: Saturday, March 22, 2014 2:09 PM
To: ozDotNet
Subject: [OT] Password hash cracking

 

Folks, in Bruce Schneier's latest newsletter
https://www.schneier.com/crypto-gram-1403.html  there is a section at the
end where he discusses the vulnerability of passwords. One of the links is
to this interesting and frightening article:

 

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 

The hashes in this cracking test were made with plain old MD5, but even
ignoring that, it's a sobering reminder of the progress in guessing and
cracking hashed passwords. I was surprised to learn that salting the hashes
doesn't offer much defence. I was amazed that they were using GPUs for
hashing and a graph shows that they're faster than CPUs ... is that
possible? After this I think the lessons are:

 

* Schneier suggests you make passwords out of pieces of words and sentences
to avoid predictable formats.

* Use a more recent and computationally intensive hasher.

* Don't let anyone steal your hashes.

* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll
(http://dll.paretologic.com/detail.php/msv1_0) only stores half a
user's hash in the registry).

 

Greg K



RE: [OT] Password hash cracking

2014-03-23 Thread Nathan Chere
I used to use Password Safe and there's a pretty good .Net implementation of
the password store reader on CodeProject
(http://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Library-in-C-for-NET)
if you want to extend its usefulness yourself.

That said, I now use Keepass and have no regrets: http://keepass.info/

It's also open source but has a much more active dev community around it than 
SPS, the downloads page has ports to virtually any platform you could possibly 
want, and there's a well-designed plugin system which lets you do things like 
near transparently replace the Firefox or Chrome saved password functionality 
with Keepass. I run a portable instance in a TrueCrypt disk saved on Dropbox so 
I have online sync without the usual concerns.

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of ILT (O)
Sent: Monday, 24 March 2014 12:23 PM
To: 'ozDotNet'
Subject: RE: [OT] Password hash cracking

Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they 
have just released a version for Windows Phone 8, but I have let it lapse. I 
would rather back up my pw database to OneDrive than have RoboForm manage it at 
their site, for some reason.
Have you see any comparison of Password Safe with RoboForm?
It seems the Password Safe Sourceforge dev project isn't interested in a WP8 
version. I would like to use the same application across the different 
platforms.

Ian Thomas
Victoria Park, Western Australia
From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

Or, just use Schneier's Password Safe program and let it generate all your 
passwords for you. I've been using it for years and I swear by it. I have 
hundreds of passwords stored in it's files and they're all long and very 
complex.

http://passwordsafe.sourceforge.net/

On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:
Folks, in Bruce Schneier's latest newsletter
(https://www.schneier.com/crypto-gram-1403.html) there is a section
at the end where he discusses the vulnerability of passwords. One of the links
is to this interesting and frightening article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The hashes in this cracking test were made with plain old MD5, but even 
ignoring that, it's a sobering reminder of the progress in guessing and 
cracking hashed passwords. I was surprised to learn that salting the hashes 
doesn't offer much defence. I was amazed that they were using GPUs for hashing 
and a graph shows that they're faster than CPUs ... is that possible? After 
this I think the lessons are:

* Schneier suggests you make passwords out of pieces of words and sentences to 
avoid predictable formats.
* Use a more recent and computationally intensive hasher.
* Don't let anyone steal your hashes.
* Don't store the whole hash (I learned in Russinovich's book that
msv1_0.dll (http://dll.paretologic.com/detail.php/msv1_0) only stores half a
user's hash in the registry).

Greg K





RE: [OT] Password hash cracking

2014-03-23 Thread ILT (O)
Nathan, I had never considered Keepass though have seen it discussed etc for
years. I have often used TrueCrypt USB 'disks' (sticks) when travelling, I
guess what you're doing with a TrueCrypt file on Dropbox is much the same. I
would like to see this a bit more automatic as a backup for password
database, though. 

 

Is anyone using 7Pass? (The WP7 version of Keepass, for which it seems v3.6
is OK for WP7.8 and WP8 - ?)


Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Nathan Chere
Sent: Monday, March 24, 2014 9:29 AM
To: ozDotNet
Subject: RE: [OT] Password hash cracking

 

I used to use Password Safe and there's a pretty good .Net implementation of
the password store reader on CodeProject
(http://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Library-in-C-for-NET)
if you want to extend its usefulness yourself.

 

That said, I now use Keepass and have no regrets: http://keepass.info/

 

It's also open source but has a much more active dev community around it
than SPS, the downloads page has ports to virtually any platform you could
possibly want, and there's a well-designed plugin system which lets you do
things like near transparently replace the Firefox or Chrome saved password
functionality with Keepass. I run a portable instance in a TrueCrypt disk
saved on Dropbox so I have online sync without the usual concerns.

 

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of ILT (O)
Sent: Monday, 24 March 2014 12:23 PM
To: 'ozDotNet'
Subject: RE: [OT] Password hash cracking

 

Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and
they have just released a version for Windows Phone 8, but I have let it
lapse. I would rather back up my pw database to OneDrive than have RoboForm
manage it at their site, for some reason.

Have you see any comparison of Password Safe with RoboForm? 

It seems the Password Safe Sourceforge dev project isn't interested in a WP8
version. I would like to use the same application across the different
platforms.


Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

 

Or, just use Schneier's Password Safe program and let it generate all your
passwords for you. I've been using it for years and I swear by it. I have
hundreds of passwords stored in it's files and they're all long and very
complex.

http://passwordsafe.sourceforge.net/

 

On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:

Folks, in Bruce Schneier's latest newsletter
https://www.schneier.com/crypto-gram-1403.html  there is a section at the
end where he discusses the vulnerability of passwords. One of the links is
to this interesting and frightening article:

 

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 

The hashes in this cracking test were made with plain old MD5, but even
ignoring that, it's a sobering reminder of the progress in guessing and
cracking hashed passwords. I was surprised to learn that salting the hashes
doesn't offer much defence. I was amazed that they were using GPUs for
hashing and a graph shows that they're faster than CPUs ... is that
possible? After this I think the lessons are:

 

* Schneier suggests you make passwords out of pieces of words and sentences
to avoid predictable formats.

* Use a more recent and computationally intensive hasher.

* Don't let anyone steal your hashes.

* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll
(http://dll.paretologic.com/detail.php/msv1_0) only stores half a
user's hash in the registry).

 

Greg K

 

 




Re: [OT] Password hash cracking

2014-03-23 Thread Grant Maw
Ian

I use Password Safe on Windows 8 but not on a phone, and you are right they
don't seem interested in a WP8 version. Sorry, I've not seen any
comparisons between PWSafe and others. I've been using PWSafe since its
very early versions and never bothered looking elsewhere.

G


On 24 March 2014 11:23, ILT (O) il.tho...@outlook.com wrote:

 Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and
 they have just released a version for Windows Phone 8, but I have let it
 lapse. I would rather back up my pw database to OneDrive than have RoboForm
 manage it at their site, for some reason.

 Have you see any comparison of Password Safe with RoboForm?

 It seems the Password Safe Sourceforge dev project isn't interested in a
 WP8 version. I would like to use the same application across the different
 platforms.
 --

 Ian Thomas
 Victoria Park, Western Australia

 *From:* ozdotnet-boun...@ozdotnet.com [mailto:
 ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Grant Maw
 *Sent:* Monday, March 24, 2014 8:08 AM

 *To:* ozDotNet
 *Subject:* Re: [OT] Password hash cracking



 Or, just use Schneier's Password Safe program and let it generate all your
 passwords for you. I've been using it for years and I swear by it. I have
 hundreds of passwords stored in it's files and they're all long and very
 complex.

 http://passwordsafe.sourceforge.net/



 On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:

 Folks, in Bruce Schneier's latest newsletter
 (https://www.schneier.com/crypto-gram-1403.html) there is a section
 at the end where he discusses the vulnerability of
 passwords. One of the links is to this interesting and frightening article:




 http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/



 The hashes in this cracking test were made with plain old MD5, but even
 ignoring that, it's a sobering reminder of the progress in guessing and
 cracking hashed passwords. I was surprised to learn that salting the hashes
 doesn't offer much defence. I was amazed that they were using GPUs for
 hashing and a graph shows that they're faster than CPUs ... is that
 possible? After this I think the lessons are:



 * Schneier suggests you make passwords out of pieces of words and
 sentences to avoid predictable formats.

 * Use a more recent and computationally intensive hasher.

 * Don't let anyone steal your hashes.

 * Don't store the whole hash (I learned in Russinovich's book that
 msv1_0.dll (http://dll.paretologic.com/detail.php/msv1_0)
 only stores half a user's hash in the registry).



 *Greg K*





RE: [OT] Password hash cracking

2014-03-23 Thread ILT (O)
OK, I'm way off-topic here with the WP tangent anyway. What I did find
lately was a WP8 [1] and Windows 8 / Windows RT [2] password management
application written by Ginny Caughey, called Password Padlock (there's also
another of that same name, written by a NZ dev). 

 

[1] http://www.windowsphone.com/en-us/store/app/password-padlock/edbf1d8f-7ad5-df11-a844-00237de2db9e
[2] http://apps.microsoft.com/windows/en/app/password-padlock/de8a7dc4-beb3-4d4d-8b00-def5cc6a1182/m/ROW


Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 10:48 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

 

Ian 

I use Password Safe on Windows 8 but not on a phone, and you are right they
don't seem interested in a WP8 version. Sorry, I've not seen any comparisons
between PWSafe and others. I've been using PWSafe since its very early
versions and never bothered looking elsewhere.

G

 

On 24 March 2014 11:23, ILT (O) il.tho...@outlook.com wrote:

Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and
they have just released a version for Windows Phone 8, but I have let it
lapse. I would rather back up my pw database to OneDrive than have RoboForm
manage it at their site, for some reason.

Have you see any comparison of Password Safe with RoboForm? 

It seems the Password Safe Sourceforge dev project isn't interested in a WP8
version. I would like to use the same application across the different
platforms.


Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM


To: ozDotNet
Subject: Re: [OT] Password hash cracking

 

Or, just use Schneier's Password Safe program and let it generate all your
passwords for you. I've been using it for years and I swear by it. I have
hundreds of passwords stored in it's files and they're all long and very
complex.

http://passwordsafe.sourceforge.net/

 

On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:

Folks, in Bruce Schneier's latest newsletter
https://www.schneier.com/crypto-gram-1403.html  there is a section at the
end where he discusses the vulnerability of passwords. One of the links is
to this interesting and frightening article:

 

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 

The hashes in this cracking test were made with plain old MD5, but even
ignoring that, it's a sobering reminder of the progress in guessing and
cracking hashed passwords. I was surprised to learn that salting the hashes
doesn't offer much defence. I was amazed that they were using GPUs for
hashing and a graph shows that they're faster than CPUs ... is that
possible? After this I think the lessons are:

 

* Schneier suggests you make passwords out of pieces of words and sentences
to avoid predictable formats.

* Use a more recent and computationally intensive hasher.

* Don't let anyone steal your hashes.

* Don't store the whole hash (I learned in Russinovich's book that msv1_0.dll
(http://dll.paretologic.com/detail.php/msv1_0) only stores half a
user's hash in the registry).

 

Greg K
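
An added example, not part of the original thread: it puts the "computationally intensive hasher" lesson next to the salting point by measuring what one password guess costs under salted MD5 and under PBKDF2-HMAC-SHA256. A per-user salt makes identical passwords store differently, but each guess is still one fast hash; the iteration count is what raises the cost. The function names, the 200,000 iteration count and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def md5_salted(password: str, salt: bytes) -> bytes:
    """Fast salted hash, like the plain MD5 scheme in the cracking test."""
    return hashlib.md5(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow hash: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str) -> dict:
    """Build what the server stores: per-user salt, work factor and hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_guess(hash_fn, trials: int) -> float:
    """Average time to test one candidate password against one salt."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / trials


def cost_ratio() -> float:
    """How many times more a PBKDF2 guess costs than a salted MD5 guess."""
    return seconds_per_guess(pbkdf2, 3) / seconds_per_guess(md5_salted, 20_000)


if __name__ == "__main__":
    a, b = new_record("constructed-sample-pw"), new_record("constructed-sample-pw")
    print("same password, different stored hashes:", a["hash"] != b["hash"])
    print("verify right / wrong:", verify("constructed-sample-pw", a), verify("nope", a))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x a salted MD5 guess")
```
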

 

 



RE: [OT] Password hash cracking

2014-03-23 Thread Nathan Chere
What I do with TrueCrypt+Dropbox+Keepass isn't intended for convenience. If you 
want automatic backup:

Backup & Synchronization & IO

* Another Backup Plugin (http://keepass.info/plugins.html#abp):
  Automatically backs up databases.
* DB_Backup (http://keepass.info/plugins.html#dbbackup):
  Creates backups of databases.
* DataBaseBackup (http://keepass.info/plugins.html#databasebackup):
  Creates backups of databases.
* IOProtocolExt (http://keepass.info/plugins.html#ioprotocolext):
  Adds support for SCP, SFTP and FTPS.
* KeeCloud (http://keepass.info/plugins.html#keecloud):
  Adds support for online storage providers.
* KeePassSync (http://keepass.info/plugins.html#keepasssync):
  Synchronize using online storage providers.
* KeePass Google Sync (http://keepass.info/plugins.html#kpgsync):
  Synchronize using Google Drive.
* KPDataSave (Dropbox) (http://keepass.info/plugins.html#kpdatasave):
  Save your database in Dropbox.

(from http://keepass.info/plugins.html)

As far as I'm aware the plugins for Dropbox and Google Drive are the most 
popular sync ones, and if you're not being as paranoid as I am you don't need 
the portable install or TrueCrypt. Just let it sync between your various 
installs and devices and forget about it.

Cheers,
Nathan Chere - Software Developer (.NET)
SAI Global Property | www.saiglobal.com/property

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of ILT (O)
Sent: Monday, 24 March 2014 1:20 PM
To: 'ozDotNet'
Subject: RE: [OT] Password hash cracking

Nathan, I had never considered Keepass though have seen it discussed etc for 
years. I have often used TrueCrypt USB 'disks' (sticks) when travelling, I 
guess what you're doing with a TrueCrypt file on Dropbox is much the same. I 
would like to see this a bit more automatic as a backup for password database, 
though.

Is anyone using 7Pass? (The WP7 version of Keepass, for which it seems v3.6 is 
OK for WP7.8 and WP8 - ?)

Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Nathan Chere
Sent: Monday, March 24, 2014 9:29 AM
To: ozDotNet
Subject: RE: [OT] Password hash cracking

I used to use Password Safe and there's a pretty good .Net implementation of 
the password store reader on CodeProject 
(http://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Library-in-C-for-NET) 
if you want to extend its usefulness yourself.

That said, I now use Keepass and have no regrets: http://keepass.info/

It's also open source but has a much more active dev community around it than 
SPS, the downloads page has ports to virtually any platform you could possibly 
want, and there's a well-designed plugin system which lets you do things like 
near transparently replace the Firefox or Chrome saved password functionality 
with Keepass. I run a portable instance in a TrueCrypt disk saved on Dropbox so 
I have online sync without the usual concerns.

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of ILT (O)
Sent: Monday, 24 March 2014 12:23 PM
To: 'ozDotNet'
Subject: RE: [OT] Password hash cracking

Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they 
have just released a version for Windows Phone 8, but I have let it lapse. I 
would rather back up my pw database to OneDrive than have RoboForm manage it at 
their site, for some reason.
Have you seen any comparison of Password Safe with RoboForm?
It seems the Password Safe Sourceforge dev project isn't interested in a WP8 
version. I would like to use the same application across the different 
platforms.

Ian Thomas
Victoria Park, Western Australia

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Grant Maw
Sent: Monday, March 24, 2014 8:08 AM
To: ozDotNet
Subject: Re: [OT] Password hash cracking

Or, just use Schneier's Password Safe program and let it generate all your 
passwords for you. I've been using it for years and I swear by it. I have 
hundreds of passwords stored in its files and they're all long and very 
complex.

http://passwordsafe.sourceforge.net/

On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote:
Folks, in Bruce Schneier's latest newsletter 
https://www.schneier.com/crypto-gram-1403.html there is a section 
at the end where he discusses the vulnerability of passwords. One of the links 
is to this interesting and frightening article:


Re: [OT] Password hash cracking

2014-03-23 Thread Greg Keogh

 Greg, did you follow up on the (promised) article in arstechnica on how to
 do it properly? I couldn't find one ...


Not yet, I got distracted by paid work! I'm still thinking about a password
minder, but I've never looked at them before. Do you cut-and-paste
passwords from the minder into the page or app? Does it do that
automatically by some magic? Some dialog boxes won't accept a pasted
password (the domain login elevation for example). I'll look at the issue
when I get some spare time on the weekend -- *Greg*