Re: [OT] Password hash cracking
Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletterhttps://www.schneier.com/crypto-gram-1403.htmlthere is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0http://dll.paretologic.com/detail.php/msv1_0.dll only stores half a user's hash in the registry). *Greg K*
RE: [OT] Password hash cracking
I think there's two separate issues here: a) How, as a user, do you generate good passwords? What's considered good is continually changing - Microsoft (and others) were touting pass phrases not that long ago, and even then it was pretty obvious that attacks would migrate using whole words and mangled words as part of an attack. Even with a tool to generate passwords, do you go back to old site to update your password each time a class of passwords becomes easy game? b) How, as an authentication system, do you safely store the credentials of your user base? What rules do you enforce on the passwords that can be supplied/generated, and once generated, how best to secure these at rest and in transit? I think this is the main question that Greg is asking Greg - sites like Slashdot, routinely cover advances in crypto and attack vectors in a format that non-experts can easily digest. E.g. GPU based attacking has been the norm for some time now. Cheers Ken From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, 24 March 2014 11:08 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.netmailto:g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletterhttps://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0http://dll.paretologic.com/detail.php/msv1_0.dll only stores half a user's hash in the registry). Greg K
RE: [OT] Password hash cracking
Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason. Have you see any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms. _ Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, March 24, 2014 8:08 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletter https://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of -your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0 http://dll.paretologic.com/detail.php/msv1_0 .dll only stores half a user's hash in the registry). Greg K
RE: [OT] Password hash cracking
Greg, did you follow up on the (promised) article in arstechnica on how to do it properly? I couldn't find one . The closest relevant advice (for users) was to use a password minder, but I guess that doesn't help if the visited passworded websites store unsafely. (I see that iiNet pops up a warning when customers have unsafe passwords, and offer to generate a better on using their online tool. I would assume quite a few subscribers to this list work for enterprises that use the better methodologies) _ Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Greg Keogh Sent: Saturday, March 22, 2014 2:09 PM To: ozDotNet Subject: [OT] Password hash cracking Folks, in Bruce Schneier's latest newsletter https://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of -your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0 http://dll.paretologic.com/detail.php/msv1_0 .dll only stores half a user's hash in the registry). Greg K
RE: [OT] Password hash cracking
I used to use Password Safe and there's a pretty good .Net implementation of the password store reader on CodeProjecthttp://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Library-in-C-for-NET if you want to extend its usefulness yourself. That said, I now use Keepass and have no regrets: http://keepass.info/ It's also open source but has a much more active dev community around it than SPS, the downloads page has ports to virtually any platform you could possibly want, and there's a well-designed plugin system which lets you do things like near transparently replace the Firefox or Chrome saved password functionality with Keepass. I run a portable instance in a TrueCrypt disk saved on Dropbox so I have online sync without the usual concerns. From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of ILT (O) Sent: Monday, 24 March 2014 12:23 PM To: 'ozDotNet' Subject: RE: [OT] Password hash cracking Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason. Have you see any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms. Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.commailto:ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, March 24, 2014 8:08 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.netmailto:g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletterhttps://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0http://dll.paretologic.com/detail.php/msv1_0.dll only stores half a user's hash in the registry). Greg K Click herehttps://www.mailcontrol.com/sr/MZbqvYs5QwJvpeaetUwhCQ== to report this email as spam. This message has been scanned for malware by Websense. www.websense.com
RE: [OT] Password hash cracking
Nathan, I had never considered Keepass though have seen it discussed etc for years. I have often used TrueCrypt USB 'disks' (sticks) when travelling, I guess what you're doing with a TrueCrypt file on Dropbox is much the same. I would like to see this a bit more automatic as a backup for password database, though. Is anyone using 7Pass? (The WP7 version of Keepass, for which it seems v3.6 is OK for WP7.8 and WP8 - ?) _ Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Nathan Chere Sent: Monday, March 24, 2014 9:29 AM To: ozDotNet Subject: RE: [OT] Password hash cracking I used to use Password Safe and there's a pretty good .Net implementation of the password store reader on CodeProject http://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Lib rary-in-C-for-NET if you want to extend its usefulness yourself. That said, I now use Keepass and have no regrets: http://keepass.info/ It's also open source but has a much more active dev community around it than SPS, the downloads page has ports to virtually any platform you could possibly want, and there's a well-designed plugin system which lets you do things like near transparently replace the Firefox or Chrome saved password functionality with Keepass. I run a portable instance in a TrueCrypt disk saved on Dropbox so I have online sync without the usual concerns. From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of ILT (O) Sent: Monday, 24 March 2014 12:23 PM To: 'ozDotNet' Subject: RE: [OT] Password hash cracking Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason. Have you see any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms. _ Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, March 24, 2014 8:08 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletter https://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of -your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0 http://dll.paretologic.com/detail.php/msv1_0 .dll only stores half a user's hash in the registry). Greg K Click here https://www.mailcontrol.com/sr/MZbqvYs5QwJvpeaetUwhCQ== to report this email as spam. This message has been scanned for malware by Websense. http://www.websense.com/ www.websense.com
Re: [OT] Password hash cracking
Ian I use Password Safe on Windows 8 but not on a phone, and you are right they don't seem interested in a WP8 version. Sorry, I've not seen any comparisons between PWSafe and others. I've been using PWSafe since its very early versions and never bothered looking elsewhere. G On 24 March 2014 11:23, ILT (O) il.tho...@outlook.com wrote: Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason. Have you see any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms. -- Ian Thomas Victoria Park, Western Australia *From:* ozdotnet-boun...@ozdotnet.com [mailto: ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Grant Maw *Sent:* Monday, March 24, 2014 8:08 AM *To:* ozDotNet *Subject:* Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletterhttps://www.schneier.com/crypto-gram-1403.htmlthere is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0http://dll.paretologic.com/detail.php/msv1_0.dll only stores half a user's hash in the registry). *Greg K*
RE: [OT] Password hash cracking
OK, I'm way off-topic here with the WP tangent anyway. What I did find lately was a WP8 [1] and Windows 8 / Windows RT [2] password management application written by Ginny Caughey, called Password Padlock (there's also another of that same name, written by a NZ dev). [1 http://www.windowsphone.com/en-us/store/app/password-padlock/edbf1d8f-7ad5- df11-a844-00237de2db9e ] [2 http://apps.microsoft.com/windows/en/app/password-padlock/de8a7dc4-beb3-4d4 d-8b00-def5cc6a1182/m/ROW ] _ Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, March 24, 2014 10:48 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Ian I use Password Safe on Windows 8 but not on a phone, and you are right they don't seem interested in a WP8 version. Sorry, I've not seen any comparisons between PWSafe and others. I've been using PWSafe since its very early versions and never bothered looking elsewhere. G On 24 March 2014 11:23, ILT (O) il.tho...@outlook.com wrote: Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason. Have you see any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms. _ Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, March 24, 2014 8:08 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletter https://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of -your-passwords/ The hashes in this cracking test were made with plain old MD5, but even ignoring that, it's a sobering reminder of the progress in guessing and cracking hashed passwords. I was surprised to learn that salting the hashes doesn't offer much defence. I was amazed that they were using GPUs for hashing and a graph shows that they're faster than CPUs ... is that possible? After this I think the lessons are: * Schneier suggests you make passwords out of pieces of words and sentences to avoid predictable formats. * Use a more recent and computationally intensive hasher. * Don't let anyone steal your hashes. * Don't store the whole hash (I learned in Russinovich's book that msv1_0 http://dll.paretologic.com/detail.php/msv1_0 .dll only stores half a user's hash in the registry). Greg K
RE: [OT] Password hash cracking
What I do with TrueCrypt+Dropbox+Keepass isn't intended for convenience. If you want automatic backup: Backup Synchronization IO Another Backup Pluginhttp://keepass.info/plugins.html#abp [http://keepass.info/images/plg1xyes.png] Automatically backs up databases. DB_Backuphttp://keepass.info/plugins.html#dbbackup [http://keepass.info/images/plg1xyes.png] Creates backups of databases. DataBaseBackuphttp://keepass.info/plugins.html#databasebackup [http://keepass.info/images/plg2xint.png] Creates backups of databases. IOProtocolExthttp://keepass.info/plugins.html#ioprotocolext [http://keepass.info/images/plg2xint.png] Adds support for SCP, SFTP and FTPS. KeeCloudhttp://keepass.info/plugins.html#keecloud [http://keepass.info/images/plg2xint.png] Adds support for online storage providers. KeePassSynchttp://keepass.info/plugins.html#keepasssync [http://keepass.info/images/plg2xint.png] Synchronize using online storage providers. KeePass Google Synchttp://keepass.info/plugins.html#kpgsync [http://keepass.info/images/plg2xint.png] Synchronize using Google Drive. KPDataSave (Dropbox)http://keepass.info/plugins.html#kpdatasave [http://keepass.info/images/plg2xint.png] Save your database in Dropbox. (from http://keepass.info/plugins.html) As far as I'm aware the plugins for Dropbox and Google Drive are the most popular sync ones, and if you're not being as paranoid as I am you don't need the portable install or TrueCrypt. Just let it sync between your various installs and devices and forget about it. Cheers, Nathan Chere - Software Developer (.NET) SAI Global Property | www.saiglobal.com/propertyhttp://www.saiglobal.com/property From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of ILT (O) Sent: Monday, 24 March 2014 1:20 PM To: 'ozDotNet' Subject: RE: [OT] Password hash cracking Nathan, I had never considered Keepass though have seen it discussed etc for years. I have often used TrueCrypt USB 'disks' (sticks) when travelling, I guess what you're doing with a TrueCrypt file on Dropbox is much the same. I would like to see this a bit more automatic as a backup for password database, though. Is anyone using 7Pass? (The WP7 version of Keepass, for which it seems v3.6 is OK for WP7.8 and WP8 - ?) Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.commailto:ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Nathan Chere Sent: Monday, March 24, 2014 9:29 AM To: ozDotNet Subject: RE: [OT] Password hash cracking I used to use Password Safe and there's a pretty good .Net implementation of the password store reader on CodeProjecthttp://www.codeproject.com/Articles/20892/Password-Safe-Database-Reader-Library-in-C-for-NET if you want to extend its usefulness yourself. That said, I now use Keepass and have no regrets: http://keepass.info/ It's also open source but has a much more active dev community around it than SPS, the downloads page has ports to virtually any platform you could possibly want, and there's a well-designed plugin system which lets you do things like near transparently replace the Firefox or Chrome saved password functionality with Keepass. I run a portable instance in a TrueCrypt disk saved on Dropbox so I have online sync without the usual concerns. From: ozdotnet-boun...@ozdotnet.commailto:ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of ILT (O) Sent: Monday, 24 March 2014 12:23 PM To: 'ozDotNet' Subject: RE: [OT] Password hash cracking Grant, re Password Safe (etc) - I was using RoboForm on $9.95 a year and they have just released a version for Windows Phone 8, but I have let it lapse. I would rather back up my pw database to OneDrive than have RoboForm manage it at their site, for some reason. Have you see any comparison of Password Safe with RoboForm? It seems the Password Safe Sourceforge dev project isn't interested in a WP8 version. I would like to use the same application across the different platforms. Ian Thomas Victoria Park, Western Australia From: ozdotnet-boun...@ozdotnet.commailto:ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Grant Maw Sent: Monday, March 24, 2014 8:08 AM To: ozDotNet Subject: Re: [OT] Password hash cracking Or, just use Schneier's Password Safe program and let it generate all your passwords for you. I've been using it for years and I swear by it. I have hundreds of passwords stored in it's files and they're all long and very complex. http://passwordsafe.sourceforge.net/ On 22 March 2014 16:08, Greg Keogh g...@mira.netmailto:g...@mira.net wrote: Folks, in Bruce Schneier's latest newsletterhttps://www.schneier.com/crypto-gram-1403.html there is a section at the end where he discusses the vulnerability of passwords. One of the links is to this interesting and frightening article: http
Re: [OT] Password hash cracking
Greg, did you follow up on the (promised) article in arstechnica on how to do it properly? I couldn't find one ... Not yet, I got distracted by paid work! I'm still think about a password minder, but I've never looked at them before. Do you cut-and-paste passwords from the minder into the page or app? Does it do that automatically by some magic? Some dialog boxes won't accept a pasted password (the domain login elevation for example). I'll look at the issue when I get some spare time on the weekend -- *Greg*
