#320 Google+, Samsung 4G Hotspot, Auditri, YouSendIt, Entropy, Salting Hashes

More on Google+ and how I was wrong about photo sharing, don’t buy the Samsung 4G LTE Mobile Hotspot, plans for a Novatel 4G hotspot, and Ken Wolf’s review of Auditri from mauriciosantos.net to convert AAC files to mp3. In Dumb Question Corner Sandy asks what qualifies as an “authorized computer” to share a Lion download, and Allister Jenks asks for services to send large files now that iDisk is on the chopping block and I suggest Dropbox and YouSendIt. In Chit Chat Across the Pond Bart corrects me in my correction of Steve Gibson his use of the word entropy with passwords, and neither of us give on our positions, so Bart explains salting your hashes in security.

Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday July 10th, 2011 and this is show number 320.

Google+

You’ve probably been hearing a lot about Google+ in the last week, and there’s a reason for that – it’s pretty cool. I gave you my first impressions about it on the last show, but after using it for a week I want to give you a bit more information. Last week I said that I was worried photos wouldn’t be any good because you could only use Picasa web albums, and there was no way to tag like in Facebook. I couldn’t have been more wrong. Turns out doing photo albums is too easy. All you do is drag photos from whatever application they’re in or your desktop right into a post on Google+, and an album is magically created. no browse to photos nonsense here. When you click on a photo, you can tag it, make a comment, all the good stuff.

I’m finding that I’m checking Google+ even more than I’m checking Twitter, and that’s saying something. I’m sure it’s because it’s the new shiny toy, but I can say Facebook is really slipping for me. Here’s an interesting measure – there are more people in my NosillaCastaways Circle than have joined the NosillaCast Facebook group, and it’s been up three times as long. Now to be honest, you voluntarily sign up for the Facebook group. You get to be in the NosillaCast Circle on Google+ if you put me in a circle first and I see that you’ve also included people like Victor Cajiao, Katie Floyd and Ken Ray, then you get into my NosillaCastaways Circle.

I mentioned last week that Google+ has a feature called Hangout where you can video chat with up to 10 people. Basically you start a Hangout, you can invite specific people or one ore more circles of people. I’m not exactly sure how they get notified, I think you have to be just sitting there at your browser watching the stream to notice someone opening a Hangout. Anywho, I was REALLY frustrated because I simply was unable to start or attend a Hangout, every time I tried I got immediately kicked out with an error telling me that my Google Chat Plugin had bombed out and would I like to report it. Finally today I searched for how to UNinstall the plugin, found the uninstaller buried deep in the system level Library/Application Support folder (which is a nutty place for it IMHO). Once I uninstalled, I tried starting a hangout which triggered the reinstall of the plugin and it fixed the problem. Steve and I started a plugin, and before long we were chatting away with Jenna Duffy, Mark Dalton, Paul Shadwell, Andy McCaskey and Kevin Allder. We had great fun, Andy hadn’t met the rest of the gang before so we enjoyed getting to know each other a bit better. I took a screen shot where Mark was showing us a cool LED lighting attachment and put that in the shownotes.

One thing to note is that whoever is talking gets a big video on screen and the others are in a small row underneath. However you can simply click on someone and keep their video big, which is what I did during Mark’s demo. We also experimented with the built in chat, which worked brilliantly by making a little ringing noise so you knew to look at it. That did throw Andy for a loop at first – it was his second day in Google+ and he thought maybe his gmail was sending him a message. There’s another odd feature to the live video chat called Hangout, you can play a Youtube video for everyone to watch. I use the term “everyone” loosely because we got very inconsistent behavior. If I shared a video, each person had to click to watch it, but not everyone got the request to permit watching so they never got to see it.

Another problem was that if you try to switch your camera during a session, which it lets you do, you’re immediately kicked out of the Hangout. That was kind of lame. We do need to keep in mind how young this is, and think about how well it’s working in spite that. If you’re not in Google+ yet, it’s worth taking a look at it – if you need an invite just shoot me an email and I’ll get you in. Invites aren’t too hard to get but If I can help, I’d be glad to.

Smile

Every week when I start working on the podcast for the new week, I create a new snippet in TextExpander. I do a LOT of image insertion into the shownotes, and every single html link must have the following in it: https://podfeet.com/NosillaCast/. That’s boring to type, and error prone for sure, and it saves me 26 characters for EVERY image I insert. Throughout the week it’s just an instinct to add the subject of the week to TextExpander too – like I type g p ; to get Google+, mostly because it’s annoying to have to type the +. Later in the show today I’ll be talking about Dropbox, and of course thats d b ; . I only save 4 characters on that one, but I wrote Dropbox 13 times in the article so I saved 52 characters on that one word! That’s nearly a minute for one word in one article. You may think you don’t need TextExpander, but you really would find it amazing for time saving, repetitive stress saving, and it’s just fun to hear that little pop when it fills in a word or even a complex phrase for you. I can’t stand typing on a Mac that doesn’t have TextExpander on it – lucky for us TextExpander even supports Dropbox syncing (there’s 4 more characters saved) so you can have all your snippets stored on all your Macs. If you’re a slider, you can get the parallel product for Windows called Breevy from 16software.com and sync snippets back and forth between it and TextExpander through Dropbox. I really hope you’ll go over to smilesoftware.com and check out the free trial, try out their other great products, and be sure to tell them you heard about it on the NosillaCast. (I have a snippet for NosillaCast too. and NosillaCastaways…)

Samsung 4G LTE Mobile Hotspot

Have you ever really wanted to love a gadget but it just misses the mark so you can’t recommend it? that’s the way I feel about the Samsung 4G LTE Mobile Hotspot. You’ve heard me talk for years about the Verizon Mifi 2200. It’s a tiny little device about the size of two credit cards in thickness that receives a 3G cell signal and then spits it back out as a wifi signal. It’s been one of the best devices I’ve ever had giving me internet access for PCs and Macs and iPhones anywhere I could get a 3G signal.

But then I got tempted, I heard there were 4G devices out there. I got a a Samsung 4G LTE Mobile Hotspot. It’s got everything the original Mifi had but at incredible speeds. My first speed test showed 15mpbs down…AND UP. Seriously. I thought it was a fluke, but whenever that green light was on showing 4G I’d get that kind of speeds.

But. Sometimes I get 4G, sometimes I don’t…in the exact same location. That was weird. But that’s not the bad part. The first Samsung hotspot I got would simply not hold a wifi signal. It would be showing 4G just fine, but would drop the wifi connection. What a big tease is that? So I returned it and got a replacement unit. The new one connects to 4G (consistently at least in the same place) but after say an hour, or less, it will simply lose the connection entirely. I have to keep kick starting it to keep it going. I’ve only used it once without having it plugged into USB, because the battery lasted a grand total of 40 minutes. I hoped it was a fluke, but tested again, and got 40 min. I can live with that on my Mac or PC since I can just plug it in, but if I needed it for the iPad that sure wouldn’t work for me. The old miff worked for 4 hours – I’d rather have 4 hours of 1mbps than 40 min of 15mbps!

I love the wicked fast speed as much as the next guy but the Samsung 4G LTE Mobile Hotspot is not a device I can recommend. The good news is I’m sending that one back too and getting the Novatel version to test. Even if it’s as wonky as the Samsung, it has one feature the other units I’ve tested lack, and that’s a battery indicator! That would be really helpful. Stay tuned – hopefully there’s a 4G unit out there that can meet our requirements.

Ken Wolf’s Review of Auditri

Hi Allison, This is Ken Wolf from Manhattan Repertory Theatre in New York City with a review of an audio converter called Auditri. This application saved my proverbial bum, and it made me look really smart. I like that.

Let’s start with the problem that needed to be solved. This past July 4th weekend, we visited my girlfriend Jen’s parents for the holiday. They had just recently leased a BRAND NEW CADILLAC ESCALADE which is an awesome, awesome vehicle. It has a 403 Horse Power 6.2 liter Vortec V8 VVT Engine. It has these crazy Xeon Hi – Density Discharge Lights and Wild Halogen Fog lamps, Hydramatic 6 – Speed Automatic Transmission with Driver Shift control, a TRI-ZONE automatic climate control and believe it or not, Allison, it has a REFRIGERATOR in the glove compartment to keep drinks cold and sandwiches fresh. It has A REFRIGERATOR!!!! Awesome!

Now it also has a BOSE 5.1 Surround Sound system which sounds INCREDIBLE, but sort of like your Acura from this past weeks podcast – there is no adapter for IPOD. Nothing. What? This is a 2011 vehicle. NO IPOD adapter. Whoa Whoa Whoa Whoa Whoa! Wait a second! This is what it has. This is unbelievable. It has a usb hub so you can put your music on a FLASH DRIVE. Wait a second!!

Well, my girlfriend’s father is a wonderful guy, but not that tech savvy so he asked me if I would put some music on a flash drive that he just bought recently for the car. I said sure. NOT LETTING HIM KNOW HOW CRAZY INCENSED I was that there was NO IPOD adapter. I figured setting up the flash drive would make me look really good to him and the family. And heck, who knows, he may be my Father – in – Law one day.

A number of years ago, we bought an Imac for Jen’s parents, and at the time, they bought a whole bunch of music through ITunes so I copied about 150 tracks hand-picked by Jen’s Dad on to the Flash Drive. I ejected it and then ran to the Escalade and plugged it into the USB hub. Turned the BOSE surround sound system on, switched to the AUX button, and…. nothing happened. The system failed to recognize the files. WHAT?

So I checked the manual. The FLASH DRIVE PLAYER only played mp3 files. Mp3 files are so yesterday. This BRAND NEW CADILLAC ESCALADE FLASH DRIVE BOSE 5.1 SURROUND SOUND SYSTEM didn’t register or acknowledge AAC audio files! Whoa! Whoa! What a second. AAC files are what are downloaded from Itunes today.

SO HERE IS THE PROBLEM THAT HAD TO BE SOLVED! Was there someway to convert the AAC files to mp3s so I could save the day, and look super geeky cool to my girlfriends family?

So I ran to the IMAC which was still running TIGER. ITunes could not convert AAC files to mp3s. Oy!

So thankfully, I brought my Mac Book Pro with me that was running Snow Leopard. I opened ITUNES and UGH, there was no way that I could find to convert AAC files to mp3s. Man, this was going to be humiliating. I had to solve this one.

So I got on the Mac Appstore and I found an inexpensive audio converter called Auditri created by a developer named Mauricio Santos and it worked like a charm. Auditri effortlessly and quickly converts AAC, MP3, WMA, Ogg Vorbis, Apple Lossless, FLAC, AIF, and WAVE files to AAC, MP3, WMA, Ogg Vorbis, Apple Lossless, FLAC, AIF, or WAVE files or any combination thereof. I simply dragged the AAC files into the simple interface, from the drop down menu chose mp3, pressed a little round button that said START and minutes later the files were converted to mp3s and placed in the folder of my choice, which I then copied to the CAR FLASH DRIVE. And the files played like a dream. And I looked GEEKY COOL to my girlfriends parents. YES!

We love it when technology works. And the good news is Auditri is only $3.99 cents from the Mac APP store. 4 bucks to look GEEKY COOL. So check out Auditri. It is simple, cheap and it works.

Now it is probably best to wait another year for the Cadillac Escalade. Driving around with a FLASH DRIVE for an IPOD is so not GEEKY COOL.

This is Ken Wolf from Manhattan Repertory Theatre in NEW YORK CITY. In theatre, as with the Mac, PLAY IS THE THING!

===================
What a great story Ken! I guess I don’t feel so bad that my 6 year old Acura didn’t come with an iPod adapter if a brand new Cadillac didn’t either! this sounds like a very cool tool, sounds like it solved your problem precisely. I hate to tell you this, but iTunes CAN convert files from AAC to MP3, but I’m guessing not nearly as elegantly as Auditri.

This is a tricky step and not in the least bit obvious. Open up iTunes, Open Preferences, and stay on the General Tab. Down towards the bottom you’ll see a section talking about what to do when you insert a CD. Of COURSE you’d look there if you’re trying to convert AAC into MP3! I can’t believe you missed it.

Next to that it says Import Settings. click that and you’ll see the options to change how CD’s are imported. if you’re an audiophile, you want to keep this set to some extreme conditions like the Apple Lossless Encoder, but since I use it ONLY to convert uncompressed AIFF audio to compressed audio, I keep mine set to MP3 encoder and I set the details to a low bit rate. Again I keep it in a different condition than someone who really cares.

Oh wait, this wasn’t about me. Here you are with your AAC files in iTunes, you want to set this to MP3 and set the details to something high quality. Once you have this set up to how you want the files to be in the end, say OK a couple of times. Now right-click once on an AAC file you want to convert to MP3. You SHOULD see in the list of options, “create MP3 version”. If it says anything else, like create Apple Lossless, then you missed one of the earlier steps I described – go through them again until create MP3 shows up here. Now it will create a duplicate file in the MP3 format.

While I was playing this for the live chat room, Mark Greentree, aka everydaymacsupport pointed out that you can actually put an iPod into disk mode and plug it right in via USB to the Escalade!

Now I thought at first that I’d be very clever pointing this out to you, that you clearly have money to burn if you have $3 to waste like that…until I wrote up this explanation and realized that at minimum wage, you’d probably spend about $40 doing what I described! So I’m backing your recommendation for Auditri from mauriciosantos.net/.

ScreenSteps

I never thought of myself as a teacher during my career, but one product has brought out that inner desire for me, and it’s called ScreenSteps. I have always loved to share what I know but it was never in a form that actually helped the person. It was fun to tell them I knew how to do something, but to teach them was always tedious, and they’d forget what I told them and then I’d be impatient with them the 2nd and 3rd time. When I first started using ScreenSteps I found myself actually WANTING to document things so I could share them out and make people only ask me a question once. Even if you’re the kind of person who doesn’t like to help others, this might be just what you’re looking for because people stop bothering you when you give them great instructions. Worst case you just keep mailing them the PDF instructions you created when they forget you already told them.

I’ve probably created more than a hundreds lessons over the past year and people love them. This week during Chit Chat Across the Pond you’ll hear about more than one person telling me something I didn’t know – and two of them were kind enough to include ScreenSteps directions on how to do it! one person even used the free service ScreenSteps.me, which gives you free web storage and a url to mail people so you don’t even have to mail them a PDF, all they have to do is click a link. You get all of this for $40 for the Standard version and when you realize you love to teach too, you can jump up to the Pro version for $40 more. If you do this for work, $80 is chump change. You can even share ScreenSteps package files if you share training responsibilities with other people at work.

You can download a free trial at ScreenSteps.com and be sure to tell them you heard about it on the NosillaCast!

Dumb Question Corner

Sandy wrote in:

Hi Allison, I have a question — one I think truly qualifies for Dumb Question Corner. I’m hearing that we’ll be able to install Lion on all of our “authorized” computers with a single purchase in the Mac App Store. Okay, so what qualifies as an “authorized” computer?

For example, I have a MacBook Pro registered in my name, and my husband has a MacBook registered in his own name. Is there some way to make them both authorized for this, or am I going to have to buy Lion twice for our two computers?

Thanks — yours is my favorite tech podcast! Sandy

Aren’t you nice Sandy! thanks!

I think what really matters here is that you authorize each computer to use one Apple ID. The Mac App Store allows you to log in and out of the app store using different accounts at will. So let’s say you log into the MAS as Sandy, and then buy Lion. Then Mike goes to his Mac and launches the MAS, he’s probably logged in as himself. If he does a search for Lion, it will say “buy” next to it.

But if he logs out, logs in with your credentials, now when he looks at Lion in the store, instead of saying “buy” it will have changed to “install” and no charge will be incurred when he does this. It may ask him to verify the security code the credit card you have connected to your Apple ID because this new computer hasn’t been associated to this account before. I think that only happens the first time. In this way you can actually share apps on iPhones, iPads, etc. as well as Macs.

Isn’t it marvelous that we use an operating system where we’re trying to figure out how to pay $15/machine instead of $30…when the competition sells their operating system for $200 per license?

Here’s another “dumb” question from Allister Jenks. He asks:

Hi Allison – You may know the answer to this but I bet many of your listeners will have answers too. I would appreciate if you could ask on air.

My brother is a graphic designer and he often needs to send large files to clients securely. To date he has been using iDisk (which I am personally not familiar with). With iDisk on the chopping block, he’s looking for alternatives. He needs to be able to send large files (hundreds of megabytes in size) to specific clients with strong enough security to protect commercially sensitive information within. He cannot rely on the clients installing any software as many are inside large corporations where such activity is often blocked.

In a nutshell I think he needs a trustworthy web service which will deliver a file through a link, which requires a password to access. I know such services exist but have no idea how well any of them work, so am looking for recommendations.

Any suggestions welcomed. Thanks, Allister

The great news, Allister is that there are actually some good alternatives out there. The first two that come to mind are Dropbox and YouSendIt. With both I think you will want to advise him to encrypt whatever he sends through either service because you pretty much have to assume everything is crackable/hackable and if you really want it protected, encrypting it on your end first is the only way to go.

Dropbox is an interesting service. You create a free account, then create folders and you share those folders with different people. He can have one folder for each client, and share them directly to only those clients. They show up as regular folders on his machine, but whatever he puts in the shared folder lives in three places: on his own machine, in the cloud on Dropbox’s servers, AND on the client’s machine. If the client then removes it from his/her Dropbox folder, the copies on the cloud and on your friends machine both disappear. For that reason, caution him to always put a copy of the file in Dropbox, not his only version.

Now for the tricky bit – encrypting the files so prying eyes can’t get to them. There’s a great tutorial on iphoneanswers.net (direct link in the shownotes) on how to create an encrypted disk image using Disk Utility that lives in your shared Dropbox folder. Your friend would open the Dropbox folder, open the disk image (enter a password that he has set) and then drop files into the disk when it mounts on his desktop. The client would do the reverse, open the Dropbox folder, mount the disk and pull the files out – as long as he/ she has the password that was attached to the encrypted disk in the first place. I tested this out with Steve, and it works. It’s kinda clumsy, would be easier if you could just encrypt the file itself. I found some links to tools that would do the encryption for you but this was all free.

Dropbox is free for up to 2GB and you can get more space if you’re willing to pay. It’s available at dropbox.com.

Another option people seem to favor is called YouSendIt at yousendit.com. This might be a little bit easier for the clients to grok – you send a file from your email address to theirs (it can be an encrypted disk image) and when they receive the email they just click to download the file. They would still need to enter the password to open the disk image. YouSendIt is also free for up to 2GB and you can pay to have more space.

I’m betting that our listeners have more solutions to offer, I hope you’ll send them in guys if you have favorite services. Let us know why you like them, why they might be preferred over Dropbox or YouSendIt. Hope that helps, Allister.

Chit Chat Across the Pond

Security Lite

• FYI – next Tuesday is Patch Tuesday:http://www.microsoft.com/technet/security/Bulletin/MS11-jul.mspx
• Reports of Un-patched PDF vulnerability in iOS – only protection is to be wary of opening PDFs from untrusted sources on your iPhone/iPad/iPod Touch: http://blog.intego.com/2011/07/07/iphone-pdf-vulnerability-creates-security-risks-allows-easy-jailbreaks/

Follow Up to Albert’s Dumb Q from Last week

Allison – you mocked Steve G for his use of the word entropy, but he was 100% correct in his use the word! It does have a meaning in thermodynamics like you said, but it ALSO has a rigorous meaning in Information Theory, where it’s a measure of randomness!

“Entropy is a measure of disorder, or more precisely unpredictability” –http://en.wikipedia.org/wiki/Entropy_(information_theory)

“Entropy is a thermodynamic property that can be used to determine the energy available for useful work in a thermodynamic process” –http://en.wikipedia.org/wiki/Entropy

If you have a brain for math and really wan to know why the two types of enthropy are not actually as different as you might think, here’s the answer:http://en.wikipedia.org/wiki/Entropy_in_thermodynamics_and_information_theory

BTW – Steve’s big insight is that entropy isn’t what’s important as long as your PW is not in a dictionary, what matters is the size of the search space your password is in, that’s what determines how much brute forcing is needed.

To ACTUALLY answer Albert’s Question 🙂

BTW Bart was NOT the first to race back with an answer:

Rod Simmons, Pat Dengler, BJ Wanlund (who even did a ScreenSteps for me on it), Will P, Connor P and Hecktor Tamez (first ever email to the show) all wrote in to Allison before Bart wrote these show notes

If you have any Mac on a wifi network, you can read the password for it out of your OS X keychain using the Keychain Access app (Applications->Utilities->Keychain Access). Open that app, be sure that the keychain selected is “Login”, and set the category to “All”, then in the search box at the top-right start typing in the SSID (name) of the wifi network you want the key for, it should show up in the list. Double-click on it, then check the checkbox “show password” and enter your login password when prompted for it, then hit “allow”.

Any password you save on your system using the standard OS X mechanisms is saved here, and this file is encrypted (using your login password), keeping the passwords and certificates etc it contains secure even if your laptop is stolen. This is one of the few things that makes Safari better than FireFox or Chrome, it stores your web passwords safely in the Keychain.

Main Topic – Salted Hashes?

Something you often hear people talking about is adding salt to a hash, so what’s that all about?

First, lets remind our selves of what a hash is, it’s a one-way function that turns content of any length into a fixed-length piece of gibberish. The whole point is that these functions are one-way, so it’s easy to turn the original content into a hash, and effectively impossible to go the other way, and get back the original content from the hash. What are they used for? They can be used for error checking, and as part of a digital signature, but as also commonly used as a way of storing passwords without actually storing them. It’s this last context where salt is generally used.

Reminder – how un-salted hashes are used for authentication:

Step 1 – user asked for a password when creating an account

Step 2 – this password is sent to the server when the form is submitted

Step 3 – the server takes that password and hashes it, then ONLY stores the hash

When a person wants to authenticate to the server later, this is what happens:

Step 1 – the user fills in their password on the login form

Step 2 – the password is submitted to the server when the person presses the login button

Step 3 – the server hashes the password it was sent, and then compares it to the hash it saved when the account was set up – if they match, let them in, if not, return an error.

This setup is used all over the net, and the hashing algorithm used is generally one of a small number of common hashing algorithms, MD5 was popular a few years ago, now SHA1 is very popular, and in the future expect to see much more SHA256 and SHA512. Since hashes are one-way functions, this setup seems secure. BUT, there is one avenue of attack open, so-called Rainbow Tables.

What is a Rainbow table? It’s a database of pre-computed hashes. Using the same sort of algorithm to cycle through possible passwords as a password cracker does as input, you calculate the hash for each possible password, and store it in a database along with the pain-text the matches it. This is a very time-consuming process, and the DB generated was, until recent times, prohibitively large, but it only has to be generated ONCE for every hashing algorithm.

Using either distributed computing techniques ala SETI @Home, or massive server farms, you can generate a rainbow table for all possible passwords up to say 20 characters in a reasonably quick time, say a few months or perhaps a year, then, you have your table for ever more! The cost of generating the table is immense, but you don’t have to repeat it, so it’s a worth-while investment for anyone who makes a living hacking things.

And of course, the internet is full of pre-calculated rainbow tables for all the common hashing algorythms, so you don’t even have to calculate your own any more! You can even get open source bootable images like OPH Crack that have rainbow tables in them, and when booted on a system will look through the Windows user database and look up all the hashes in the rainbow table and display the passwords of all users who have logged into that machine. Tools like this are invaluable when you work in IT and people forget their passwords, but they are worrying from a security point of view!

The effect rainbow tables have is to provide a reverse lookup for hashes in a limited case. There is no such thing as a rainbow table for every possible hash, but passwords have a very limited set of possible characters, and a practical length of less than 20, so even if you let them go to 64 characters and be mixed case alpha numeric with symbols, you still have a finite set of possibilities that you can calculate a rainbow table for in a practical amount of time.

So how do you protect your hashed passwords from rainbow tables? You salt your hash!

Up till now we’ve been looking at the simplest form of hashing functions, where you have one input and one output, but the modern hashing functions can, if you wish take TWO inputs, the content to be hashed, and a key, which is generally called a salt. This key will change the outcome of the hash, so if you hash the same password using different salts you get different outputs.

The effect this has is that you need a second rainbow table for every possible salt. Since a salt can be a massive string, and since calculating even one rainbow table takes months, calculating the trillions of rainbow tables for even just the possible salts under 8 characters is utterly impractical, let alone calculating the rainbow tables for all salts up to 256 characters! Also, the storage needs for such a massive array of rainbow tables would be astronomical.

If you are security conscious, then you should set your own random and long salt on your website, so that your password hashes can’t be looked up in a standard rainbow table. You can’t change salts mid-stream though, the salt used when storing the password HAS to be the one used when comparing that password to the one given at account creation. This means that your server has to store the salt it uses or it can’t authenticate people. This makes it likely that any bad guy who hacks into your server and steals your users database will also have the salt. However, to do anything with that salt that would have to generate a custom rainbow table that will ONLY be valid for that one password database. That places a MASSIVE burden on the attacker, and means that only the most well resourced attackers could afford to do such a thing, and even then, only on the most valuable possible targets. For 99.9% of sites on the net, salting your hashes makes your passwords un-economically expensive to crack.

If you wanted to make things REALLY hard for the attackers you could use a separate salt for each user on your system, and store the username, hashed password, and salt for each user. That would mean an attacker would have to generate a separate rainbow table for each and every user on your system!

Oh, and after recording with Bart I read the latest comments on the blog, only to find that Donald Burr had ALSO created a ScreenSteps showing how to find your wifi password in Keychain, and he used screensteps.me. Thanks everyone who stepped in!

That’s going to wind this up for this week, many thanks to our sponsors for helping to pay the bills: ScreenSteps, and Smile. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter at twitter.com/podfeet. If you want an invite to Google+ be sure to email me your email address so I can invite you in. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time. Thanks for listening, and stay subscribed.