Thanks for all the responses everyone! But, isn't the point of BKDF2-HMAC-SHA1 in 1Password that it's a 320 bit key, that he reduced down to only 160 bits? Unless I'm totally missing something here, it doesn't much matter if the password you are attacking is 6, or 7, or 8 or 50 characters long, you'll still need to attack all 160 bits, right? (Ignoring rainbow tables, or hashing on password dictionaries, etc., in other words, just brute force cracking). Am I being stupid?