Cracking passwords using 500GB tables
Most web sites are protected by passwords that have been transformed into long hashes using presumably one-way functions. You enter a password like “cat” and the hashing function translates this into a unique and long string of characters like “FEAFjelaKFJAOWI0382lFKEFKJ…” If you store only the hash (the transformed password) into the database, crackers who read the hash strings still can’t generate the original password because the reverse operation, going from long hash to original password, takes a long long time.
The Register has an article on the use of “rainbow tables”, massive tables of precomputed hashes, to quickly crack passwords encoded using six hash algorithms including web site favorites MD5 and SHA-1. But note that rainbow tables are useless if you use a salt (initialization vector) which appends some known random bytes to the password. If you use a salt, the reverse operation now has to handle two different strings and the operation becomes much more difficult.
Ruby on Rails users: Use salted password modules such as the nice one available with the new Rails engine. It doesn’t make sense to use unsalted passwords when it’s fairly easy to implement the fix.
