On Tue, Jul 23, 2013 at 2:20 PM, Jim Henderson
The data stored in the database (particularly the passwords) are stored using either a well-known strong one-way hash (I forget which one offhand or I'd say), or strong symmetrical encryption algorithms.
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is. If people don't know, a rainbow attack is: take every possible 3-letter password and encrypt it, then save the encrypted version in a database. Then, if you can steal a password database full of encrypted passwords, just do a simple database lookup to find the equivalent 3-letter password. All 3-letter passwords cracked in one fell swoop. Repeat for 4-letter, 5-letter, etc. Rainbow tables can be found pre-built for lots of encryption technologies with 8, 9, 10 or more chars, so no matter how strong the encryption is, short passwords are susceptible to rainbow table attacks.

Another problem is the millions of passwords stolen from companies like LinkedIn. Assume you are a bad guy and you have a database of 20 million unencrypted passwords that have been used by real people. When you build your rainbow tables you might decide: I'll build a table of every possible 7-char or shorter password, and also every 8+ char password in my database of 20 million real passwords.

I repeat, strong encryption solutions don't prevent rainbow table based attacks UNLESS you use long passwords that nobody else has ever used and had stolen (or decrypted). The decrypted issue is important, because let's assume you use the password "Iloveobamamorethanlife"; that's a 22-char password which should be safe, but if someone else used the same password on a system with a weak password, then if it got hacked and the passwords cracked, it might be in the bad guy's database of 20 million known real passwords.

Greg
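As an added illustration (not part of Greg's message or anything from the openSUSE list), the Python below builds the kind of precomputed lookup table described above, covering every short lowercase password plus a constructed "leaked" list, and then shows the check a defender wants: a per-user random salt makes that precomputed table useless, even for the 22-character password that appears in the leaked list. The leaked list, the passwords and the salt are all constructed here.

```python
import hashlib
import itertools
import os
import string

# Constructed stand-in for the breach corpus the post describes
# (real ones hold millions of entries, including long "unique" passwords).
LEAKED_PASSWORDS = ["Iloveobamamorethanlife", "letmein", "password1"]


def unsalted(pw: str) -> str:
    """Plain SHA-256 with no salt: identical passwords give identical hashes."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_lookup_table(max_len: int, alphabet: str = string.ascii_lowercase) -> dict:
    """Precompute hash -> password for every password of 1..max_len characters
    drawn from `alphabet`, plus every entry of the leaked list."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[unsalted(pw)] = pw
    for pw in LEAKED_PASSWORDS:
        table[unsalted(pw)] = pw
    return table


def recover(stolen_hash: str, table: dict):
    """A stolen unsalted hash is cracked by a single dictionary lookup."""
    return table.get(stolen_hash)


def salted(pw: str, salt: bytes) -> str:
    """Per-user random salt mixed in before hashing. The same password now
    yields a different hash for every user, so no table built in advance
    (short passwords or leaked ones) can contain it."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(3)          # 18,278 short passwords + leaked list
    print(recover(unsalted("abc"), table))                     # abc
    print(recover(unsalted("Iloveobamamorethanlife"), table))  # leaked, found
    salt = os.urandom(16)
    print(recover(salted("abc", salt), table))                  # None
```

In practice the salt is stored next to the hash and a deliberately slow KDF (PBKDF2, bcrypt, scrypt or Argon2) replaces plain SHA-256, so that even per-user recomputation stays expensive.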