Thread: News Stories
Old 2013-02-02, 13:56   Link #26142
Dextro
He Without a Title
Join Date: Feb 2008
Location: The land of tempura
Quote:
Originally Posted by SeijiSensei
It's actually pretty difficult to reverse a SHA1 or SHA256 hash. A much more common tactic is to use "rainbow tables" which provide the hashes for common sequences which are then compared against the list of captured hashes to identify matches. Since most people choose poor passwords this technique can find a lot of matches in a short period of time. Random "salts" can make this method less effective, but who knows how good the developers are who wrote the initial hashing function for some web application. With so many high-profile sites being compromised, it makes me think many development teams do not include a security expert in their midst.

RSA has been working on algorithms that cut a password into pieces and store the pieces on separate servers. Most small-time web sites won't go to those extremes, but it ought to be de rigueur for large-scale organizations like Facebook and Twitter which already maintain hundreds of servers.
Yes, that is true if you're looking to hack "right now", but those rainbow tables have to come from somewhere. I was talking mostly about what the end goal of these hacks is, and that is to add more hashes to the pool that ultimately gets cracked and added to said rainbow tables.

Bottom line is: no password is safe indefinitely. Pick good, hard-to-crack ones, don't re-use them, and change them regularly.
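The exchange above turns on one mechanism: a precomputed table of hashes for common passwords matches an unsalted dump directly, while a random per-record salt forces the hash of the same weak password to differ for every user, so the table finds nothing. The script below is an added illustration, not code from either poster; the password list, the user list and the 16-byte salt size are constructed assumptions, and it uses SHA-256 only because that is the hash named in the thread.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of weak passwords; stands in for the "common sequences"
# a precomputed table would be built from.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical input always gives identical output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Hash with a per-record random salt (assumed 16 bytes); returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, expected_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, expected_digest)


def match_against_table(stored_digests: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Return {digest: plaintext} for each stored digest the table already contains."""
    return {d: table[d] for d in stored_digests if d in table}


def compare_schemes(user_passwords: Iterable[str]) -> Tuple[int, int]:
    """Store the same passwords both ways and count table hits for each scheme."""
    passwords = list(user_passwords)
    table = build_lookup_table(COMMON_PASSWORDS)

    unsalted_store = [unsalted_hash(p) for p in passwords]
    salted_store = [salted_hash(p)[1] for p in passwords]

    unsalted_hits = len(match_against_table(unsalted_store, table))
    salted_hits = len(match_against_table(salted_store, table))
    return unsalted_hits, salted_hits


if __name__ == "__main__":
    # Constructed user list: three weak passwords, one not in the table.
    users = ["password", "qwerty", "dragon", "correct horse battery staple"]
    print(compare_schemes(users))  # (3, 0)
```

The salted store still verifies correctly because the salt is kept next to the digest and fed back into the same computation; what the salt removes is only the reuse of work across records, which is exactly the reuse a rainbow table depends on.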