When you log onto a website or server, your password obviously needs to be checked to ensure it is correct. This means the password needs to be stored on the server, which is fine until the server gets hacked and the bad guys have your password. To get around this, the password is stored on the server in encrypted form using one-way encryption. This means it is easy to convert the password into the encrypted version but basically impossible to go the other way. When you log on, the password you send is encrypted and then compared with the stored encrypted version. If they are the same, you are allowed in.
Now let's say you are the bad guy and have managed to get hold of the encrypted passwords and want to find out what the original passwords are. Working the encryption backwards is impossible, so you are left with brute-force methods where you encrypt each possible password and compare it with the list you have stolen. With 6 characters of upper/lower-case alphanumerics there are 5.7x10^10 possible combinations, which would take months or years to calculate. However, various people have already done this and stored the results, which are available online. This data is known as rainbow tables. All the bad guy needs to do is look up the encrypted passwords he has found and the table will tell him the original password instantly, without having to do any work.
Obviously this is a problem, and this is where salt comes in. Salt is an additional set of random bytes which is added to each password before it is encrypted. The salt is stored with the encrypted password and will also be available to the bad guy when he steals the password file. He therefore knows what random bytes to add to the password before encryption, but now he has to calculate all 5.7x10^10 possibilities for each password he wants to crack and can't use rainbow tables to do it.
Now, 5.7x10^10 calculations is a lot but isn't impossible, so if somebody wants your password enough and cracks the server, they can still get it.
To make it harder, you need to make your password longer and more complex.
8 characters helps, but many people use all lower case with no numbers or other characters (;,.><!"£$%^&*) etc.), giving 2x10^11 options.
Upper and lower case increases it to 5x10^13.
Upper, lower and numerical increases it to 2x10^14.
Upper, lower, numerical and other characters increases it to 1.5x10^15.
Personally, I use 12-character passwords made up from upper, lower, numerical and other characters, which gives 6x10^22 possibilities, with a different password for every site. Unfortunately, this is rather hard to remember, so I use lastpass.com to remember them all apart from bank ones.
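As an added example (not part of the original post) covering both the salt explanation and the keyspace arithmetic above: a per-password random salt stored beside a slow one-way hash, so two users with the same password get different stored records and a precomputed table is useless, plus the combination count a brute-force search must cover. The record format, the 16-byte salt and the PBKDF2 work factor are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor assumed for this example; a slower hash multiplies the cost
# of every one of the 5.7x10^10 (or more) guesses the attacker must make.
PBKDF2_ITERATIONS = 200_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force search must try: alphabet^length."""
    return alphabet_size ** length


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex' (assumed record format).

    A fresh random salt is drawn per call, so it differs for every user,
    even when two users pick the same password.
    """
    if salt is None:
        salt = os.urandom(16)  # stored in the clear next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the one-way function with the stored salt and compare.

    hmac.compare_digest avoids leaking how many bytes matched via timing.
    """
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """True when salting makes two records for one password differ."""
    return hash_password(password) != hash_password(password)
```

keyspace(62, 6) reproduces the 5.7x10^10 figure from the text; keyspace(26, 8) and keyspace(62, 8) give the 2x10^11 and 2x10^14 figures.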