Excellent post from Matasano’s Thomas Ptacek about secure password schemes and the current craze about Rainbow Tables.
I loved the description of rainbow tables. It’s a jewel of precision and conciseness:
“Now let’s re-explain rainbow tables:
1. take a “dictionary” -- say, of all combinations of alphanumerics less than 15 characters
2. hash all of them
3. burn the results onto a DVD.

You now have several hundred billion hash values that you can reverse back to text -- a “rainbow table”. To use,
1. take your stolen table of hashes
2. for each hash
3. find it in the rainbow table.

If it’s there, you cracked it.
Here’s what you need to know about rainbow tables: no modern password scheme is vulnerable to them.”
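
The quoted steps as a small Python example, added here and not taken from the original post or from Ptacek: it builds the precomputed table over a constructed toy dictionary and looks up unsalted hashes, then shows that a per-user salted PBKDF2 hash, chosen here as one example of a modern scheme, never matches the table. The function names, sample passwords and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import itertools
import os
import string


def build_table(alphabet, max_len):
    """Build steps 1-3: hash every candidate and store hash -> text."""
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            word = "".join(combo)
            table[hashlib.sha256(word.encode()).hexdigest()] = word
    return table


def lookup(table, stolen_hashes):
    """Use steps 1-3: for each stolen hash, find it in the table."""
    return [table.get(h) for h in stolen_hashes]


def salted_hash(password, salt=None, iterations=10_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256.
    The iteration count is an assumption kept low so the demo runs fast."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=10_000):
    """The server can still check a login because it stores the salt."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed sample data: a toy dictionary of lowercase strings up to length 3
# (26 + 676 + 17576 entries) and a constructed "stolen" list of unsalted hashes.
TABLE = build_table(string.ascii_lowercase, 3)
UNSALTED_DB = [hashlib.sha256(p.encode()).hexdigest() for p in ("cat", "dog", "zebra")]

if __name__ == "__main__":
    # "zebra" is outside the dictionary, so it is not found.
    print("unsalted lookups:", lookup(TABLE, UNSALTED_DB))
    salt, digest = salted_hash("cat")
    # Same password, but the salted digest is not a key in the table.
    print("salted lookup:   ", lookup(TABLE, [digest.hex()]))
    print("login still works:", verify("cat", salt, digest))
```
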


