Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Unsurprising that >95% of the password hashes have been broken. I remember being annoyed when I signed up for LinkedIn (just checked my tweet history - it was 2010/06/10) because they were only allowing 16 characters in the password field.

EDIT: Whoops, guess I should have done some napkin math before claiming that there are rainbow tables that cover that area. /me slaps wrist



I mean... there are surely not rainbow tables that span all 62^16 16-character passwords consisting of alphanumerics only: that is 646,081,519 zettabytes of hashes (62^16 * 128 bits).

There are clearly rainbow tables which span a more useful dictionary of passwords, though--and certainly all the most common passwords.


You are absolutely correct; I should have actually done the 5-second calculation before writing that instead of relying on my flawed memory.

Looks like the publicly available rainbow tables go out to 7 characters with special chars included, which comes out to a much more reasonable 3.2 TB (using 62 chars).


Even if we conservatively assume that you only need lowercase characters, and that you need one bit per password, that's still 26^16 bits = 4.6 ZB, about fifteen times the total capacity of every hard disk sold by Seagate in 2011 (330 EB).


They usually use less than one bit per password.


People here don't know what rainbow tables are. If you asked them to build a rainbow table, you'd get... a table. (You're right.)


Thank you for the contentless comment. Instead, you might consider offering a more interesting algorithm, its tradeoffs, and why it is beneficial to take more computation time?


A rainbow table doesn't store every hash for the password space it's built for. I'm sure you already knew that, but decided to pretend otherwise when calculating the size of one.


But still a good point: Why limit your password length? My online banking is the worst offender that I know. Not only do they insist that the password is no longer than 8 characters, it HAS to be 8 characters. Madness!


I agree, banks having this flawed security is quite frightening!

My bank used to have an 8 character password limit policy, but recently changed it (without announcing it), and I was able to use a 20+ character password. It's worth re-trying once in a while just to be sure.


Good idea, will try it out next time I'm in it.


26^16 ~ 4e22, so no such rainbow tables exist.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: