Matthew's comments re reliance on 40-bit encryption for a solid security mechanism are true; however, implement 128- or 256-bit security poorly and you still have the same problem.
The question that I'd like to ask is:
Why is the ICT industry not using stronger password protection mechanisms that have a lower level of risk from rainbow attacks?
Especially when these mechanisms are widely known and code samples available.
An example of such a password protection mechanism is the salted cryptographic hash.
It is widely known enough for Wikipedia to mention that a password "salt" is often used to reduce the effectiveness of rainbow tables.
Ref: http://en.wikipedia.org/wiki/Rainbow_table
Microsoft themselves on MSDN have the following, and several other articles, describing the use of salts to improve the security of stored password hashes.
The referenced article ranks a salted password hash as better security than a hashed or encrypted password.
Ref: Security Briefs, "Hashing Passwords, The AllowPartiallyTrustedCallers Attribute", Keith Brown.
URL: http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/
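The salted-hash scheme the comment refers to, as an added example that is not part of the original comment or of the MSDN article: the unsalted digest beside the salted one, a store/verify pair, and a check that two salts turn the same password into two unrelated digests, which is what makes a precomputed table useless. Plain SHA-256 is used here to mirror the description; the `SALT_LEN` value and function names are this example's own choices.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # bytes of random salt per stored password (example's choice)


def hash_unsalted(password: str) -> bytes:
    """The weak scheme: H(password). Identical passwords give identical
    digests for every user, so one precomputed (rainbow) table covers them all."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """The scheme the comment describes: H(salt || password). The salt is
    stored beside the digest and is not secret; its job is only to make the
    hashed input unique per record."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password: str) -> dict:
    """Build a stored record with a fresh random salt drawn from the OS CSPRNG."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "digest": hash_salted(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(record["digest"], hash_salted(candidate, record["salt"]))


def salt_defeats_precomputation(password: str, salt_a: bytes, salt_b: bytes) -> bool:
    """Same password under two salts yields two different digests, so a table
    built for one salt (or for no salt at all) says nothing about the other."""
    return hash_salted(password, salt_a) != hash_salted(password, salt_b)


if __name__ == "__main__":
    # Constructed demo: two users happen to choose the same password.
    pw = "correct horse"
    print(hash_unsalted(pw) == hash_unsalted(pw))        # True: unsalted records collide
    a, b = store_password(pw), store_password(pw)
    print(a["digest"] == b["digest"])                    # False: salted records differ
    print(verify_password(a, pw), verify_password(a, "wrong"))  # True False
```

Salting alone does not slow down a guess against a single record; in practice the hash step is replaced by a deliberately slow key derivation function (e.g. PBKDF2) with the same per-record salt.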