Ask Leo! #498 – Login backgrounds, the current confusing state of TrueCrypt, and more…

"on their own computers, at extremely high speed, they can literally try every possible password." Wouldn't it be more common that the hackers would use rainbow tables (tables containing the hashes of pre-generated password/hash combinations). as it seems like a brute attack on a database would take millions or billions of years to get a few passwords.

Using a salted hash (sounds like a generic name for Spam :-) ), which to my understanding is kind of a double encryption, would defeat the rainbow tables, or at least slow the hackers down considerably to give the victims of the hack time to change their passwords before the passwords are cracked.

Rainbow tables(*), for purposes of this discussion, can be considered "trying all possible passwords". :-) Also, rainbow tables become impractical once again as the password length increases (I think even hitting 9 characters might be enough, but 10 for sure - for now). Brute attacks for all possible 8 character passwords are very doable today even without rainbow tables. And let's face it, it's a kind of brute force attack that generates a rainbow table, after all.

Salted hashes eliminate the usefulness of rainbow tables, unless the salt(**) can be determined. A good salt is most definitely best practice.

(*) Rainbow table: a simple table of all hashes for all possible passwords. Compute the entire table once for each common password hashing method, and rather than trying every possible password you simply look up the hash in a rainbow table to determine the password that goes with that hash. Impractical for long passwords, hence another reason for long passwords.

(**) "Salt" is something that's added to a password before it's hashed, thus changing the resulting hash. For example if you provide password 1234 and the system adds a salt of "askleo" then the string that gets hashed is "1234askleo" which is different than the hash for plain old "1234". As long as the salt (which can also be algorithmic rather than static) is kept secret, then the attackers don't really know the entirety of your hashing algorithm, thus making the brute force attempt significantly more difficult.

You mention that the computer receiving your login converts your password to a hash and then compares subsequent logins to this hash. You say that you cannot get the password back from the hash.

How then can, can such sites email you back your password if you forget it?

I know that some sites enforce a password reset in such situations, but not all.

I recently registered with a competition web site and they sent me a confirmation email with my ID and password there in plain text for all to see !!

Very simple: If a site can actually mail you your password back, then that site is doing security wrong.

I agree with all Leo says on the subject, but like to add this: in parallel to image backups with Macrium etc. it is a good idea to make extra backups of your data on one or more external small disks (300GB drive with usb-interface for instance):

- projects at hand,

- personal photos,

- email history,

- anything else you never want to lose.

The key to simple management of these data is to keep them well-organized in one or a few directories. For each backup you just create a new directory on the external disk, e.g. BU_ABCD_yymmdd, where ABCD is your computer ID (so you can backup data from more than one machine on the same disk), and use the file explorer to copy the directories into it.

It's fast, simple, effective, and you have the data in the original format, the same format they have on your machine.

I recommend this not as an alternative to total backup, but as a procedure in parallel. It's great for your peace of mind, for there will never be the question if your data are there and accessible to you.

And for the record, not only do I endorse this, but I do this. Except rather than external hard disks I use cloud services like DropBox. This way my current work is always quickly accessible regardless of where I am, and backed up off-site.