(03-03-13, 05:26 PM) goldfazer Wrote: Why don't these sites encrypt the passwords. It ain't rocket science!!
Hi,
Unfortunately encryption doesn't really solve the problem. You can pretty much guarantee they have hashed their passwords using an MD5 or SHA algorithm, mostly SHA-256 in this day and age.
The issues arise when you have an entire database of hashed passwords, you can be certain that a dictionary attack will weed out thousands of the more simple passwords within seconds.
For example, let's say your password is "lexicon", which hashes (via MD5) into "42d48e292d15d4fd85050e15e00ad591".
That is an encrypted password, but inevitably a dictionary attack will attempt the word "lexicon" and as the hash matches the password hash in the SQL database, your password has been discovered.
Due to computational requirements it's generally not worth the time to attempt to find a single user's password, but when you have an entire database of hashed passwords, you can be sure a dictionary attack will turn up results within seconds. However, it would be almost impossible to retrieve all the passwords in the database, unless they were all ridiculously simple. The time required for a full brute-force attack would likely be in the range of a few centuries/millennia.
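As an added illustration of the point made above (this is not code from the original post), the following Python runs a word-list check against a constructed table of unsalted MD5 hashes, as the post describes, and then against the same passwords stored with a per-user salt; the account names, passwords and word list are all made up.

```python
import hashlib
import os

# Constructed sample data (not from the post): four accounts, three of them
# protected by plain dictionary words, one by a string no word list contains.
USERS = {
    "alice": "lexicon",
    "bob": "sunshine",
    "carol": "x9#Qv!2pLm@7Rz",
    "dave": "password",
}
WORDLIST = ["123456", "password", "lexicon", "sunshine", "dragon", "qwerty"]

def md5_hex(text, salt=b""):
    """MD5 hex digest of salt || text; salt is empty for the unsalted scheme."""
    return hashlib.md5(salt + text.encode()).hexdigest()

def build_unsalted_db():
    """The scheme the post describes: one bare MD5 per user."""
    return {user: md5_hex(pw) for user, pw in USERS.items()}

def build_salted_db():
    """Per-user random salt stored next to the hash (the salt is not secret)."""
    db = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        db[user] = (salt, md5_hex(pw, salt))
    return db

def dictionary_attack_unsalted(db, wordlist):
    """Hash each word once, then look every user up in that table.
    Cost is len(wordlist) hashes regardless of how many users leaked."""
    table = {md5_hex(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in db.items() if h in table}
    return recovered, len(wordlist)

def dictionary_attack_salted(db, wordlist):
    """The salt differs per user, so no shared table exists: every word
    must be rehashed for every user. No early exit, so the count is exact."""
    recovered, hashes_computed = {}, 0
    for user, (salt, h) in db.items():
        for word in wordlist:
            hashes_computed += 1
            if md5_hex(word, salt) == h:
                recovered[user] = word
    return recovered, hashes_computed
```

With this data the unsalted table gives up three of the four passwords after only 6 hash computations, while the salted table needs 24 (6 words for each of 4 users) and cannot be attacked with a precomputed lookup table at all. That is why the fix is a salted, deliberately slow password hash rather than encryption.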