Interesting, easy-to-understand[1], and relatively thorough explanation of password-based security and the algorithms, shortcuts, and heuristics used to defeat it.


  1. Except for the bit on rainbow tables—my understanding was always that they were just pre-computed lookup tables linking hashes with passwords that generated them. I’ll confess I had trouble following the explanation of using chaining to save space. I think some clarity was sacrificed for the sake of brevity there.
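Since the footnote is about the chaining trick, here is an added toy rainbow table that makes it concrete. This is example code written for this post, not code from the linked article or from its author. It assumes an unsalted SHA-256 hash, a deliberately tiny password space (three lowercase letters), and made-up table parameters (chain length 50, 200 chains) chosen so it builds in well under a second; real tables use the same structure with far larger numbers. The point it shows: the table stores only the first and last plaintext of each chain, yet any password a chain passed through can still be recovered by re-walking that chain.

```python
"""Toy rainbow table: store chain endpoints only, rebuild chains on lookup.

Added illustration, not the linked article's code. Parameters are
toy-sized assumptions so the whole thing runs offline in a moment.
"""
import hashlib
import string
from typing import Dict, List, Optional

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17576 candidate passwords (assumed toy space)
CHAIN_LEN = 200 if False else 50   # plaintexts covered per chain (assumed)
NUM_CHAINS = 200                   # chains stored (assumed)


def H(password: str) -> bytes:
    """Unsalted SHA-256: the kind of hash a precomputed table can attack."""
    return hashlib.sha256(password.encode()).digest()


def index_to_password(n: int) -> str:
    """Bijection from 0..SPACE-1 onto the toy password space."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_(digest: bytes, position: int) -> str:
    """Reduction function R_i: map a digest back into the password space.

    Mixing the chain position into the reduction is what makes the table a
    *rainbow* table: two chains that hit the same hash at different
    positions take different next steps instead of merging for good.
    """
    n = (int.from_bytes(digest[:8], "big") + position) % SPACE
    return index_to_password(n)


def chain_plaintexts(start: str) -> List[str]:
    """p0 = start, p(i+1) = R_i(H(p_i)).  Returns p0 .. p[CHAIN_LEN].

    p0 .. p[CHAIN_LEN-1] are the passwords this chain covers; the final
    element p[CHAIN_LEN] is only used as the stored endpoint.
    """
    pts = [start]
    for i in range(CHAIN_LEN):
        pts.append(reduce_(H(pts[-1]), i))
    return pts


def build_table(num_chains: int = NUM_CHAINS) -> Dict[str, List[str]]:
    """Map endpoint -> list of starts.  Only two plaintexts per chain are kept,
    so the table is about CHAIN_LEN times smaller than a full hash->password
    lookup over the same passwords.  Several chains may share an endpoint."""
    table: Dict[str, List[str]] = {}
    for c in range(num_chains):
        start = index_to_password((c * 7919) % SPACE)  # deterministic spread of starts
        end = chain_plaintexts(start)[-1]
        table.setdefault(end, []).append(start)
    return table


def crack(target: bytes, table: Dict[str, List[str]]) -> Optional[str]:
    """Return a password hashing to `target` if some stored chain covers it."""
    # Guess that target = H(p_j) for position j, finish the chain from there,
    # and see whether the endpoint we land on is one we stored.  Cheapest
    # guesses (j near the end) are tried first.
    for j in range(CHAIN_LEN - 1, -1, -1):
        candidate = reduce_(target, j)
        for i in range(j + 1, CHAIN_LEN):
            candidate = reduce_(H(candidate), i)
        # A matching endpoint may be a false alarm (a merged chain), so every
        # candidate chain is rebuilt from its start and checked hash by hash.
        for start in table.get(candidate, []):
            for p in chain_plaintexts(start)[:CHAIN_LEN]:
                if H(p) == target:
                    return p
    return None


if __name__ == "__main__":
    table = build_table()
    victim = chain_plaintexts("aaa")[5]          # a password 5 steps into the first chain
    print(f"stored {sum(len(v) for v in table.values())} chains, {len(table)} endpoints")
    print("recovered:", crack(H(victim), table), "expected:", victim)
```

The lookup costs roughly CHAIN_LEN squared over two hash evaluations in the worst case, which is the space/time trade: storage shrinks by a factor of CHAIN_LEN while each lookup does extra hashing. A per-user salt folded into H defeats this entirely, since a table would have to be built per salt.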