Possible Duplicate:
Is SHA-1 secure for password storage?
I am new to encryption and I have a doubt. It may be a stupid question but I am going to ask. I know SHA1 is not decryptable. But a quick thought: what if a hacker creates a table containing two columns – the non-encrypted password and its SHA1 encrypted value? And the rows contain passwords of all combinations of characters, which he generated using a program in 6 months (say 900 million records). Can’t he easily get the non-encrypted password if he got an SHA1 encrypted password?
If yes is there any solution to prevent this?
Thanks in advance.
The attack you’re describing is called a rainbow table. Yes, it certainly is a valid concern for short passwords – thus the typical security requirements on the minimum length of passwords. However, the size of the table needs to grow exponentially with the length of the password; for example, an alphanumeric case-sensitive password would increase the table by a factor of 62 for each additional character. Thus, it becomes intractable to compute beyond a certain length. (Just 8 characters would give rise to around 218 trillion combinations.)
Another precaution you could take is to salt your passwords (which may simplistically involve appending a constant string to each password before computing its hash). This way, even if the attacker has access to a pre-computed rainbow table, it would be of no use against your hashes; a new rainbow table would have to be computed for each salt.
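The effect described in the answer above, as an added example that is not part of the original post: a precomputed SHA-1 lookup table finds an unsalted hash but misses the same password once a salt is mixed in. It goes beyond the constant salt mentioned in the answer by using a fresh random salt per password and PBKDF2 in place of a single SHA-1 pass; all function names and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def keyspace(length, alphabet=62):
    """Candidate count for a password of `length` chars (62 = a-z, A-Z, 0-9)."""
    return alphabet ** length

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_table(candidates):
    """Precomputed hash -> password lookup (a plain table, not a chained rainbow table)."""
    return {sha1_hex(p.encode()): p for p in candidates}

def store(password: str, iterations: int = 100_000):
    """Hardened storage: per-password random salt plus an iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

# Constructed sample data: a tiny stand-in for the table in the question.
TABLE = build_table(["123456", "letmein", "hunter2"])

def lookup_unsalted(password: str):
    """Unsalted SHA-1: the stored hash is a key in any table covering the password."""
    return TABLE.get(sha1_hex(password.encode()))

def lookup_salted(password: str):
    """Salted SHA-1: same password, but the hash input no longer matches the table."""
    salt = os.urandom(16)
    return TABLE.get(sha1_hex(salt + password.encode()))

if __name__ == "__main__":
    print("8-char alphanumeric keyspace:", keyspace(8))
    print("unsalted lookup:", lookup_unsalted("hunter2"))
    print("salted lookup:  ", lookup_salted("hunter2"))
    a, b = store("hunter2"), store("hunter2")
    print("same password, same record?", a[2] == b[2])
    print("verify correct / wrong:", verify("hunter2", a), verify("letmein", a))
```

The salt is stored alongside the digest; it does not need to be secret, only different for each password.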