Hashing passwords won’t save you or your users. Once a database of passwords has been stolen, hackers aim immense distributed computing power at those password databases.
Brute force only works when each guess can be checked, so that the right password effectively shouts: “yes, you found the right match”. However, if the “brute-force bot” is unable to tell whether a guess matches or not, then it is impossible to find a password using brute force.
And using a SALT is what does the trick.
Example:
Here is my hash:
89472ebc1a5f57d8918812acd8898409
It was hashed with the following algorithm:
MD5(MD5(SALT+PASSWORD) + SALT)
- The password is 4 characters long: letters only, all lowercase. Easy? In theory it could be defeated by trying 26 x 26 x 26 x 26 = roughly 500k possibilities, and even a regular computer can generate 500k candidates in less than an hour. Also, MD5 is quite fast.
- Heck, the password even appears in practically any rainbow table or password dictionary (but it is not 1234).
Can you guess the password?

No, you won’t.
Myth: md5 is unsafe.
Myth: long password is safe.
Myth: brute force can defeat any password.
The trick is this. First, the length of the password is moot once we add a SALT. Second, you cannot predict what md5(“something”) returns (it is one value out of a huge list of random-looking ones); only the size of the output is fixed, and there is an infinite number of possible inputs.
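As an added illustration (not code from the original post), here is the scheme MD5(MD5(SALT+PASSWORD) + SALT) in Python with a constructed salt and 4-letter password: it shows that the same password hashes differently under each salt, that the 26 x 26 x 26 x 26 space from above is exhausted quickly once the salt is known, and that with the wrong salt no guess ever matches. It assumes the inner MD5 is concatenated as its 32-character hex string (as PHP's md5() would do).

```python
import hashlib
import itertools
import string


def md5_hex(data: str) -> str:
    """MD5 of a UTF-8 string as 32 lowercase hex characters (the post's MD5())."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def salted_hash(salt: str, password: str) -> str:
    """The post's scheme: MD5(MD5(SALT+PASSWORD) + SALT).
    Assumption: the inner digest is concatenated as hex text, not raw bytes."""
    return md5_hex(md5_hex(salt + password) + salt)


def candidates(length: int = 4):
    """Every password allowed by the stated policy: `length` lowercase letters."""
    for combo in itertools.product(string.ascii_lowercase, repeat=length):
        yield "".join(combo)


def recover_with_known_salt(target: str, salt: str, length: int = 4):
    """What a checker can do once the salt is known (it is usually stored next
    to the hash): test each of the 26**length candidates against the target.
    Returns (password, guesses_made), or (None, guesses_made) if none matches."""
    guesses = 0
    for guess in candidates(length):
        guesses += 1
        if salted_hash(salt, guess) == target:
            return guess, guesses
    return None, guesses


def search_space(length: int = 4, salt_bytes: int = 0) -> int:
    """(salt, password) pairs a checker must consider when the salt is unknown:
    the post's 26**4 is multiplied by 256 for every random secret salt byte."""
    return (26 ** length) * (256 ** salt_bytes)


if __name__ == "__main__":
    # Constructed values for the demo; the post's real salt and password are unknown.
    SALT, PASSWORD = "s3cret-salt", "cafe"
    target = salted_hash(SALT, PASSWORD)
    # Same password, different salt: a table precomputed for one salt is useless for another.
    print(target, salted_hash("other-salt", PASSWORD))
    print(recover_with_known_salt(target, SALT))               # ('cafe', 35287)
    print(recover_with_known_salt(target, "guess", length=3))  # (None, 17576)
    print(search_space(4, 16))
```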