Let's talk about data breaches.
The biggest data breach, and the failure of using hashing correctly,
came out last year from Yahoo.
1 billion accounts were compromised,
because they only secured their database with MD5 hashes.
Now, MD5 hashes, as you recall, are very, very easy to compute and
have a very small bit length.
So if we have all one billion accounts,
running those through a rainbow table, and
looking at all the MD5 hashes out there, we can come up with 75% or
750 million passwords in a matter of a couple days.
I can't remember how long it actually was, but we've come up
with huge amounts of data and actual passwords for all those Yahoo users.
So once that happened, Yahoo said, change your password.
Another failure was Cupid Media several years ago.
42 million accounts across many different
websites that they owned had no encryption or
no hashing algorithm on the password at all.
LinkedIn also back in 2012 had 6.5 million accounts hacked.
They were encrypted; however, they didn't have salts attached.
So if we were able to obtain the hash from another website or
went through them with a rainbow table or they were precomputed somewhere else,
then we would have been able to find or identify the password.
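
Added example, not part of the lecture: a Python sketch of why unsalted fast hashes fall to a precomputed table, next to a salted, slow alternative. The user names, passwords, word list, function names, and the PBKDF2 work factor are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "x9!Lq#2vTz"}
# Constructed stand-in for a precomputed table built from a common-password list.
COMMON_PASSWORDS = ["123456", "password", "sunshine1", "qwerty"]
ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def unsalted_md5(password):
    """Weak scheme from the lecture: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_lookup(stored):
    """Audit check: which stored hashes already appear in a precomputed table?"""
    table = {unsalted_md5(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password, salt=None):
    """Hardened form: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    weak = {u: unsalted_md5(p) for u, p in USERS.items()}
    print("same hash for alice and bob:", weak["alice"] == weak["bob"])
    print("found in precomputed table:", sorted(precomputed_lookup(weak)))
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("salted digests differ:", strong["alice"][1] != strong["bob"][1])
    print("login still verifies:", verify_password("sunshine1", *strong["alice"]))
```

With per-user salts, identical passwords no longer produce identical stored values, so a table computed once cannot be reused across accounts or sites.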