Very interesting discussion of Rainbow Tables over at Coding Horror: But it is possible to attack the hashed value of your password using rainbow tables: enormous, pre-computed hash values for every possible combination of characters. An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster– assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. It’s a classic time-memory tradeoff, exactly the sort of cheating shortcut you’d expect a black hat attacker to take.
And that blog post led me to the 10 Immutable Laws of Security. Example:
Law #5: Weak passwords trump strong security
The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he’s you. Maybe he wants to read sensitive information you’ve stored on your computer, like your e-mail. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn’t. Or maybe he just wants to do something malicious and blame it on you. In any case, it’s worth protecting your credentials.