How to Secure User Passwords: From Weak Hashes to PBKDF2, bcrypt, and scrypt
This article examines common password‑storage techniques, explains why plain‑text, symmetric encryption, and simple hashes are insecure, and demonstrates how modern algorithms like PBKDF2, bcrypt, and scrypt, together with proper salting and iteration, can effectively protect user credentials against large‑scale cracking attacks.
1. User Password Encryption
When storing passwords in a database, several methods are used. Plain‑text storage is the simplest but extremely insecure.
Symmetric encryption (e.g., 3DES, AES) can be reversed if the key is compromised, making it unsuitable for password storage.
One‑way hash algorithms such as MD5 or SHA‑1 were once common, but rainbow‑table attacks have rendered them insecure.
Enhanced hash schemes add a salt or multiple iterations, but a fixed (site‑wide) salt is itself a secret that must be protected.
PBKDF2 combines a random salt with many iterations of a hash function (e.g., SHA‑1 or SHA‑256, at least 1,000 rounds), which dramatically increases the cost of cracking: a single verification may take ~1 ms on a server, but every guess costs an attacker 1,000 × the work of a plain hash.
Modern password‑hashing functions like bcrypt and scrypt also incorporate salts and configurable work factors, providing strong resistance against rainbow‑table attacks.
2. Password Cracking Techniques
Cracking depends on the protection method. Symmetric‑encrypted passwords require the key; hash‑protected passwords are vulnerable to rainbow tables.
A rainbow table pre‑computes hash‑to‑plaintext mappings, which is feasible for short numeric passwords but infeasible for longer, mixed‑character passwords due to astronomical storage requirements.
Pre‑computed hash chains reduce storage by keeping only each chain's head and tail. During lookup, the target hash is repeatedly reduced and re‑hashed and compared against the stored tails; once a tail matches, the chain is regenerated from its head to recover the plaintext. Using a different reduction function R at each step of the chain is what turns these chains into a “rainbow table”.
Rainbow tables can also target short symmetric keys (e.g., DES), but are impractical for long keys such as AES.
3. Conclusion
Using PBKDF2, bcrypt, or scrypt effectively mitigates rainbow‑table attacks, ensuring that even if a data breach occurs, user passwords remain protected and attackers cannot mass‑crack them. Compromised passwords should still be changed promptly.