Minor correction: MD5 does suffer from potential collisions, that is two different inputs can have the same MD5 output. Since the majority of systems only store the MD5 and nothing else (like say what the first letter was, or a SHA hash) if you find an input (not necessarily the "correct" one) that results in the same MD5 hash the system will accept it as legitimate since the hash values match. The chances of such a collision occuring, against arbitrary data such as "this_is_my_password" are rare, especially when you consider the limitations on passwords (length, ascii characters, etc.). The beauty of the rainbow tables is once you've "cracked" a password (i.e. taken a value, MD5'ed it, stored it in the DB) your only further requirement is storage (which is dirt cheap now) and search costs (which is pretty cheap since you have it all nicely done up in tables).
Kurt Seifried, [EMAIL PROTECTED] A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html