Re: And if the password is hashed
To all: I think my math is OK here, but pls forgive me. I didn't use billion, as the meaning changes depending on what side of the Atlantic you're on.
AC: I don't think you understand just how large a 128-bit number is, let alone a 256-bit number. 128 bits works out to around 3.40 × 10^38 different numbers.
Humor me here: Fit 3 x 10^11 (three hundred thousand million) hashes in a cubic millimetre...
A desktop HDD has an outside volume of 386,022 mm^3. At the same storage density as above, the HDD would have to be able to store 115,806,600,000,000,000 128-bit hashes or 1,852,905,600,000,000,000 bytes (1.9 million petabytes - 1.9 zettabytes) of data to match the storage density of that cubic mm above.
To visualize just how much data that is, think how big a pile nearly two million million 1TB drives would be. The annual HDD production of any sized-storage by the three largest manufacturers is 200M - so that'd be 10,000 years' production.
Last year, IBM announced that it is building a 120 PB HDD data repository - an array of 200,000 HDDs. That 1.8ZB HDD would represent 15,834 of IBM's arrays.
The volume of the Earth is roughly 1.097 x 10^27 mm^3. That's a thousand million million million million.
A planet-Earth-sized pile of 1.8ZB HDDs would be needed just to store all possible 128-bit hashes. (Seagate expects to use HAMR to produce 60 TB+ 3.5" hard drives within the next ten years - you'd still need 31,666 of 'em for ONE 1.9 ZB HDD.)
At current rates of manufacturing, you would need every HDD produced for 2.6 x 10^21 years just to store all possible 128-bit hashes. That's 1.8 x 10^11 times the age of the universe...
Oh, it gets worse, AC.
To store all possible 256-bit hashes, you would need 3.40 × 10^38 Earth-size piles of 1.9 ZB HDDs.
THAT, my friend, is a sufficiently large haystack to hide a needle in.
Password hashing IS good practice. Best practice is salted hashing, with individual, random salts (assuming the salts aren't stored with the hashes) and a slow or memory-intensive hashing algorithm.
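An added example, not part of the original post: a sketch of per-user random salts with a memory-intensive hash, set beside a fast unsalted hash, showing that two accounts with the same password only share a stored value in the unsalted case. The choice of scrypt, the cost parameters, the function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed scrypt cost parameters for illustration (roughly 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the account's salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted_fast_hash(password: str) -> bytes:
    """Weak baseline: identical passwords always give identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compare_schemes(password: str = "correct horse battery staple") -> dict:
    """Hash one constructed sample password for two accounts under both schemes."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return {
        "unsalted_collide": unsalted_fast_hash(password) == unsalted_fast_hash(password),
        "salted_collide": digest_a == digest_b,
        "salts_differ": salt_a != salt_b,
        "verify_ok": verify_password(password, salt_a, digest_a),
        "verify_wrong": verify_password(password + "x", salt_a, digest_a),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```
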