The reason that this is a problem, is that many users use the same passwords in multiple places, so if you know their password in one place, you can probably log into other services using that password. If you store all passwords as hash values, and you lose these hash values to people that may abuse them, it is important that they cannot get the original password from it. There are many ways to crack passwords, and lostpassword.com is a good site to know, if you want to know how easy it is to crack passwords.
But how fast can md5 hashes be cracked? Let's try to imagine that we produce all thinkable passwords and generate their md5 hashes, and then use the resulting list as a lookup table, sorted by md5 hash. Let's make a few presumptions:
- The password is only using lowercase letters and digits, 36 different characters in total.
- It is totally random.
- n=5 uses 2GB crack time: 100ms
- n=6 uses 82GB crack time: 120ms
- n=7 uses 3TB crack time: 140ms
- n=8 uses 112TB crack time: 160ms
- n=9 uses 4163TB crack time: 180ms
- n=10 uses 1×1017 bytes
- n=15 uses 1×1025 bytes
- n=20 uses 1×1032 bytes
As you can see, these are bad passwords:
- this is fun
- my dog ate my homework (somebody else probably used that, too)
- slashdot8fischk (15 characters, spelling errors etc.)
- roskilde/1997/annie (25 characters, but who is Annie and why Roskilde?)
As a programmer, you can help your users make better passwords by providing more space to type the password. Usability research has shown, that this actually helps, although I cannot remember the source for that information. Some systems also use the word "passphrase" instead of password in order to encourage users to type more characters.