Passwords are dead

pcidss.wordpress.com

3 points by paupino_masano 13 years ago · 1 comment

csense 13 years ago

I stopped reading when the author revealed his cluelessness about the appropriate countermeasure for rainbow tables:

> There exists databases FULL of every single password hash (for each type of encryption / hash approach) that can be compared against recovered passwords – think 2 excel tables .. search for hash in column A and find real world password in column B.

This is a good description of the attack vector, and the fact that this attack vector exists is why any modern application should hash each user's password with a different salt when storing it in the database.
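An added example, not part of csense's comment or the linked article: it shows the lookup-table match against unsalted hashes next to per-user salted storage, where two users with the same password end up with different stored digests. The user names, passwords, candidate list and iteration count are constructed, and PBKDF2-HMAC-SHA256 is a choice made for this sketch; the comment itself only calls for a different salt per user.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}
ITERATIONS = 200_000  # assumed work factor for this demo


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> password map: the 'column A / column B' table."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest); a fresh random 16-byte salt per stored password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def demo():
    table = build_lookup_table(["123456", "password", "hunter2"])
    # Unsalted storage: one table lookup per row recovers every password.
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    recovered = {u: table.get(h) for u, h in unsalted_db.items()}
    # Salted storage: same password, different salt, different stored digest.
    salted_db = {u: hash_password(p) for u, p in USERS.items()}
    hits = [u for u, (_, d) in salted_db.items() if d.hex() in table]
    return recovered, salted_db, hits


if __name__ == "__main__":
    recovered, salted_db, hits = demo()
    print("unsalted rows found in table:", recovered)
    print("salted rows found in table:  ", hits)
    for user, (salt, digest) in salted_db.items():
        print(user, salt.hex(), digest.hex()[:16])
```

The salt is stored beside the digest in the same row; it does not need to be secret, only unique per user, so that a table has to be rebuilt for every row instead of once for the whole database.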
