Eelke wrote:The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
If I'm correct, this is particoularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even in the public Internet.
A part of the old suggestion of using a different pw for each site, using somewhat complex passwords is also a good advice, for example !waHt+eVer?
instead of whatever