[danielweber]

People have built huge rainbow tables of MD5 hashes.

I don't really keep up with that game (like WoW, it seems like a fun game, but only if you are willing to put in a lot of your time), but I think the current limit is somewhere around 8 or 9 characters if you are pulling from all printables, meaning that "H.*W8Jz&r3" with MD5 is probably not breakable right now.

Take off two characters, or wait 3 years, and it probably will be.

[consultant23522]

My understanding, and I'm sure that someone else will correct me, is that with MD5 rainbow tables it's not so much that someone will get your password as they will get something that hashes to the same value. More than likely this will be your password, but sometimes not. The point is that it doesn't matter if your password is 25 characters long.. if there's a 5 character password that hashes to the same value they could log in with it.

[danielweber]

While it's possible to make MD5 collisions, finding something that hashes to the same thing as a hash of my short password is essentially impossible.

In fact, collisions on short passwords are harder than collisions on long passwords. The space of all MD5 outputs is way bigger than the space of 12-character passwords.