Many systems are stored in the database after a MD5 or SHA1 hash of the password. Such a password cannot withstand a dictionary attack. The so-called dictionary attack, is to use the common password hash after making a dictionary, crack, only need to look up the dictionary to know the corresponding plaintext password.
To protect against dictionary attacks, it is recommended to use a password + salt (a bunch of random numbers) to hash the method. Each password corresponds to a different random number. This method, in effect, artificially expands the password to n bits, resulting in a large increase in the length of the password, which makes it impossible for an attacker to construct such a large dictionary.
Password + random string to save the password must not be cracked it? There must be two columns in the database table, one column holds the random string, and the other column holds the password + the hash value of the random string. What happens if an attacker gets the database? He can build a dictionary of each password, and then look up the dictionary hack. In fact, the dictionary constructed to crack a password is not very large, as is the case with random strings! But this dictionary is a one-time dictionary.
It is not impossible to break every password by constructing a dictionary, albeit slowly.
As a result, the ultimate solution is to return to the limit password minimum length and use complex passwords.
About the storage of passwords in the database