A common situation in computer systems is one where all the available local storage on a computer is physically readable by anyone and therefore needs to be cryptographically protected, and where the only available source of secret randomness is a human-memorizable password. Examples include a multi-user system where a browser lets users store personal information and site-specific passwords under the protection of one master password, or a laptop whose disk can be searched when the machine is captured and whose data is protected by a password. The common solution is to derive a cryptographic key from the user-supplied password, possibly together with a public, locally stored salt. (A salt is a random value that is generated and retained for one specific context and is primarily used to keep different contexts separate: it makes the hash value differ between users even when they happen to choose the same password.) This practice, however, is quite problematic, since it allows an attacker to perform dictionary searches for the correct password. Indeed, if the attacker has access to the encrypted stored data and the password is drawn from a relatively small dictionary, such an attack appears feasible. Furthermore, in contrast to password-based key exchange between a client and a server, where the server can efficiently limit off-line dictionary attacks, here the lack of any secret storage seems to make such attacks inevitable.
The threat of dictionary attack is commonly addressed by using a key-derivation function, such as SHA1 (the first successor to SHA0, a Secure Hash Algorithm created by the National Security Agency) repeated a few thousand times, to derive the key from the password, in the hope of slowing down off-line dictionary attacks. Although helpful, this approach is still not efficient as a solution: it entails an eternal cat-and-mouse chase in which the number of iterations must continuously increase to match the growing computing power of potential attackers.
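The following is an added example, not code from the original text, showing the salted, iterated derivation the two paragraphs describe in working form. It uses Python's standard `hashlib.pbkdf2_hmac` (PBKDF2 is one standard instance of "repeat a hash a few thousand times"), stores the public salt and iteration count beside the derived key exactly as the text's locally readable storage model allows, and lets the iteration count be raised over time so the cost of each password guess can be tuned. The hash name, key length, and the record format are assumptions made for this example.

```python
import hashlib
import os
import time

# Assumptions for this example (not from the original text): the hash used
# for derivation and the length of the key handed to the encryption layer.
DEFAULT_HASH = "sha256"
KEY_LEN = 32


def new_salt(length: int = 16) -> bytes:
    """A fresh random salt; it is public and stored next to the ciphertext,
    so it only needs to be unique per context, not secret."""
    return os.urandom(length)


def derive_key(password: str, salt: bytes, iterations: int,
               hash_name: str = DEFAULT_HASH, key_len: int = KEY_LEN) -> bytes:
    """Salted, iterated key derivation (PBKDF2-HMAC).  Each iteration costs
    one HMAC, so raising `iterations` raises the per-guess cost of an
    off-line dictionary search by the same factor."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def make_record(password: str, iterations: int) -> dict:
    """What gets written to the (publicly readable) local store: the salt and
    the iteration count are not secret; only the password is.  The derived
    key itself is returned separately and must never be written to disk."""
    salt = new_salt()
    key = derive_key(password, salt, iterations)
    record = {"hash": DEFAULT_HASH, "salt": salt.hex(), "iterations": iterations}
    return {"record": record, "key": key}


def rederive_from_record(password: str, record: dict) -> bytes:
    """Reconstruct the key from the stored public parameters plus the password."""
    return derive_key(password, bytes.fromhex(record["salt"]),
                      record["iterations"], record["hash"])


def cost_ratio(password: str, salt: bytes, low: int, high: int) -> float:
    """Measure how much longer derivation takes at `high` iterations than at
    `low`: this is the 'cat-and-mouse' knob the text refers to, since the
    defender pays this cost once per login while an attacker pays it once
    per guess."""
    t0 = time.perf_counter()
    derive_key(password, salt, low)
    t1 = time.perf_counter()
    derive_key(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    # Constructed sample password; the salt below is generated at random.
    stored = make_record("correct horse battery staple", iterations=100_000)
    print("public record:", stored["record"])
    print("key re-derived from record matches:",
          rederive_from_record("correct horse battery staple", stored["record"]) == stored["key"])
    salt = bytes.fromhex(stored["record"]["salt"])
    print("cost of 200k vs 2k iterations:", round(cost_ratio("x", salt, 2_000, 200_000), 1), "x")
```

Two properties worth noting: the same password yields a different key under a different salt, so a precomputed table for one user's record says nothing about another's, and the only parameter the defender controls against a steadily faster attacker is the iteration count, which is precisely the escalation the text describes.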