The article is not accurate in how password hashes work. And the encryption algorithms are all either open source or public record.
Passwords are typically stored hashed, not in a two-way encrypted or plain text formats. If you do business with any organization that can send you your password when you forget it then close your account and don't do business with them. They are storing your password plain text
There is a difference between hashed and encrypted. Hashing uses encryption principles to create a one-way encrypted result. It can't be unencrypted by any password - there is no password. The one-way encrypted value is stored and when you log in the password you provide is hashed using the same algorithm. The hashed result is compared against the hashed value stored in the database. If they match then you're in. Even though creating a hashing algorithm is done with encryption techniques, this is usually referred to as creating a hash rather than encryption. Technically it is one-way encryption.
The traditional way to defeat a cryptologically sound hash was through a dictionary attack. You try combinations of values until you get a hash that matches the target. Since you can hash entire books, chapters, paragraphs, sentences, words, or randomly generated passwords, and everything in between, the possibilities to be included in the dictionary are mind-boggling. When you see sites that limit you to 8 alphanumeric characters, though, you are on a site where your account can be cracked in minutes. Going to 10, 16, 32, or more characters with lots of special characters allowed, increases the required dictionary size exponentially for each additional option added. Length counts much more than complexity in dictionary attacks.
The article is completely mistaken to compare costs of adding additional characters in the set of characters to the value of extending the length of the password. Here's an article describing the effects of password length versus complexity. Even using only upper case alphabet (26 characters) is more secure at 15 characters than using 79 characters (upper, lower, numbers, special) at 7 characters in length.
http://blogs.mcafee.com/mcafee-labs/password-policy-length-vs-complexityBeyond dictionary attacks, though, are rainbow cracks,
http://project-rainbowcrack.com/, using time-memory trade offs and rainbow tables. It's a sophisticated variation on a dictionary attack that hugely shortens the time to crack a hash. Here's a video showing a complex 8-character hash being broken in under 10 minutes:
https://www.youtube.com/watch?v=eBLJcBuLQLUThis is easily done by the NSA. With cost estimates discussed in the article, imagine how short of a time it would take to break a hash if you could spend a million dollars to crack a hash. Cracking a hash is simple for the NSA.
Salts are not typically used in hash algorithms but it is not uncommon to add a salt to the plain-text before encrypting it so that the resulting hash is not tied to a specific password. If the salt is based on something user specific then cracking the hash of one password will not give you the the answer to other hashes in the database.
When people refer to encryption, they usually mean a two-way encryption - in other words, it can be unencrypted and the original value recovered. This requires a key (or password) that can be shared. There are public/private key systems or simple systems where you have the same key to the encrypted text for all users. This is almost never used in storing passwords. If you were to ever discover that some company stored your password this way, close your account and don't do business with them. They may as well store your password in plain text because they have to store the encrypted text and the key to unencrypt it. If you steal one you can likely steal both. It makes no sense for the FBI to request keys to encrypted passwords. They'll never find them stored this way.
Salts are used as part of encryption algorithms - referred to as Initialization Vector. But the IV has to be prefixed on the encrypted result because it is required to decrypt the encrypted value. So, for all common encryption algorithms that use salts, the salt is readily available and needn't be requested separately by the FBI.
Asking for algorithms makes the least sense of all. No one that is seriously interested in security would write their own algorithm unless encryption is their training and background - and I'm talking Phd in Mathematics level of training. Anyone with any knowledge in the field would choose a publicly available algorithm over a private one every day of the week. Security in encryption comes from peer review of other real experts and not through obscurity or secrecy.
