Rainbow Table Password Attack - What Is It and How Do You Protect Yourself From It
A rainbow table is just one of the many potent tools in the arsenal of the cybercriminals of today. While a rainbow table password attack has its limitations, it does give hackers the opportunity to effectively steal passwords from systems that are not protected well enough.
How Does A Rainbow Table Password Attack Work?
In order to understand how a rainbow table works, you first need to understand how password hashing works. Usually, the passwords in computer systems are not stored directly as plain text strings. Storing them that way is a security risk that can easily be exploited, and that's too much of a risk for developers to take - which is why passwords are run through a cryptographic hash function before they are stored. This means that the password string you type in to authenticate is converted into a hash on your end; since a hash function is one-way, the stored hash cannot be reversed on the other end to produce the password. Effectively, whenever a user enters a password, it is converted into a hash value, and that value is compared with the hash value already stored on the other end. A match of these values is what actually authenticates the user.
A rainbow table is a vast data repository used to attack not the password itself, but the protection that the hash is supposed to provide. Effectively, it is a massive library of plaintext passwords together with the hash value that corresponds to each and every one of them. The attacker compares the hash of a user's password against all the hashes in the table, which can quickly reveal what plaintext password is tied to a particular hash. Furthermore, more than one input can produce the same hash - and that's good enough for cybercriminals, since they don't actually need to know the real password; any combination of symbols that authenticates their access will do.
The Specifics of a Rainbow Attack
Rainbow tables have some distinct advantages over other methods of cracking passwords, such as brute-forcing. Computing the hash function isn't the problem for the cybercriminal in question, since everything is precomputed, and the tables containing all the information they need are available online. Effectively, all they need to perform is a simple search-and-compare operation on a table.
However, rainbow attacks aren't the be-all and end-all tool for hackers. They do have their limitations, such as the huge amount of storage required for the tables they use - and the tables in question are indeed quite large. A typical rainbow table containing the hashes of all possible 8-symbol passwords drawn from most symbols one can think of can be as large as 160 GB - and the storage required to include longer passwords in the table grows exponentially with each bit of added entropy.
How Can Rainbow Attacks Be Prevented?
There is very little users can do to prevent falling victim to a rainbow table password attack, aside from following all the good practices when creating a password. On the other hand, the developer of the IT system in question can easily prevent rainbow table attacks by salting the hashes. A salt is a random piece of data that is passed into the hash function along with the plain text password. This ensures that every stored password gets a unique generated hash, even when two users choose the same password, rendering the rainbow table attack impossible to carry out.
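As an added illustration (not code from the original article), the following Python script builds a small lookup table of unsalted SHA-256 hashes to show the search-and-compare step described earlier, and then shows why the salted hashing described in this section defeats it. The wordlist, the "leaked" hash and the choice of PBKDF2-HMAC-SHA256 as the salted scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the plaintext column of a precomputed table.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]

def unsalted_hash(word):
    """Plain SHA-256 of the password, as an unsalted scheme would store it."""
    return hashlib.sha256(word.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute digest -> plaintext once. This is the search-and-compare
    resource the article describes (a real rainbow table additionally
    compresses the data with hash chains, which is omitted here)."""
    return {unsalted_hash(w): w for w in words}

def lookup(table, hex_digest):
    """Return the plaintext behind a leaked digest, or None if it is not in the table."""
    return table.get(hex_digest)

def hash_password_salted(password, salt=None, iterations=200_000):
    """Defensive form: a random 16-byte per-user salt fed into a slow KDF
    (PBKDF2-HMAC-SHA256). Returns (salt, digest); both are stored, and the
    salt does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, stored_digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)

def demo():
    table = build_lookup_table(WORDLIST)
    leaked = unsalted_hash("hunter2")          # constructed "leaked" unsalted hash
    recovered = lookup(table, leaked)          # the table hands back the plaintext
    salt, stored = hash_password_salted("hunter2")
    salted_hit = lookup(table, stored.hex())   # same password, salted: no match
    _, stored_again = hash_password_salted("hunter2")
    # Two users with the same password get different stored digests, yet login still works.
    return recovered, salted_hit, stored != stored_again, verify_password("hunter2", salt, stored)

if __name__ == "__main__":
    print(demo())
```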