Whenever you read or hear of the topic “password security”, the focus is mostly on the user side. This blog flips the script by having a look at rainbow tables. Let’s learn what they are, what they do and how to mitigate password security threats generated by these tables.
What Is a Rainbow Table?
In the cyber world, Rainbow tables are just as famous as Spectrum Billing is in the world of cable TV entertainment. These tables are used by cybercriminals for cracking unsalted and hashed passwords through rapid cryptanalysis.
Salt is a random unique number applied to a plain text password before hashing and storing it to make it secure. Attackers use large lookup database tables for launching rainbow table attacks. Each table containing a pre-computed password has combinations. This info uncovers the plain text version of passwords from hashes.
What do Rainbow Tables Do?
Cybercriminals use rainbow tables for cracking complex passwords using hashes. For simple passwords, they use brute force attacks as well as hash tables but both these methods are resource-intensive and time-consuming.
With rainbow tables, a hacker can do all the work of cracking a password in advance and store the results in a table format. Cybercriminals use these tables for comparing pre-computed hashes against the ones stored in the storage documents of password hashes maintained by the organization. If they succeed, they can use the hashes for reverse mapping a password hash and gain access to the readable versions of the original passwords.
How to Protect Stored Passwords?
For securing hashed passwords from hackers, it’s important to talk about “salting.” It is the technique of adding a random and unique value at the end of a password.
Let’s elaborate that with the help of an example. Assume that the password you would like to secure is “HappyTimes.”
To add salt at the end of the password, we will add a random value at the end. So your password will look like this when it’s salted: “HappyTimes09469835245752.”
Why to Salt Hashed Passwords
Now let’s understand why a password should be salted.
The answer is simple – salting makes your stored password secure. You can actually prevent them from rainbow table attacks.
With salting, you add an unpredictable value to the password. This makes it impossible to create rainbow tables, to begin with. Salting must be performed before hashing the password. The hash value that results from hashing a salted password is different from the hash received from hashing an unsalted password. This throws rainbow tables out of the window. Why? Because the attacker would have to generate hashes to every possible version of the salt value.
Even if more than one user has the same password, they will still receive a different hash value since different salts are applied.
Is it possible to guess a salt?
So a cybercriminal will have to create a precomputed table of the values for reflecting every possible salt value. Depending on the size of the salt added to a password, the number of calculations could be enormous. Guessing the salt value is highly resource-intensive.
Salting the original passwords makes them secure. Since salts are random values, the attacker will have to do a lot of work to guess the value. This is a win-win for the organization as well as customers.
What Else Can You Do to Secure Your Passwords?
Another way to make your passwords secure is using the “hashing algorithm.” Apart from salting the hashes, you can also ensure your hash function is slow. It’s unnoticeable to you, but this method makes cracking the passwords a thousand times slower.
The advanced hash functions are not just slower, but hard on memory. To compute them, a lot of extra memory is required. Cracking attempts are hence slowed down. So if hash algorithms are used, cracking a password becomes nearly impossible.
Wrapping Things Up
This blog has introduced you to a lot of technical information but I have made it as simple as possible for an average user to understand what rainbow tables are and how cybercriminals use them for hacking passwords.
Password security remains a continuously changing practice. There is no perfect way of preventing password cracking attempts because just like security practices, cybercrimes are advancing. However, by following the best practices, we can surely keep the attempts of hackers at bay.