Explaining rainbow table attack threat to passwords

A rainbow table attack is an attempt to crack passwords hashed in databases. Apps and services do not store passwords in plaintext. Instead, passwords get hashed, and systems compare users’ input with stored hashes. 

A rainbow table attack occurs if hackers manage to access a hashed password database. Then, attackers can learn plaintext passwords by using a rainbow table.

Let’s examine how this attack works and what security solutions are available. 

What is a rainbow table attack? 

A rainbow table attack hopes to learn victims’ passwords through unprotected hashed password databases. 

To revert passwords to plaintext, attackers use a rainbow table. The latter refers to tables containing reversed hashes for cracking password hashes. 

So, if criminals have a database of hashed passwords, they will use a rainbow table to crack all passwords.

Hashing and user authentication process

Hashing is a process of turning a string of characters, like a password, into another value. Systems use hash functions to convert data into an output following specific rules like a fixed character number. 

Systems use hashing to store data more safely and practically. Thus, when a user enters a password, the entry gets hashed and compared with the saved hashed value. So, an app or service does not see passwords in their plaintext form. 

How rainbow table attack works 

Hackers performing a rainbow table attack need a rainbow table attack. It is a table containing a list of passwords, their hash values, and the algorithms used. Using this file, it is possible to crack hashed passwords. 

Typically, a rainbow table attack would occur in the following sequence:

1. Hackers discover an unsecured password database and a leaked list of hashes. 
2. Criminals could gain access via other attempts, like phishing strategies. 
3. The attackers can decrypt passwords and match the users using the rainbow table. 

The attack preserves time-memory by storing fewer hash codes. Hackers take a precomputed table and pass hashes through reduction functions. If the technique fails to find a match, it happens again. The larger the rainbow table, the faster it returns the passwords. 

The rainbow table attack is more practical than brute-force attacks. The latter would need to generate thousands of combinations and compare them with password hashes. 

So, it requires less computing power to perform. It also uses less memory space than other password-cracking strategies (like dictionary attacks). While all password attacks take time, brute forcing takes longer than rainbow table attacks. 

Rainbow table attack vs. dictionary attack

A dictionary attack tries to guess passwords from the generated list of common passwords and words. It can occur anytime, like targeting a social media account and running it with all possible passwords. 

However, a rainbow table attack turns to a precomputed table of hashes to find a plain text version of the hashed one. 

So, while both attacks target accounts and their passwords, hackers perform them differently. 

When rainbow table attacks do not work

While rainbow table attacks might be less demanding regarding memory, it is not always possible. Here are the three fortunate scenarios when the attack won’t do much: 

• Criminals need to precompute rainbow tables. Thus, the attack requires a lot of planning and preparation. 
• Such attacks are less common today since many services salt passwords before hashing them. 
• The attack can only work on one hash format like MD5. Separate rainbow tables are necessary for different types. 

Salting passwords for more security 

Salted passwords mean that the service automatically adds random strings to users’ passwords. After altering the plain text password, the system hashes it. Thus, even if criminals manage to reverse the hash, they won’t get the exact combination.

Prevent rainbow table attacks 

Thanks to more systems implementing modern security techniques, threats like rainbow table attacks render less successful. However, some data breaches prove more devastating when exposed databases contain hashed passwords. 

A system, platform, or app can be safe from such attacks if it salts passwords and uses the latest hashing algorithms. 

Furthermore, key stretching is also one of the possible defense strategies. It uses an intermediate hash function multiple times to increase the computation time for hashing each password. 

Another addition to account security is limiting login attempts. Thus, a user is authenticated only if they provide the correct credentials in three tries. 

How users can protect their accounts

Luckily, it is also possible for users to defend against rainbow table attacks. The following tips are excellent for securing accounts against many similar threats. 

1. Passwords that are at least 14 characters long. Some experts note that rainbow table attacks are effective on passwords shorter than 14 characters. 
2. Applying two-factor authentication on accounts means that hackers won’t be able to complete login procedures.
3. The overall security of accounts depends on passwords. Thus, use strong and unique combinations to defend against brute forcing and dictionary attacks. 
4. Password rules include using uppercase and lowercase letters, symbols, and numbers. Also, do not base them on dictionary words.