Best IT Recipes

What is a rainbow attack?

I read several articles about salt and password hashes, and several people mentioned rainbow attacks. What is a rainbow attack and what methods are best to prevent it?

+48
cryptography rainbowattack
Jun 18 '09 at 13:49
source share
7 answers

Wikipedia article is a little hard to understand. In a nutshell, you can imagine the Rainbow table as a large dictionary with pre-calculated hashes and passwords from which they were calculated.

The difference between Rainbow tables and other dictionaries simply lies in the way records are stored. The Rainbow table is optimized for hashes and passwords and, thus, provides greater optimization of the space, while maintaining a good search speed. But essentially, it's just a dictionary.

When an attacker steals a long list of password hashes from you, he can quickly check if any of them are in the Rainbow table. For those that are, the Rainbow table will also contain the row from which they were hashed.

Of course, there are too many hashes to store them all in the Rainbow table. Therefore, if the hash is not in a specific table, the hacker is out of luck. But if your users use simple English words, and you hashed them only once, there is a high probability that a good rainbow table will contain a password.

+53
Jun 18 '09 at 14:02
source share

This is when someone uses the Rainbow table to crack passwords.

If you are worried about this, you should use Salt . There is also a Stack Overlow question that can help you understand salt a little better than Wikipedia ...

+15
Jun 18 '09 at 13:50
source share

This is a useful article on Rainbow Tables for a layman. (Not suggesting that you be a layman, but he is well written and concise.)

+9
Jun 18 '09 at 13:54
source share

Late to the party, but I also knew that Rainbow Tables is a method of attacking hashed / unsalted passwords. However, on Twitter recently http://codahale.com/how-to-safely-store-a-password/ was shared and depending on your needs and problems .. you may not be able to salt your way to safe storage passwords.

I hope this will be informative to you.

+2
Jun 10 '11 at 13:25
source share

Wikipedia is your friend:

http://en.wikipedia.org/wiki/Rainbow_table

+1
Jun 18 '09 at 13:52
source share

In a broad sense, you encrypt a huge number of possible short strings of plaintext (for example, for passwords) and save the encrypted values ​​along with plaintext. This makes it (relatively) simple to search for plain text when you have an encrypted value.

This is most useful for weak and / or unmapped password hashes. A popular example is the LAN Manager hash , used by versions of Windows prior to XP to store user passwords.

Please note that a pre-computed rainbow table for even something as simple as the LM hash code takes a lot of processor time to generate and take up enough space (about 10 s gigabytes of IIRC).

+1
Jun 18 '09 at 14:04
source share

Rainbow tables basically allow someone to store a large number of pre-computed hashes.

This makes it easy to crack your hashed passwords, because instead of performing a whole bunch of hashing functions, this work has already been done, and they almost simply do a database search.

The best defense against this kind of attack is to use salt (random characters) in your password. that is, instead of saving md5 (password), save md5 (password + salt) or even better md5 (salt + md5 (password)).

Since even with rainbow tables, it is almost impossible to store all possible salty hashes.

By the way, obviously, you need to save the salt with a hash so that you can authenticate the user.

+1
Jun 18 '09 at 14:08
source share


More articles:


All Articles