Rainbow tables are password-cracking tools: precomputed lookup tables that recover plaintext passwords from password hashes, giving an attacker a way into password-protected accounts.
What is password hashing?
Except in rare cases of antiquated code, when a user enters their password into an account, the password is converted into a hash value; for instance, the password “Orange123” would be hashed into a fixed-length string of letters, numbers and symbols. This means that any password, regardless of its length or content, is always converted into a fixed-size value that cannot be altered and is difficult to reverse.
By obscuring the stored passwords, hash functions greatly increase password security. Enter rainbow tables, which are used to crack password hashes and are effective against weak password-hashing algorithms.
How rainbow tables work:
A rainbow table is a large, precomputed table designed to turn hashed passwords back into plaintext. To build it, candidate passwords are hashed and the hashes are passed through a series of reduction functions that map them back to new candidate passwords, forming chains; the finished table records which plaintext passwords produce which hash values, so a leaked hash can be looked up instead of brute-forced from scratch.
To launch a rainbow table attack, cyber-criminals need leaked hashes, which they may obtain through a vulnerability in a poorly secured password store or from the millions of leaked password hashes traded on the dark web. Time + computing = cracked passwords.
Salted hashing protects passwords against rainbow table attacks:
To bolster security against rainbow table attacks, many organizations use salted password hashes. This technique adds a random value (the salt) to each password before it is hashed, so two users with the same password end up with different hashes and a table precomputed for the bare hash no longer applies. While an attacker may have matched a hash value using a rainbow table, they will not be able to match a password’s hash once its added randomness is included. It puts a little figurative salt on their game. This is analogous to the way fingerprints are coded for authentication with a random shape layered on top: a hacker would need both the fingerprint and the shape to create the match, but rainbow tables only allow a hacker to find the match to the fingerprint (the original hash value).
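The chain construction and lookup described under “How rainbow tables work”, and the reason salting defeats it, shown as an added toy example that is not part of the original article. It assumes a three-letter lowercase password space and unsalted SHA-1 as the weak legacy hash, both chosen only to keep the demo small; the start points and salt are constructed values.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                      # toy space: 26**3 = 17,576 candidate passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40                  # hash/reduce steps per precomputed chain

def weak_hash(password: str) -> bytes:
    """Unsalted SHA-1, standing in for a legacy password-hashing scheme (assumption)."""
    return hashlib.sha1(password.encode()).digest()
def index_to_pw(n: int) -> str:
    """Integer n -> the n-th string of the 3-letter password space."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)
def reduce_fn(digest: bytes, column: int) -> str:
    """Map a hash back into the password space. Mixing in the column index
    is what makes this a rainbow table rather than a plain hash-chain table."""
    return index_to_pw((int.from_bytes(digest[:8], "big") + column) % SPACE)
def build_table(starts):
    """Precompute one chain per start point; store only end -> start(s)."""
    table = {}
    for start in starts:
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_fn(weak_hash(pw), column)
        table.setdefault(pw, []).append(start)   # keep merged chains too
    return table
def lookup(table, target: bytes):
    """Recover a plaintext for `target`, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, col)          # assume target sits at column `col`
        for later in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(weak_hash(pw), later)
        for cand in table.get(pw, ()):       # replay each candidate chain to confirm
            for column in range(CHAIN_LEN):
                if weak_hash(cand) == target:
                    return cand
                cand = reduce_fn(weak_hash(cand), column)
    return None
def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user random salt hashed with the password; the table was built
    without it, so its chains never contain these digests."""
    return hashlib.sha1(salt + password.encode()).digest()

STARTS = [index_to_pw(i) for i in range(0, SPACE, 10)]   # constructed start points
TABLE = build_table(STARTS)
```

`lookup(TABLE, weak_hash(pw))` returns `pw` for any password the chains cover, while `lookup(TABLE, salted_hash(pw, salt))` returns `None` because no chain was ever built over the salted digests.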
Are rainbow tables a relevant threat?
Rainbow tables are an efficient way to crack large numbers of passwords using pre-generated data sets of password hashes. However, they are still fairly slow to generate, and each table is specific to the hash algorithm and the password character set and length it was built for. Since their inception in the early 2000s, they have largely been replaced by more powerful, advanced password-cracking techniques.
That said, rainbow tables have evolved and still remain a threat to password security, especially if an organization is using an outdated password-hashing algorithm. While rainbow tables may be deemed more or less obsolete, using modern, salted password-hashing algorithms and two-factor authentication is critical to ensuring an organization’s accounts remain secure.