Rainbow Tables can be used to crack passwords. Here is what you need to know about the topic. […]
Rainbow Tables are actually old hat: the first research on the subject took place in the early 1980s. Read how Rainbow Tables work and why they no longer play a role in the digitization era.
A Rainbow table is a large, precalculated table designed to turn the output of cryptographic hash functions into plaintext passwords. Rainbow tables were invented by IT expert Philippe Oechslin, who published his work on the topic in 2003. The term “rainbow” refers to the different colors within the table, with which different reduction functions and steps are marked.
However, the method itself is based on research from the early 1980s. At the time, Martin Hellman and Ronald Rivest dealt with the trade-off between the processing time and the storage requirements of cryptanalysis.
As a rule, companies have been storing their users' passwords in hash format for several years. Hashing algorithms turn passwords into cryptic strings, making them unrecognizable to outsiders. Technically, such a hash function can be reversed with the help of brute-force attacks. However, the larger the number of passwords in question, the longer it will take to identify the right one.
When it comes to cracking a variety of passwords, Rainbow Tables provide a significant reduction in complexity because there is a ready-made data set with password hashes against which the passwords can be matched. In this process, the hash files are, in simple terms, split into small parts and correlated with letters and words using calculations until the plaintext password is determined.
Speaking to CSO, Rainbow Table creator Oechslin explains: “Rainbow Tables allow you to reduce the hassle of cracking a password by spending large amounts of. For this, the passwords are organized in chains and only the first and last element of each chain is stored. The tables contain only a fraction of the passwords (for example, one in 100,000) and make it possible to crack all passwords with a fraction of the effort. The larger you make the table, the faster the password is cracked. Therefore, one speaks of a trade-off.”
Over the years, Rainbow Tables have proven to be particularly effective against the popular but particularly weak hash algorithm LM-Hash, which was used in the early days of Windows. The rainbow tables were a means for security researchers to check the effectiveness of password security standards. On the other hand, they have made it easier for threat actors to crack passwords for malicious purposes.
Preventing rainbow table attacks is easy, explains Javvad Malik, security officer at KnowBe4: “A ‘salt’ must be added to every password in hash form. If an attacker only owns the Rainbow table, but not the Salt value, he will not be able to uncover the password. This is something like taking a fingerprint and then stamping a random pattern on top of it – no access without perfect match.”
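The chain structure Oechslin describes and the effect of a salt can be seen together in a toy model. The following is an added example, not code from the article or from anyone quoted in it; the 4-digit PIN keyspace, SHA-256 as a stand-in for a fast unsalted hash, the chain parameters and all function names are assumptions chosen for illustration.

```python
import hashlib

CHAIN_LEN = 100   # hash/reduce steps per chain (toy value)
N_CHAINS = 300    # chains kept in the table (toy value)

def H(pw, salt=""):
    """Fast hash standing in for a legacy password scheme; unsalted by default."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

def R(digest, step):
    """Step-specific reduction (the 'colors'): digest -> some 4-digit PIN."""
    return f"{(int(digest[:12], 16) + step) % 10_000:04d}"

def build_table():
    """Store only end -> [starts]; the PINs in between are thrown away."""
    table = {}
    for i in range(N_CHAINS):
        start = pw = f"{i * 33:04d}"  # constructed, distinct start points
        for step in range(CHAIN_LEN):
            pw = R(H(pw), step)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target):
    """Guess the target's position in a chain, then rebuild matching chains."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = R(H(pw), step)
        for start in table.get(pw, []):
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), step)
    return None

def demo():
    table = build_table()
    pin = "0000"
    for step in range(42):  # walk to a mid-chain PIN
        pin = R(H(pin), step)
    unsalted = lookup(table, H(pin))
    salted = lookup(table, H(pin, salt="constructed-salt"))
    return pin, unsalted, salted

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the mid-chain PIN, the same PIN recovered from its unsalted hash, and `None` for the salted hash, because the precomputed chains were built for the unsalted function only.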
Although almost all companies nowadays store their passwords in hash format by default, “you will always find a developer who has developed an app or something else with a frighteningly bad hashing mechanism,” Malik says. Such conditions cannot be ruled out for companies either, which opens the door for rainbow table attacks.
Attackers who cannot resort to newer or more effective methods to crack passwords could also resort to the traditional Rainbow table approach to “try their luck”: “After all, the rainbow tables still work very well in some cases, for example, when GSM-A5/1 encryption is used,” notes cryptographer JP Aumasson.
Compared to modern password cracking threats, however, Rainbow Tables are outdated: the concept has long been replaced by more advanced, more powerful methods with fewer restrictions (keyword: salt). “Rainbow tables rarely offer added value compared to GPU-based cracking, as it takes a long time to generate them and they are only very specific for certain password hashes and types,” explains the encryption specialist.
Oechslin agrees, adding that more modern techniques have pushed the Rainbow Tables almost completely into the background over the past decade: “Except for some special cases, they are superfluous. With alternative, GPU-powered methods, the speed at which hashes can be cracked has increased enormously,” he says.
“Modern password cracking is highly dynamic and requires agility, flexibility and scalability. Rainbow tables are static, rigid and not scalable at all; they are the antithesis of modern password cracking. Even if you don’t have the performance of GPUs, modern techniques will give you a much higher hash yield than Rainbow Tables,” says Jeremi Gosney, founder and CEO of Terahash.
However, Rainbow tables are still relevant in education and training, as Malik emphasizes: “In order to develop an overall understanding of what security professionals should pay attention to when it comes to passwords, rainbow tables are still useful. In addition, they are a good example of how IT security has improved over the years.”
This post is based on an article from our US sister publication CSO Online.
* Michael Hill writes for our US sister publication CSO Online.