Rainbow table attacks are very effective at cracking even supposedly long passwords. However, protecting yourself is easy, and we’ll tell you how. Stay tuned!
We are always told to set long strings of passwords for better online security. While it’s true to an extent, cybersecurity is way more complex than setting an extensive string of alphanumeric characters.
While hacking a long password is typically an uphill task, it becomes a cakewalk if you have the password hash (explained in the next section) and a matching rainbow table.
What Is a Rainbow Table Attack?
Not as complex (or colorful) as the name suggests, rainbow tables are precomputed datasets (like this: free rainbow tables) that map hashes back to common (or leaked) passwords.
To understand their importance in an online attack, we must understand how passwords work.
A password database generally stores user passwords in hashed form rather than as plain text, for added security. It achieves this by running each plaintext password through a hashing algorithm and keeping only the resulting hash.
So, whenever we enter a password in an online portal (say Gmail), the portal hashes what we typed and compares the result with the hash saved for our account. We log in successfully if the generated hash matches the one in the database.
For illustration, I have used our own Geekflare’s Generate Hash tool; take a look:
So, if someone is using a (dangerously simple) password such as geekflare123, they will have the corresponding hash c0b78d5679f24e02fe72b8b30f16bbda saved in the database.
Notably, the hashing algorithm deployed to generate this hash is MD5.
Now suppose a bad actor illicitly gets access to the hash database. They can use a password-cracking tool that looks this hash up in a rainbow table (built for the MD5 algorithm), revealing the original password, which is geekflare123.
Next, they couple it with your username, and the specific account gets hacked.
This is called a rainbow table attack.
Steps to Protect Against a Rainbow Table Attack
A rainbow table attack is the result of a compromised hash database: either the hacker has direct access to it or has picked up a copy that is already circulating on the dark web.
In any case, security against such attacks depends on you and the password database admin.
As an individual, you can:
- Set unique passwords and keep checking their status against dark web leaks. You can do this by using dark web monitoring tools, which help to verify if a credential is exposed. Subsequently, change the specific password to remain safe.
- What’s even better is using multifactor authentication. It adds one more variable to the equation for robust security. One can simply use authenticator apps or hardware security tools such as Yubikey.
- However, the best way forward is passwordless authentication. It is arguably more secure than using passwords: no passwords, no password hacks. This works by using magic login links, TOTPs, biometrics, etc. Still, not all online portals have such advanced login infrastructure, but use them wherever they are available.
There are a few more things that are primarily aimed at password management systems.
- Adding a salt (extra random characters, unique per user) to each password before hashing makes the stored hashes unique, rendering the available rainbow tables useless. The salt should be randomly generated rather than derived from the username, so it cannot be predicted.
- One should avoid deploying outdated hashing algorithms like MD5, SHA1, etc. Instead, SHA256 or SHA512 are currently better options until something more secure comes up.
- Additionally, the stored hashes can be strengthened by rehashing the first hash together with the salt and the original password. The process can be repeated many times, and every extra round multiplies the computing cost an attacker must pay per guess, making cracking far more expensive.
Are Rainbow Table Attacks Still a Threat?
These attacks are increasingly going obsolete as salted hashes are the new normal. In addition, stronger hashing algorithms are becoming common, making rainbow table attacks a thing of the past.
Creating a rainbow table from scratch is itself very demanding, so an attacker is often limited to the tables already available, which serve no purpose if the listed precautions are taken.
Cybersecurity is a continuous tussle between us and the internet. You can’t let your guard down, and it’s good to stay updated with the current best practices.
Though rainbow table attacks might not be very relevant in the present context, the listed measures are worth noting and applying right away.
PS: But rainbow table attacks aren’t alone, and there are a few more types of cybercrimes to beware of.