Rainbow Tables are the nightmare of passwords

The name Rainbow Tables may suggest something colourful and pretty, but in reality it is a very powerful tool.

What are Rainbow Tables? How can something with such a cute name be so harmful?


The basic idea behind Rainbow Tables:

The scenario is that a malicious user has managed to gain access to a server and steal the database it uses. The database contains usernames and passwords.

The passwords stored in the database are hashed ("encrypted"), so he cannot read and use them directly. To be of any use to him, he must crack the passwords (or at least the admin password).

What are his options for cracking the password hashes?
He could use a brute-force tool such as John the Ripper, which repeatedly tries every possible password combination. His second option is to load a password dictionary containing hundreds of thousands of commonly used passwords and check whether the list contains the one he is after. If the passwords are strong enough, these methods can take weeks, months or even years, and considerable computing resources.

When a password is submitted to a system it is "hashed", so the actual password is not sent in plain text over the communication channel. This prevents eavesdroppers on your network from intercepting your password. A password hash usually looks like a jumble of letters and numbers that make no sense, and is usually a different size from the original password. So the password "password" has the MD5 hash "5f4dcc3b5aa765d61d8327deb882cf99".

To verify a user, the system takes the hash value generated by the password hashing function on the client and compares it with the hash value stored in a table on the server. If the hashes match, the user is authenticated and granted access.

Hashing a password is a one-way function, which means that the hash cannot be decrypted to reveal the plain text of the password. There is no key for decrypting the hash once it has been created; there is no "decoder", if you will.

Password cracking programs work in a similar way to the login process. The program starts with passwords in plain text. Using a hash algorithm such as MD5, it generates the hash values of those passwords. It then compares the resulting hashes with the hashes in the stolen password database. If a match is found, the program has discovered the password. As we said before, this process can take a very long time.

Introduction to Rainbow Tables

Rainbow Tables are huge tables full of hash values that have been precomputed and matched to plain text passwords. Rainbow Tables essentially allow the hacker to reverse the hash function and determine what the plain text password might be. It is possible (although very rare) for two different passwords to have the same hash, so it is not important to the hacker what the original password was; any password producing the same hash will do.


Rainbow Tables crack passwords in a very short time compared to the methods described above. However, the process requires a lot of storage space (sometimes terabytes) for the tables. But this is not a problem today.

Attackers can even buy ready-made Rainbow Tables for cracking the passwords of vulnerable operating systems such as Windows XP, Vista and Windows 7, and in general of applications that use the MD5 and SHA1 algorithms as their hashing mechanism (many web application developers still use these algorithms).

How can you protect yourself from attacks using Rainbow Tables?

Maybe a stronger password could help. We say "maybe" because it is not the weakness of the password that presents the problem, but the weakness of the hash function used to protect the password.

The best advice is to stay away from web applications that limit passwords to a small number of characters. This is a clear sign of vulnerable password-handling routines. Long passwords and complexity may help a little, but they are not a guaranteed form of protection. The longer the passwords, the larger the Rainbow Tables must be to crack them. But a hacker with a lot of computing resources can still do it.

If you are a web app developer and you want to protect your audience:

1. Do not use the MD5 and SHA1 algorithms for password hashing; they are out of date.

2. Use a "salt" in your password hashing.

Adding a "salt" to the password hashing function will greatly help protect your application. For coding examples that show how to add a salt to your application's or site's password hashing, see a great article from WebMasters By Design.
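The following is an added example (not from the original article or the WebMasters By Design piece) showing why the two recommendations above matter: a small precomputed lookup table, built from a constructed list of common passwords, instantly reverses an unsalted MD5 hash, while the same password hashed with a random per-user salt no longer appears in the table. The salted variant uses PBKDF2-SHA256 from Python's standard library as the assumed replacement for MD5/SHA1; the password list and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: the kind of common passwords a precomputed table is built from.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor; raise for production use


def build_lookup_table(candidates):
    """Precompute unsalted MD5 hash -> plain text, i.e. a tiny rainbow-style table."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def lookup(table, stored_hash):
    """Reverse a stored hash by table lookup; None if the hash is not in the table."""
    return table.get(stored_hash)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted hash: returns (salt_hex, hash_hex). A fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, hash_hex, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, hash_hex)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted MD5 as a legacy application would store it: reversed by one lookup.
    unsalted = hashlib.md5(b"password").hexdigest()  # 5f4dcc3b5aa765d61d8327deb882cf99
    # Same password, salted: not in any precomputed table, and two users with
    # the same password get different stored values.
    salt_a, hash_a = hash_password("password")
    salt_b, hash_b = hash_password("password")
    return {
        "unsalted_recovered": lookup(table, unsalted),
        "salted_in_table": lookup(table, hash_a) is not None,
        "stored_values_differ": hash_a != hash_b,
        "verify_ok": verify_password("password", salt_a, hash_a),
        "verify_wrong": verify_password("Password", salt_b, hash_b),
    }
```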

In the coming days we will publish an article on how to break a password using Rainbow Tables.

iGuRu.gr

Written by giorgos
