Rainbow Tables is the nightmare of passwords

The name Rainbow Tables perhaps it refers to something colorful and beautiful but in fact it is a very powerful hacking tool.

What are Rainbow Tables? How could such a cute name be so harmful?

security

The basic idea behind Rainbow Tables:

The scenario is that a malicious user was able to access a server and intercept his database. The database contains usernames and passwords.

Passwords stored in the base are encrypted, so they can not read and use them. In order to be useful it will have to break encryption of the codes (or at least the administrator password).

What are the options to crack encryption of passwords?
It may try to use a brute-force tool, such as John the Ripper, that repeatedly tries to guess every possible combination of a password. His second option is to upload a password dictionary containing hundreds of thousands of passwords commonly used to find out if the list contains the one he is asking for. These methods can take weeks, months or even years, and several computing resources if the passwords are strong enough.

When a password is tested on a system, it is "hashed" using encryption, so the actual password is not sent in plain text across the communication line. This prevents those who "listen" to your network from stealing the password. The password hash usually looks like a bunch of letters and numbers that make no sense and is usually different in size from the original password. So the password "password", but has as MD5 hash the "5f4dcc3b5aa765d61d8327deb882cf99"

To verify a user, the system gets the hashed value generated by the password fragmentation function on the client and compares it with the amount of hash value that is stored in a table on the server. If the checksums match, then the user has been authenticated and granted access.

The hashing of a password is a 1-way function, which means that the hash can not be decrypted to see what the clear text of the password is. There is no key to decrypting the hash once it is created. There is no "decoder" if you will.

Password hacking programs work in a similar way to the login process. The program starts by getting passwords in plain text format. Through an hash algorithm, such as MD5, it generates the hash values ​​of the codes. It then compares the hashes that came out with the hashes of a database password. If a match is found then the program has discovered the password. As we said before, this process can take a very long time.

Introduction to Rainbow Tables

Rainbow Tables are huge tables full of hash values ​​that are pre-identified with strong plain text passwords. Rainbow Tables essentially allow the hacker to reverse the hash function to determine what the plain text password might be. It is possible (although very rare) for two different passwords to have the same hash, so it is not important for the hacker to know what the original password was.

rainbow tables

Rainbow Tables break passwords in a very short time compared to the methods we described above. However, the process requires a lot of storage space (sometimes Terabytes) for Rainbow Tables. But this is not a problem today.

Hackers can buy ready-made Rainbow boards to crack passwords for vulnerable operating systems such as Windows XP, Vista, Windows 7, and more generally applications that use MD5 and SHA1 algorithms as a code fragmenter. (Many web application developers still use these hash algorithms).

How can you protect yourself from attacks using Rainbow Tables?

Maybe a stronger password could help. We mention "maybe" because it is not the password weakness that presents the problem, but the vulnerability associated with the hash function used to encrypt the password.

The best advice is to stay away from web applications that limit the length of passwords to a small number of characters. This is a clear sign of vulnerable authentication routines. Long codes and complexity may help a little, but they are not a guaranteed form of protection. The bigger the passwords, the bigger the Rainbow boards have to be to break it. But a hacker with a lot of computing space can do it.

If you are a web app developer and you want to protect your audience:

1. Do not use MD5 and SHA1 algorithms for password fragmentation, they are out of date.

2. Use "Salt" encryption in your hash code

Adding "Salt" to the password fragmentation function will greatly help protect your application. To see some coding examples that describe how you can add Salt to your application or site encryption see a great article from WebMasters By Design.

In the coming days we will publish an article on how to break a password using Rainbow Tables.

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).