Hashes, salts, and rainbow tables may sound like an avant-garde piece of art. But they’re all related to cybersecurity, primarily in the context of password management.
If you’re wondering how that impacts you, this article is for you.
Below, we reveal how rainbow table attacks work and what hashes and salts do to protect your most important business assets.
What is a Rainbow Table Attack?
Definition of a rainbow table attack
In a rainbow table attack, a hacker compares the hashes they stole to precomputed ones from a table. Every time there’s a match, they reconstruct the process that led to that match. This allows them to identify the original plaintext passwords associated with the stolen hashes.
The hacker then uses the plaintext passwords to gain unauthorized access to user accounts.
Rainbow tables are color-coded (hence the name of the attack) and consist of precomputed hashed passwords and their plaintext counterparts.
In 1980, Martin Hellman pioneered an algorithm for pre-computing and storing password hashes. Hellman’s method of cryptanalysis (the science of decrypting ciphertext), however, was resource-heavy and time-consuming.
Philippe Oechslin created rainbow tables in 2003 to address the limitations in Hellman’s method. Rainbow tables reduce the time needed for password cracking but require large amounts of memory or storage space. This is what’s called the “time-memory trade-off.”
As for how big rainbow tables are, they vary in size -- from small (35GB) to large (1TB).
At this point, you may be wondering, “What are the top tools for a rainbow table attack, if any?”
Good question. Today, attackers use several specialized tools, and they include:
- Password hash extractors like pwdump7 and Mimikatz to dump or extract hashed passwords from Windows systems
- Rainbow table generators like RainbowCrack, an open-source tool that generates rainbow tables and cracks Windows and Linux passwords
How rainbow table attacks compromise passwords
Now, we’re often asked: What’s the difference between a rainbow table attack and a brute force attack?
Here’s our answer:
Cybercriminals are primarily interested in speeding up the time it takes to crack stolen hashes. Generally, most brute force techniques are time-consuming. This is because the techniques rest on trying every possible combination of characters.
Meanwhile, rainbow tables shorten the time it takes to crack password hashes. Attackers can simply match stolen hashes to precomputed ones in their rainbow tables. Once they have the original plaintext passwords, they can readily access your business or banking accounts.
Common targets of rainbow table attacks
The most common targets of rainbow table attacks are:
- Web applications, e-commerce platforms, and social media sites where password reuse is a common practice
- Databases with weak access control measures
- Legacy systems using outdated cryptographic hashing algorithms like MD5, SHA-1, and SHA-2
- Active Directory accounts still using outdated NTLM hashing algorithms
Generally, attackers target platforms with weak password rules and outdated hashing practices. A wide attack surface awaits them there: 65% of people worldwide reuse the same password across multiple accounts, while a whopping 60% use the same password for most, if not all, websites.
How Does a Rainbow Table Attack Work?
Precomputed hash chains and rainbow tables
The process of perpetrating a rainbow table attack involves several steps.
First, the hacker starts creating a precomputed rainbow table by generating a list of possible user passwords.
Each plaintext password is then hashed using the victim or target system’s hash function, such as MD5 and SHA-1.
Next, a reduction function is applied to derive a new plaintext password. The new plaintext password is then hashed. This hashing-reducing process is repeated many times, which results in a hash chain.
A rainbow table contains many such precomputed hash chains. Each chain has a maximum length, created by alternating hash and reduction function operations.
In the final table, only the first password and the last hash value of each chain are stored. This reduces the needed storage space and allows passwords to be found more quickly.
The process of cracking passwords using rainbow tables
Next, the hacker focuses on acquiring a list of stored hashes from a target system.
Some of the most popular methods for stealing hashes are:
- Social engineering attacks like phishing
- SQL injections
- Network sniffing
- Exploiting vulnerabilities in poorly secured databases
Once the hacker has a list of stolen hashes, they perform a reverse lookup in the rainbow table.
For each stolen hash:
- If no match is found in the table, a reduction function is applied to the stolen hash to create a plaintext password. Then, the plaintext is hashed. This process of hashing and reducing is repeated until either a match is found, or the maximum chain length is reached without finding a match.
- If a match is found, the attacker reconstructs the chain from the beginning until they arrive at the stolen hash. Once they reach the stolen hash, the plaintext immediately preceding it is the original password (from “Making a Faster Cryptanalytic Time-Memory Trade-Off” by Philippe Oechslin).
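The precomputation steps above (hash, reduce, repeat; keep only the first password and the chain end) and the reverse lookup just described, as an added Python example that is not from the article or from Oechslin's paper. It builds a tiny rainbow table over three-letter lowercase passwords hashed with unsalted MD5 and then looks up a stolen hash. It goes one step beyond the text in how it reduces: the reduction function takes the column number as an input, which is Oechslin's actual rainbow construction and is why the lookup has to try every possible column. The 20-step chain length, the 2,000-chain table, the seed and the function names are assumptions chosen for illustration. The last lookup hashes the same password with a constructed salt prepended, which shows in code what the later section on salts explains: the table only covers the unsalted password space, so the lookup fails.

```python
import hashlib
import random
import string

# Toy parameters (assumptions for the example): a password space small
# enough to cover in a blink, and a short chain length.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 20                    # hash/reduce rounds per chain
NUM_CHAINS = 2000                 # rows stored in the table


def H(plaintext: str) -> str:
    """The target system's hash: fast, unsalted MD5, as in the article."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, SPACE) to one candidate password."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def R(h: str, column: int) -> str:
    """Reduction function: turns a hash back into some candidate password.
    Mixing in the column number is Oechslin's rainbow construction; it is
    what keeps two chains from merging permanently after one collision."""
    return index_to_password((int(h[:12], 16) + column) % SPACE)


def build_table(seed: int = 1234) -> dict:
    """Precompute NUM_CHAINS chains and keep only endpoint -> [start points].
    The intermediate hashes are thrown away; that is the time-memory trade-off."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    table = {}
    for _ in range(NUM_CHAINS):
        start = index_to_password(rng.randrange(SPACE))
        p = start
        for col in range(CHAIN_LEN):
            p = R(H(p), col)
        table.setdefault(p, []).append(start)
    return table


def crack(table: dict, stolen_hash: str):
    """Reverse lookup of one stolen hash. Returns the plaintext or None."""
    # The stolen hash could sit in any column, so try each one: reduce from
    # that column to the end of the chain and see if we land on a stored endpoint.
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = R(stolen_hash, col)
        for c in range(col + 1, CHAIN_LEN):
            p = R(H(p), c)
        for start in table.get(p, []):
            # Endpoint matched: regenerate that chain from its start point and
            # stop at the plaintext whose hash is the stolen one. A miss here is
            # a false alarm (two chains that happen to share an endpoint).
            q = start
            for c in range(CHAIN_LEN):
                if H(q) == stolen_hash:
                    return q
                q = R(H(q), c)
    return None


if __name__ == "__main__":
    table = build_table()
    victim = next(iter(table.values()))[0]     # a password the table covers
    print("unsalted MD5 cracked:", crack(table, H(victim)))   # -> victim
    # Same password, but hashed with a per-user salt prepended (constructed
    # salt "x7q1"): the salted input lies outside the precomputed space.
    print("salted MD5 cracked:", crack(table, H("x7q1" + victim)))  # -> None
```

Two things are worth noticing when running it. Only 2,000 start/end pairs are stored, yet the table answers for far more than 2,000 hashes, because every intermediate hash along each chain is reachable by recomputation; that recomputation is the "time" half of the trade-off. And a stored endpoint match is only a candidate: the chain must be regenerated and the hash actually matched before the plaintext is trusted, which is why the lookup can return None even after a hit.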
Risks and consequences of rainbow table attacks
The two greatest risks associated with rainbow table attacks are:
- Mass password compromise: The attack can leave your business accounts vulnerable, with customer data and financial systems accessible to the attackers.
- Operational disruptions: Your business may experience a massive loss in productivity, as personnel resources are diverted to deal with the attack. Overall, this can negatively impact your delivery of products and services.
Examples of Rainbow Table Attacks
Notable instances of rainbow table attacks
So, what are some real-world examples of rainbow table attacks?
In 2012, hackers stole more than 110 million hashed passwords from LinkedIn – and uploaded them to The Real Deal and LeakedSource, two illegal sites peddling hacked data to anyone who wanted it. Both marketplaces are now defunct; LeakedSource was purportedly shut down by the DOJ in 2017.
The main reason those hashed passwords weren’t “safe”? None of them were salted prior to hashing.
Both hashes and salts are key elements in cryptography. A hash function takes an input (such as a master password) and produces a fixed-length string of characters.
Meanwhile, a salt is a unique, random value added to the input before it’s hashed. Salting adds an unknown element and is an extra layer of defense against rainbow table and dictionary attacks.
However, salting isn’t a cure-all if outdated hash functions are used.
In 2013, Ubuntu Forums experienced a breach that exposed 1.8 million usernames, email addresses, and hashed passwords. Although the passwords were salted, they were hashed with MD5, a hashing algorithm susceptible to rainbow table attacks.
Impact of rainbow table attacks on individuals and organizations
Security breaches can have a devastating impact on people and organizations:
- Rapid rise in victims: An attack has real-world consequences, exposing the most sensitive customer and employee PII (personally identifiable information). In 2023 alone, 3,205 publicly reported data breaches impacted more than 353 million people worldwide.
- Data exfiltration: If your business falls victim to a rainbow table attack, the loss of trade secrets (manufacturing processes, inventions, and source code) can result in decreased revenues, market share, and competitive advantage.
- Legal and regulatory repercussions: Businesses that experience a breach or security incident often face lawsuits from disaffected customers and potential fines from regulatory agencies for violating data protection laws like GDPR, HIPAA, CCPA (California), and PCI DSS.
Lessons learned from past rainbow table attack incidents
Past attacks have taught us the importance of:
- Salted hashes and strong hashing algorithms like Argon2
- Regular security audits that uncover vulnerabilities such as poor configuration of hashing algorithms and the use of predictable salts
- Strong password policies and adaptive MFA for an added layer of security
Protecting Against Rainbow Table Attacks
Best practices for password security
Below are five of our best practices for password security:
- Enforce strong passwords based on current NIST and CISA policies.
- Implement an employee training awareness program that includes workshops, webinars, and interactive simulations.
- Encourage the use of password managers like LastPass.
- Keep all security solutions patched and conduct regular audits to identify outdated cryptographic algorithms.
- Consider using passwordless authentication to keep your most critical business assets safe.
Implementing strong encryption methods
Modern hash functions like Argon2, bcrypt, and scrypt are an important first line of defense for securing your most sensitive credentials.
You’ll also want to:
- salt your passwords before hashing
- encrypt your data with AES-GCM-256 -- AES is a block cipher, which means it turns data in plaintext blocks into ciphertext blocks. Meanwhile, GCM stands for Galois/Counter Mode, which means AES-GCM-256 operates in GCM mode to provide both encryption and authentication in a single cryptographic operation.
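Salting before hashing (the first bullet above, and the earlier section on salts) together with a slow, iterated hash, as an added Python example that is not LastPass's own code or the article's. It uses PBKDF2-HMAC-SHA256 from the standard library, with the 600,000-iteration count the article quotes later for that function; Argon2, bcrypt and scrypt are the preferred choices the article names, but they need third-party packages, and the storage pattern is the same. The record format, the 16-byte salt, the function names and the sample passwords are assumptions for the example. The needs_rehash check is the kind of test a periodic audit of stored credentials (the patch-and-audit bullet in the previous list) would run to find records still hashed with a weaker work factor.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; the count the article quotes for PBKDF2-SHA256
SALT_BYTES = 16        # assumption for the example; 16 random bytes is ample


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    Storing the salt and the iteration count next to the digest lets the
    verifier recompute exactly the same derivation later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh, unpredictable salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in
    constant time, so a wrong guess does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True if a stored record uses a weaker work factor than current policy;
    such records get re-hashed the next time the user logs in successfully."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


def unsalted_md5(password: str) -> str:
    """The legacy scheme from the breaches above, for contrast only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    # Two users with the same password: identical under unsalted MD5 (one table
    # hit cracks both), distinct under salted PBKDF2 (no shared precomputation).
    print(unsalted_md5(pw) == unsalted_md5(pw))              # True
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print(rec_a != rec_b, verify_password(pw, rec_a))        # True True
    print(needs_rehash(hash_password(pw, iterations=1000)))  # True
```

The salt does two jobs here: it makes two users with the same password produce different records, and it forces an attacker to precompute per salt, which is exactly the precomputation a rainbow table is meant to share across victims. The iteration count then makes each of those computations expensive; raising ITERATIONS later costs nothing for stored records, because needs_rehash flags them for an upgrade on the next successful login.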
Using multi-factor authentication to mitigate rainbow table attacks
Adaptive or passwordless MFA adds an extra layer of security beyond passwords.
Here’s how: Many passwordless authentication systems require device-based, biometric, or contextual authentication.
So, an attacker would either need to pass a facial recognition scan or have access to your mobile device to complete the authentication process.
Understanding Rainbow Table Attack Risks
Consequences of falling victim to a rainbow table attack
In our digital age, news of a rainbow table attack can spread quickly. Negative social media coverage can exponentially worsen the impact to your business.
It can create a culture of fear in your workplace and severely diminish employee morale, as friends and acquaintances question your brand’s reliability and resilience.
And although a Pew Research study reports that people who get their news from social media have reservations about its accuracy, influencers have an outsized impact on which news “sticks.”
With 71% of consumers trusting the opinions of influencers, your business will almost certainly face greater public scrutiny after a security breach.
The financial and reputational impact of rainbow table attacks
The consequences of a rainbow table attack are most severe in two areas:
- Financial: This includes direct costs from digital forensics, incident response & recovery, public relations & advertising, and lost partnership opportunities. After a data breach, for example, hospitals spend 64% more on advertising.
Your business will also be expected to pay for credit monitoring or identity theft protection services for affected customers. Finally, your business will incur extra expenses from upgrading your IT infrastructure to prevent future attacks.
- Reputational: In the aftermath of a breach, widespread publicity can lead to entrenched negativity about your brand. More than 80% of consumers will talk about their experience with their friends and family, while 33.5% will complain on social media.
Steps to take if your passwords have been compromised
If your passwords have been compromised:
- Immediately update all your passwords with a password generator.
- Enable adaptive MFA with a security-conscious password manager.
- Monitor your banking or financial statements for unauthorized transactions.
- Implement a credit freeze or fraud alert with the three credit bureaus: Equifax, TransUnion, and Experian.
- Procure data protection services such as TransUnion’s AI-powered BreachIQ to get a personalized mitigation plan.
How LastPass Can Help Protect Against Rainbow Table Attacks
Encryption
A proactive approach is critical to protecting your credentials. This brings us to the question: What defeats a rainbow table attack?
The answer: modern hash algorithms, unique salts, secure password storage, strong passwords, and continuous breach monitoring.
At LastPass, your master password is salted and hashed to protect the contents of your vault. A key benefit is that hashes are one-way functions, so they can’t be reversed.
Since 2023, we’ve added Argon2 key derivation to our now standard 600,000 rounds of PBKDF2 SHA-256 to repel brute force and rainbow table attacks.
Running this many iterations is a key-stretching technique that enhances the security of your data.
A salt also adds random data to your master password – making it more difficult for attackers to crack.
Along with military-grade AES-GCM-256 encryption, your data is protected at rest and in transit. This highly secure encryption is also resistant to GPU attacks.
Generating strong and unique passwords
You know strong passwords are a critical first line of defense against attacks. But your to-do list is long, and the prospect of creating complex passwords for every account can be overwhelming.
At LastPass, we have your back: now you can relax and let our Password Generator do all the work for you.
Breach monitoring
Worried about your data appearing on the Dark Web? With LastPass, you get advanced Dark Web Monitoring, which monitors your credentials 24/7. You get immediate alerts if your data has been compromised or if it has been identified on Dark Web sites.
And you’ll also get an alert if any of your passwords have been identified in a data breach. More importantly, each URL you add to your vault is stored encrypted. If you’re ready to start enjoying effortless security and peace of mind, sign up for a free, no-obligation LastPass Business trial today.