As with many security measures, hashing isn’t foolproof. How can an attacker discover what users’ passwords are?
One common way to attempt cracking hashed passwords is through the use of rainbow tables.
Rainbow tables are large precomputed lookup tables that map password hashes back to the plaintext passwords that produce them.
Rainbow tables are built from two different types of functions:
- A hashing function: the one used by the table must match the algorithm that produced the hashed password you want to recover.
- A reduction function: transforms a hash into something usable as a password. It is important to understand that the reduction function does not reverse the hash, so it does not output the original plaintext (i.e. the password), because that isn't possible; instead it outputs a completely new candidate password.
In essence, rainbow tables are massive lookup tables that can crack complex passwords significantly faster than traditional password cracking methods.
So what measures can we take to protect ourselves from rainbow table attacks? One common technique is the use of salts. A salt is a random value that is added to the input of the hashing function so that each password hash is unique, even when two users choose the same password. Salts help mitigate precomputed hash table attacks by forcing attackers to recompute the hashes using each user's salt.
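As an added example that is not part of the original article, the following Python builds a toy rainbow table over a constructed three-letter key space, using SHA-256 as the hashing function H and a simple reduction function R, and then shows that the same lookup fails once a salt is mixed into the hash input. The names H, R, build_table, lookup, STARTS, TABLE and crack are the example's own.

```python
import hashlib
import string

# Constructed toy key space: 3 lowercase letters (26**3 = 17,576 candidates).
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 20

def H(pw: str, salt: bytes = b"") -> str:
    """Hashing function (SHA-256 here); unsalted when salt is empty."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def R(digest: str, step: int) -> str:
    """Reduction function: maps a digest to *some* new candidate password.
    It never inverts the hash; mixing in the step index is what makes the table 'rainbow'."""
    n = (int(digest, 16) + step) % SPACE
    return "".join(ALPHABET[(n // len(ALPHABET) ** k) % len(ALPHABET)] for k in range(PW_LEN))

def build_table(starts):
    """Precompute chains of alternating H and R; store only endpoint -> start points."""
    table = {}
    for start in starts:
        p = start
        for j in range(CHAIN_LEN):
            p = R(H(p), j)
        table.setdefault(p, []).append(start)
    return table

def lookup(table, target: str):
    """Assume the target sits at chain position i, walk to the endpoint, and if that
    endpoint is stored, regenerate the chain from its start to recover the preimage."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = R(target, i)
        for j in range(i + 1, CHAIN_LEN):
            p = R(H(p), j)
        for start in table.get(p, []):
            q = start
            for j in range(CHAIN_LEN):
                if H(q) == target:
                    return q
                q = R(H(q), j)
    return None

STARTS = [R(H(str(k)), 0) for k in range(1500)]  # constructed, deterministic chain starts
TABLE = build_table(STARTS)

def crack(pw: str, salt: bytes = b""):
    """Return the recovered password, or None when the hash lies on no stored chain."""
    return lookup(TABLE, H(pw, salt))
```

crack(STARTS[0]) recovers the password from the precomputed table, while crack(STARTS[0], salt) returns None for any non-empty salt because the salted hash lies on none of the precomputed chains; in a real system the salt is a per-user random value (for example secrets.token_bytes(16)) stored alongside the hash.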