Posted October 18, 2017
We all know that a strong password is a necessary first step for good cyber hygiene. However, in 2016, 81% of hacking-related breaches leveraged stolen and/or weak passwords. With numbers like these, it’s no wonder that password-cracking attacks are some of the most used among hackers looking to breach a network.
One tactic we constantly see hackers using to crack passwords is the rainbow table attack. In this attack, hackers use a precomputed table of hash values that are already matched to possible plain text passwords. The table lets them look up a stolen hash and, in effect, reverse the hashing function to determine the password. A rainbow table attack can crack passwords faster than other techniques, like brute force and dictionary attacks.
Understanding Rainbow Tables
A rainbow table attack is all about matching the output of a hash function. Hash algorithms are one-way functions that turn password data into a fixed-length fingerprint that can’t be reversed. Essentially, when a user creates an account, the account information is stored in a database. But that information isn’t stored in plain text because if someone compromised the database, it would expose all the information.
Instead, passwords are put through a one-way hash function and then stored in the database. When the user tries to log in, the hash of the password they entered is checked against the hash of their password in the database. If the hashes match, the user gains access to the account.
If a hacker gains access to a system’s password database, they can use the rainbow table to compare hashed passwords to potential hashes in the table. The rainbow table then gives plain text possibilities with each hash, which the hacker can use to access an account.
Common password security measures that test password entropy are usually ineffective against rainbow table attacks. For example, the GRC password Haystack is a tool that predicts how long it would take to guess a user’s chosen password based on its length and character combinations.
However, the tool doesn’t take into account rainbow tables, which can crack passwords much faster than brute force methods. Some software using rainbow tables can crack a 14-character password in about 160 seconds.
Keys to Preventing Rainbow Table Attacks
Rainbow tables are fast and effective at cracking passwords because each password is hashed the same way. For example, if a hacker has a rainbow table with the hash for the password “johnny12,” any user that uses that password will have the same hash, so that password can easily be cracked. Since most people use common passwords or reuse passwords, it makes cracking easy.
You solve this issue with password salting. A salt is random data, unique to each user, that is added to the password before it is hashed, so even the same password produces a unique hash. If someone tried to compare hashes in a rainbow table to those in a database, none of the hashes would match, even if the passwords were the same.
There are a few guidelines for effective salting, such as making sure the salt isn’t too short and not using usernames as salts. A salt that’s too short can still be defeated with a high-capacity hard drive that can store larger tables. Likewise, using a username to make the salt unique is too predictable.
You should also avoid using outdated hashing algorithms, such as MD5 and SHA1, as most rainbow tables target systems using those algorithms.
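As an added illustration (not code from the original post), the Python sketch below works through the salting point above: two users with the password “johnny12” share one unsalted MD5 hash that a precomputed lookup finds, while per-user random salts with PBKDF2 give different stored values that the same table misses. The user names, candidate list, 16-byte salt and iteration count are assumptions, and the plain hash-to-password dictionary stands in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who chose the same password.
USERS = {"alice": "johnny12", "bob": "johnny12"}
# Constructed candidate list standing in for what a precomputed table covers.
CANDIDATES = ["password", "letmein", "johnny12", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: bare, fast, unsalted digest (MD5 only to show the flaw)."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow derivation (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_record(password: str) -> tuple:
    """Create the (salt, hash) pair stored per user, with a 16-byte random salt."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def table_hits(stored_hex: list) -> int:
    """Count stored values found in a table built before seeing the database."""
    table = {unsalted_hash(p): p for p in CANDIDATES}
    return sum(1 for h in stored_hex if h in table)


if __name__ == "__main__":
    weak_db = [unsalted_hash(p) for p in USERS.values()]
    strong_db = [new_record(p) for p in USERS.values()]
    print("unsalted hits:", table_hits(weak_db))
    print("salted hits:", table_hits([h.hex() for _, h in strong_db]))
    print("same salted hash:", strong_db[0][1] == strong_db[1][1])
```

The salt is stored next to the hash in the clear; its job is to make precomputation useless, not to be secret.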
Of course, the best prevention is keeping hackers from accessing your database to run these rainbow table attacks in the first place. Threat actors gain access to networks, servers, and devices through malware and then copy data and try to crack it.
Having a mitigation solution that can automatically detect and block known-bad activity, such as phishing and malware, can stop the earliest stages of hackers trying to access your network. This type of mitigation engine should also provide real-time intelligence into the threats that can compromise your system and help your security team discover and react to threats more efficiently.