BeyondTrust - Secure Remote Access and Privileged Access Management

Rather than keeping your password in plaintext, where it could be stolen, most systems store a password hash: a scrambled version of the password that is kept instead of the password itself. When you type your password, the system runs it through a one-way mathematical function to produce a hash that can be compared against the stored value, so your password can be checked without the system ever knowing it.

A rainbow table attack is a password cracking method in which an attacker uses a precomputed table, efficiently mapping cryptographic hashes to plaintext passwords to “reverse” stolen hashes into usable passwords.

How a Rainbow Table Attack Works

Rainbow table attacks work by abusing the hashing process used for passwords. A password is often converted into a hash value when the user enters it, and then compared to a stored hash for authentication.

If an attacker obtains a list of hashes, whether exposed through a data breach, an insider threat, or an insecurely stored password database, they can use a precomputed rainbow table to match those exposed hashes to likely plaintext passwords. Rainbow tables are readily available online today and remain highly effective against older hash types and the systems that still use them, such as Windows Active Directory.

For a rainbow table attack to work, the following conditions must be true:

  • Password salting is not implemented. Salting is the practice of adding a unique, random string of characters to a user’s password before it is converted into a hash.

  • The algorithm that the system used to transform the password into a hash is known. Common tools can quickly identify if a common format was used, based on the structure of the hash.

  • The password was hashed with a fast algorithm like MD5, SHA1, or NTLM. Slow algorithms (bcrypt, scrypt, Argon2id) increase the computational cost of generating a rainbow table, making them impractical to build.

Most modern systems defend against rainbow table attacks because salting and slow hashing algorithms are standard practice; such systems are more likely to be attacked with password-cracking tools running on graphics cards instead. However, many legacy systems are still vulnerable to this type of threat.

What is an Example of a Rainbow Table Attack?

An example of a rainbow table attack would start with the hashes stored in a hypothetical password database being leaked during a data breach. If this database contained unsalted passwords, an attacker could then use a rainbow table to match these exposed hashes to plaintext passwords and illicitly log into a user’s account.

How Does a Rainbow Table Attack Differ from a Dictionary Attack?

A rainbow table attack precomputes large sets of possible plaintext passwords and their corresponding hashes, enabling attackers to quickly convert hashes that they encounter into passwords. A dictionary attack, on the other hand, tests common passwords against a system or a set of hashes.

Dictionary attacks can often be mitigated by automatically locking a user’s account after a certain number of wrong attempts. Rainbow table attacks, however, are unaffected by account lockout policies, because the matching of hashes to plaintext passwords is performed offline. The correct password is then entered only once, at the time of the attack.

What is the Best Defense Against Rainbow Table Attacks?

To effectively defend against rainbow table attacks, apply the following best practices:

  • Implement password salting: The random characters added to passwords during salting will cause unique hashes to be generated for every user, making precomputed rainbow tables ineffective.

  • Generate long, complex passwords: Rainbow tables are precomputed for specific character sets and password lengths, making complex passwords more challenging to use in this type of attack.

  • Hash with slow, adaptive algorithms: Their high computational and memory cost makes it impractical to compute the volume of hashes needed to build a rainbow table.

  • Eliminate standing privilege and enforce least privilege: It is important for every account to only have the exact amount of privilege needed, precisely when it is needed. Then, even if an account were to become compromised via a password attack such as a rainbow table attack, the attacker would likely not be able to escalate privileges or cause other significant damage.
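The following Python illustrates the first and third defenses above and the "unsalted, fast hash" precondition from the earlier section; it is an added example, not BeyondTrust's code. It builds a toy lookup table (a stand-in for a real rainbow table) from a constructed five-password candidate list, shows that an unsalted MD5 hash is recovered instantly, and that a per-user salt plus scrypt (from Python's standard hashlib) defeats the precomputed table while still verifying the legitimate user.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the plaintext side of a
# precomputed table. A real rainbow table covers billions of candidates;
# five is enough to show the mechanism.
CANDIDATES = ["password", "123456", "letmein", "qwerty", "welcome1"]


def build_lookup(candidates):
    """Precompute unsalted MD5 -> plaintext once, offline (what a table gives an attacker)."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def precomputed_lookup(table, stored_hash):
    """Return the plaintext if the stored hash is in the table, else None."""
    return table.get(stored_hash)


def hash_unsalted_md5(password):
    """Legacy storage: fast, unsalted, identical for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted_scrypt(password, salt=None):
    """Modern storage: fresh 16-byte random salt per user plus a slow, memory-hard KDF.
    scrypt parameters (n, r, p) are an assumption chosen so the example runs quickly;
    production deployments should tune them to their own hardware. The salt is not
    secret and is stored next to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_salted_scrypt(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted_scrypt(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def same_password_distinct_hashes(password):
    """Two users with the same password get different stored digests, so one
    table entry cannot match both; this is exactly what salting buys you."""
    _, d1 = hash_salted_scrypt(password)
    _, d2 = hash_salted_scrypt(password)
    return d1 != d2
```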

Contact BeyondTrust to learn more about improving password and identity security.