Security 103: Rainbow Tables

Last week we posted a blog about the difference between hashing and encryption, which you can find here. This week, we go deeper into hashing by investigating the great big security hole in the one-way-ness of the hashing algorithm: rainbow tables.

A rainbow table is basically a giant pre-computed table mapping known passwords to their hashes. With a rainbow table, given the hash of a password, a hacker can easily retrieve the plain-text form of the user’s actual password! If you’re storing unmodified password hashes, it’s almost certain that someone already has a rainbow table that lists every single one of your users’ passwords alongside the corresponding hash.

Take a minute and think about that. If your passwords are stored as a simple hashed value, someone already knows all your users’ passwords. Really.

Just to show you how this works, let’s do an experiment. Make up a password that is reasonably strong: capital letters, punctuation, and so on. I’m going to use “myAwesomePassword!”. Note that this password is already significantly longer than most.

Now I’m going to take an MD5 hash of this fantastic password. The hash returns the following indecipherable string of letters and numbers: 2d3035c4aa192a5efc84d89cd0331230

Sweet! We should be good, right? Now, head on over to www.md5-hash.com. Go ahead and bang that awesome jumble into that box and hit the Decrypt button. You’ll see something like this:

Decrypted text for MD5 hash 2d3035c4aa192a5efc84d89cd0331230 is myAwesomePassword!

Boom. Sorry, but the hash for your awesome password has already been pre-calculated. And hackers know you’re going to be using that same password for your email. Once they’re in your email, they can find out who you do internet banking with. And log into your LinkedIn account. And Facebook. And, if things are really, really bad, they can log in to your LastPass account.
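The post describes a rainbow table as a giant list of hash/password pairs. That is the right mental model for what an attacker gets out of it, but a real rainbow table is a time/memory trade-off: it stores only the start and end of long chains that alternate between hashing and a "reduction" function that turns a hash back into some candidate password, and it recomputes the middle of a chain on demand. The following is an added example, not code from the original post, that builds and queries a miniature rainbow table over a constructed toy keyspace (4-character passwords over an 8-letter alphabet, so the whole thing runs in well under a second) using the same unsalted MD5 the post uses. All names, the keyspace and the chain parameters are assumptions chosen for the demonstration; the mechanics are the same ones that make a precomputed table against unmodified password hashes so effective.

```python
import hashlib
import random
from typing import Dict, List, Optional, Set

# Toy keyspace (constructed for this example): 4-character passwords over an
# 8-letter alphabet, i.e. 8**4 = 4096 candidates. A real table targets a
# keyspace many orders of magnitude larger; the mechanics are identical.
ALPHABET = "abcdefgh"
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 16      # columns per chain (t)
NUM_CHAINS = 512    # chains in the table (m); m * t = 8192 > KEYSPACE


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, exactly as the post's example uses."""
    return hashlib.md5(password.encode()).hexdigest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password (base-8 digits)."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def reduce_hash(hex_digest: str, column: int) -> str:
    """Reduction function R_column: turn a hash back into *some* candidate
    password. Mixing in the column index is what makes the table 'rainbow':
    chains that collide in different columns do not merge."""
    n = (int(hex_digest[:16], 16) + column) % KEYSPACE
    return index_to_password(n)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN,
                seed: int = 1234) -> Dict[str, List[str]]:
    """Precompute chains: start -> H -> R_0 -> H -> R_1 -> ... -> endpoint.
    Only (endpoint, start) pairs are stored; the passwords in between are
    recomputed on demand, which is the memory saving over a plain lookup table."""
    rng = random.Random(seed)
    table: Dict[str, List[str]] = {}
    for _ in range(num_chains):
        start = index_to_password(rng.randrange(KEYSPACE))
        pw = start
        for col in range(chain_len):
            pw = reduce_hash(md5_hex(pw), col)
        table.setdefault(pw, []).append(start)   # chains may share an endpoint
    return table


def lookup(table: Dict[str, List[str]], target_hash: str,
           chain_len: int = CHAIN_LEN) -> Optional[str]:
    """Recover the password behind target_hash, or None if no chain covers it."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: the target hash sits in column `col`. Walk the rest of
        # the chain forward and see whether we land on a stored endpoint.
        pw = reduce_hash(target_hash, col)
        for c in range(col + 1, chain_len):
            pw = reduce_hash(md5_hex(pw), c)
        for start in table.get(pw, []):
            # Endpoint matched: regenerate that chain from its start point and
            # check each password, which also filters out false alarms.
            cand = start
            for c in range(chain_len):
                if md5_hex(cand) == target_hash:
                    return cand
                cand = reduce_hash(md5_hex(cand), c)
    return None


def covered_passwords(table: Dict[str, List[str]],
                      chain_len: int = CHAIN_LEN) -> Set[str]:
    """Every password the table can recover (walk all chains once)."""
    covered: Set[str] = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for c in range(chain_len):
                covered.add(pw)
                pw = reduce_hash(md5_hex(pw), c)
    return covered


if __name__ == "__main__":
    table = build_table()
    covered = covered_passwords(table)
    print(f"{len(table)} endpoints stored, {len(covered)}/{KEYSPACE} passwords recoverable")
    victim = sorted(covered)[0]   # constructed sample: a password the table covers
    print(victim, "->", md5_hex(victim), "->", lookup(table, md5_hex(victim)))
```

Two things the toy makes concrete. First, the table stores only 512 endpoints yet can recover the bulk of the 4096-password keyspace, which is why the memory cost of a real table is manageable. Second, the table is built from the hash function alone, with no reference to any particular site: because an unmodified MD5 of "myAwesomePassword!" is the same everywhere, one table built once answers the query for every site that stores bare hashes, which is precisely the failure the post walks through. The later posts in this series (salts and key stretching) cover the defences.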

Whew! Hopefully that’s shown you how not to do password storage. Next week we’re going to start looking at the right way to do it. See you next time!

———————————————————————————-

This post forms one part of our Security series. You can find links to the other editions here:

Security 101: What is Encryption?
Security 102: What is Hashing?
Security Interlude: The real-world difference between Hashing and Encryption
Security 103: Rainbow Tables
Security 104: Improper Password Storage
Security 105: Seasonings (or Salts and Peppers)
Security 106: The Importance of Key Stretching
Security 107: The Hashing Algorithm, and why Bcrypt is your best friend
Security 108: The Other Stuff

———————————————————————————-