Healthy Passwords



What are hashes and rainbow tables?

Disclaimer: This is a very simplistic explanation of hashes. It is meant to explain what a hash is to a non-technical user. If you are looking for an academic explanation of hashes, look elsewhere.

When a password list is stored as hashed values rather than in plain text, an attacker who steals the list has a harder time getting at the passwords. Against hashes that were stored without a salt, however, attackers use precomputed lookups called rainbow tables to recover common passwords very quickly.

Before explaining rainbow tables, we should explain hashes. A hash function is a fixed formula applied to a password (or any string) that produces a scrambled value of fixed length called the hash. Hashes are not encryption: there is no key, and a hash is a one-way function, so there is no procedure that turns the hash back into the password. The same input always produces the same hash, and for practical purposes two different passwords will not produce the same one.

Hashes are good for password storage because the site never needs to know the password itself: if a user forgets it, the site simply resets it and lets them create a new one. If you click "forgot my password" and the website sends you your existing password, it is almost certainly storing passwords in plain text (or in some reversible form).

For example, the password 123456 run through MD5 becomes e10adc3949ba59abbe56e057f20f883e. The same password run through the SHA-256 algorithm becomes 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92. Note that the hash has a fixed length (32 hex characters for MD5, 64 for SHA-256) no matter how long the password is.

Since everyone knows the most popular password is 123456, an attacker just needs to keep the hash of 123456 under each common algorithm and compare those against a stolen list; a match reveals both the algorithm used and the fact that the user chose 123456. (The length and format of the hash usually give the algorithm away anyway.) There are many online databases where you can enter an MD5 hash and they will search their precomputed tables for it. Likewise, an online hashing tool may quietly keep whatever you type and add it to its own tables, so don't enter a real password into an online hashing page to see what it will look like.

Once they know the algorithm, they do not need to reverse the hash at all: they hash a long list of candidate passwords the same way and look for matching values. A rainbow table is a compact form of exactly that precomputed work, so a stolen, unsalted hash of any common password is recovered in seconds.

If a website salts the passwords before hashing them, it makes the attacker's job much harder. Here is a list of three common passwords and their equivalent MD5 hashes.

Username             Password     Hash (MD5)
bob@gmail.com        123456       e10adc3949ba59abbe56e057f20f883e
nancy@hotmail.com    123456789    25f9e794323b453885f5181f1b624d0b
shriva@yahoo.com     password     5f4dcc3b5aa765d61d8327deb882cf99

Since every rainbow table in the world already contains the three values above, the way a system makes its hashes stronger is by salting the passwords before hashing them.

A salt is an extra value mixed into the password before it is hashed. Because the salted text is no longer the bare password, a table precomputed from plain passwords no longer matches anything, and the attacker has to start over with fresh guesses for every salt they encounter. The salt does not have to be secret; it is normally stored right next to the hash. What matters is that it is different for every user, so that one table cannot be reused across accounts. A good salt would be a random value generated for each account rather than something predictable like the username. For a simple example, though, we will salt with a short form of the username, placed in front of the password.

Username             Salted Password     Hash (MD5)
bob@gmail.com        Bob123456           84de1a43e7d1c2f246eb79310c306057
nancy@hotmail.com    Nancy123456789      da765c6f797bf0b34f1f6a0c585716c4
shriva@yahoo.com     shrivapassword      c0857ed5d8cbec08debfef5d413ff0db

Adding the salt completely changes the hash, so a lookup in a rainbow table built from bare passwords finds nothing. Be clear about what the salt does and does not do: it defeats the precomputed table, but an attacker who has the stolen salt can still hash guesses one account at a time, and MD5 is fast enough that a weak password such as 123456 will still fall quickly. That is why systems built today combine a unique salt with a deliberately slow password-hashing function.
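The following script is an added example, not code from the Healthy Passwords site. It reproduces the two tables above in Python: it builds a tiny stand-in for an attacker's precomputed table from a constructed list of common passwords, shows that all three unsalted MD5 hashes are recovered by simple lookup (no "reversing" involved), and that the same lookup recovers none of the username-salted hashes. It then goes one step beyond the page, as noted in the comments, with a current-practice record that uses a random per-user salt and the slow PBKDF2-HMAC-SHA256 derivation from Python's standard library; the 600,000 iteration count is an assumed value, not something the page specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the three accounts from the tables above (username, salt, password).
ACCOUNTS = [
    ("bob@gmail.com", "Bob", "123456"),
    ("nancy@hotmail.com", "Nancy", "123456789"),
    ("shriva@yahoo.com", "shriva", "password"),
]

# Constructed stand-in for an attacker's precomputed table: a handful of the most
# common passwords. Real tables hold billions of entries but work the same way.
COMMON_PASSWORDS = ["123456", "123456789", "password", "qwerty", "letmein", "abc123"]


def md5_hex(text: str) -> str:
    """MD5 digest of a UTF-8 string as hex. Used only to match the page's examples;
    MD5 is far too fast to be a sensible choice for storing passwords."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha256_hex(text: str) -> str:
    """SHA-256 digest of a UTF-8 string as hex (64 hex characters, versus 32 for MD5)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_lookup_table(candidates, hash_fn=md5_hex) -> dict:
    """Attacker side: hash every candidate once, ahead of time, keyed by digest."""
    return {hash_fn(pw): pw for pw in candidates}


def crack_with_table(stored_hashes, table: dict) -> dict:
    """Nothing is reversed: each stolen digest is simply looked up in the table."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_md5(salt: str, password: str) -> str:
    """The page's simple scheme: prepend the salt, then hash. Same password plus a
    different salt gives a completely different digest."""
    return md5_hex(salt + password)


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> dict:
    """Current practice (assumed here, not described on the page): a random 16-byte salt
    per user and a deliberately slow key-derivation function. Salt and iteration count
    are stored in the clear beside the digest; they must be unique, not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_pbkdf2(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time
    so the check does not leak how many bytes of the digest matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def run_demo() -> dict:
    """Run the lookup attack against the unsalted and the salted tables and count the hits."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = [md5_hex(pw) for _, _, pw in ACCOUNTS]
    salted = [salted_md5(salt, pw) for _, salt, pw in ACCOUNTS]
    return {
        "table_size": len(table),
        "unsalted_cracked": len(crack_with_table(unsalted, table)),
        "salted_cracked": len(crack_with_table(salted, table)),
    }


if __name__ == "__main__":
    print("MD5(123456)    =", md5_hex("123456"))
    print("SHA256(123456) =", sha256_hex("123456"))
    print(run_demo())
    rec = pbkdf2_record("123456")
    print("PBKDF2 record:", rec)
    print("correct password verifies:", verify_pbkdf2(rec, "123456"))
    print("wrong password verifies:  ", verify_pbkdf2(rec, "654321"))
```

Running it shows the unsalted list giving up all three passwords while the salted list gives up none to the same table. The PBKDF2 part makes the remaining point from the text: two records for the same password differ because each gets its own random salt, and every guess against one record costs the attacker the full iteration count, so the salt stops table reuse and the slow function slows down guessing.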






Copyright © 2011, Sustainable Alternatives, LLC | Ligonier, PA 15658 | 724-238-9560 | All Rights Reserved.
