What are hashes and Rainbow Tables

Disclaimer: This is a very simplistic explanation of hashes. It is meant to explain what a hash is to a non-technical user. If you are looking for an academic explanation of hashes, look elsewhere.

When a password list is stored as hashed values, attackers have a harder time getting at the passwords. Attackers use precomputed lookups, the best known of which are rainbow tables, to quickly defeat hashed passwords that were stored without a salt. Before explaining rainbow tables, we should explain hashes.

A hash function is a formula applied to a password (or any string) that turns it into a fixed-length value from which the original text is unrecognizable. Hashes are not encryption: there is no key and no decrypt step. A hash is a one-way function, meaning the output is, for practical purposes, a unique fingerprint of the input and cannot be turned back into the input by any other function. That is what makes hashes suitable for password storage: the site never needs the original password, only to check whether what you typed hashes to the stored value. If the user forgets the password, you merely reset it and let them create a new one. If you click "forgot my password" and the website sends you your actual password, it is almost certainly storing passwords in plain text.

For example, the password 123456 run through MD5 becomes e10adc3949ba59abbe56e057f20f883e. The same password run through SHA-256 becomes 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92. Because the same input always produces the same output, and everyone knows the most popular password is 123456, an attacker only needs to keep the hash of 123456 under each common algorithm. Matching a leaked hash against that short list both reveals which algorithm the site used and cracks the password in one step. There are many online databases where you can enter an MD5 hash and they will search their precomputed tables for it. Likewise, many online hashing tools quietly add whatever users type to their own tables, so don't enter a real password into an online hashing page to see what it will look like.

A rainbow table is the industrial version of that list: a precomputed table of hashes over a very large set of candidate passwords, stored in a compressed form so that cracking is a lookup rather than a search. Once the attacker knows the hashing algorithm, the hash is not "reversed"; the attacker looks it up, or recomputes candidates until one matches. If a website salts the passwords before hashing them, it makes the attacker's job much harder. Here is a list of three common passwords and their equivalent MD5 hashes.
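A miniature rainbow table, added here as a worked example (it is not code from the original page): rather than storing every hash-to-password pair, it stores only the endpoints of hash/reduce chains over a toy space of 4-digit PINs and re-walks the chains at lookup time. The PIN space, the chain length and the reduction function are assumptions chosen to keep the example small; the construction is the same time-memory trade-off used against real MD5 or NTLM password hashes.

```python
import hashlib

# Toy password space: 4-digit PINs "0000".."9999" (assumption for illustration).
# Real tables use the same construction over far larger spaces.
PIN_SPACE = 10_000
CHAIN_LEN = 50          # hashes per chain; the table stores only chain endpoints


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def reduce_to_pin(digest: str, step: int) -> str:
    """Reduction function: map a digest back into the PIN space.
    Mixing in the step number gives each column of the table a different
    function, which is what makes it a *rainbow* table rather than a plain
    Hellman table and limits how often chains merge."""
    return f"{(int(digest[:8], 16) + step) % PIN_SPACE:04d}"


def build_table(starts):
    """Precompute: walk each chain hash -> reduce -> hash ... and keep endpoint -> start."""
    table = {}
    for start in starts:
        pin = start
        for step in range(CHAIN_LEN):
            pin = reduce_to_pin(md5_hex(pin), step)
        table.setdefault(pin, start)      # merged chains: keep the first start seen
    return table


def lookup(table, target_digest: str):
    """Online phase: return the PIN whose MD5 is target_digest, or None."""
    # The target could sit in any column of a chain; try every column.
    for column in range(CHAIN_LEN - 1, -1, -1):
        pin = reduce_to_pin(target_digest, column)
        for step in range(column + 1, CHAIN_LEN):
            pin = reduce_to_pin(md5_hex(pin), step)
        start = table.get(pin)
        if start is None:
            continue
        # An endpoint matched: regenerate that chain and confirm the preimage
        # (a match can be a false alarm caused by a chain merge).
        pin = start
        for step in range(CHAIN_LEN):
            digest = md5_hex(pin)
            if digest == target_digest:
                return pin
            pin = reduce_to_pin(digest, step)
    return None


def coverage(table, sample_pins):
    """Fraction of the sample PINs the table cracks (tables are never 100%)."""
    hits = sum(1 for p in sample_pins if lookup(table, md5_hex(p)) == p)
    return hits / len(sample_pins)


if __name__ == "__main__":
    # 2,000 chains of 50 steps cover most of the 10,000 PINs while storing
    # 2,000 endpoints instead of 10,000 hash -> PIN pairs.
    table = build_table(f"{i:04d}" for i in range(0, PIN_SPACE, 5))
    print("table entries:", len(table))
    print("md5('7319') cracks to:", lookup(table, md5_hex("7319")))
    print("coverage of 0000..0499:", coverage(table, [f"{i:04d}" for i in range(500)]))
```

The lookup never "reverses" MD5: every answer it returns is a PIN it re-hashed and compared, which is exactly why a per-user salt (covered below) breaks this attack, since the table was built for hash(PIN), not hash(salt + PIN).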
Since every rainbow table in the world already contains those three values, the way systems make hashes stronger is by salting them before hashing. A salt is an extra value combined with the password before it is hashed. If a password is salted before it is hashed, precomputed tables become useless, because they were built for hash(password) rather than hash(salt + password), and the attacker is forced to recompute every guess separately for each salt. The salt does not need to be secret; it is normally stored right next to the hash. Its job is to be unpredictable and different for every user, so that two users with the same password end up with different hashes and no table can be built in advance. A good salt is therefore a random value generated when the password is set, not something derived from the username, which is predictable and identical wherever that user reuses the password. Using our same list, we can give a salt example. For a simple illustration, imagine salting with the username: the stored value becomes the hash of the username joined to the password, so each of the three common passwords above now hashes to a different value for every user.
By adding the salt to the password we completely change the hash, so a rainbow table lookup no longer finds it. Salting only defeats precomputation, though: an attacker who has the salt can still try common passwords one at a time against a single user's hash, and MD5 and SHA-256 are fast enough to allow billions of such guesses per second. That is why password storage should use a deliberately slow, salted algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, and why users should avoid common passwords in the first place.
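An added example (not code from the original page) showing the attacker's precomputed lookup, what a random per-user salt does to it, and what a proper slow password hash looks like beside it. The common-password list, the salt sizes and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample of passwords that any lookup table certainly contains.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Attacker's side: a precomputed hash -> password lookup, the simplest form
# of the tables described above.
PRECOMPUTED = {md5_hex(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stored_hash: str) -> Optional[str]:
    """Instant lookup; works against any site that stores a bare MD5."""
    return PRECOMPUTED.get(stored_hash)


def hash_salted(password: str, salt: Optional[str] = None):
    """Site side: random per-user salt, stored next to the hash (not secret)."""
    if salt is None:
        salt = secrets.token_hex(16)   # 128 random bits (assumed size)
    return salt, md5_hex(salt + password)


def crack_salted(salt: str, stored_hash: str) -> Optional[str]:
    """Attacker side: the salt is known, but every candidate has to be
    rehashed for this one user, so nothing could be precomputed in advance."""
    for candidate in COMMON_PASSWORDS:
        if md5_hex(salt + candidate) == stored_hash:
            return candidate
    return None


# Proper password storage: salted AND deliberately slow. PBKDF2-HMAC-SHA256 is
# used here because it ships with the standard library; bcrypt, scrypt or
# Argon2 are equally good choices. Iteration count is an assumption.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None):
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    leaked = md5_hex("123456")
    print("unsalted, table lookup:", crack_unsalted(leaked))
    salt, stored = hash_salted("123456")
    print("salted, table lookup:", crack_unsalted(stored))
    print("salted, per-user recompute:", crack_salted(salt, stored))
    # Same password, two users, two different stored values.
    print(hash_salted("123456")[1] != hash_salted("123456")[1])
    s, d = hash_password("123456")
    print("pbkdf2 verify:", verify_password("123456", s, d))
```

The salted MD5 still falls to crack_salted for a password as weak as 123456; the salt only removes the shortcut of precomputation. The PBKDF2 variant keeps the salt and adds cost per guess, which is the combination a practitioner should actually deploy.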