This data must be “cracked,” either by trying every possible combination of characters or by loading a dictionary of commonly used strings. Both procedures consume time and computing power, and neither guarantees a result. A Rainbow Table, a large array of pre-computed hash values mapped to their plain text, trades that computation for a lookup, which simplifies the task and improves the odds of recovering sensitive data.
How a Rainbow Table Works
In order to understand how a Rainbow Table works, you must first understand the difference between hashing and encryption. A general rule of thumb suggests that anything that is encrypted can also be decrypted, provided the encryption key is available. For most applications, the keys to encrypted data are stored in a database, leaving them vulnerable to database hacks.
Hashing, however, is often thought of as a basic form of encryption: it maps plain text to a fixed-length string of characters that looks random but is fully determined by the input, so the same input always produces the same hash. The function is one-way and cannot be run backwards. The closest thing to an inverse is a reduction function, itself a one-way function that maps a hash back to some candidate plain text in the search space, not necessarily the original one. A Rainbow Table is composed of pre-computed chains that alternate hashing and reduction, and that are designed to work hashing backwards to reveal sensitive information.
In the event of a collision, that is, when two or more different strings produce the same hash (or the same reduced value), a Rainbow Table may ultimately fail. Collisions cause chains to merge and loop, so the table covers fewer distinct plaintexts than it appears to, and the odds of reducing the correct hash, or any hash at all, diminish. This is addressed by using a different reduction function for each position in the chain, but doing so changes how lookup and indexing operations work.
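To make the mechanism concrete, here is an added example (not code from the original article) that builds a toy Rainbow Table over a constructed keyspace of 3-character lowercase strings, using unsalted SHA-256 as the hash and a column-dependent reduction function. It stores only chain start and end points, recovers a plaintext from its hash by walking from each possible column to the chain end, reports how much of the keyspace the merged chains really cover, and shows that the same password hashed with a site salt is not found. The keyspace, chain length, chain count and the `reduce_fn` construction are all assumptions chosen for illustration.

```python
import hashlib
import string

# Constructed toy keyspace: every 3-character lowercase string (26**3 = 17,576).
# Chain length and chain count are illustration values, not real-world sizes.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 20      # hash/reduce steps per chain
NUM_CHAINS = 2000   # chains stored in the table


def h(plaintext: str) -> bytes:
    """The one-way hash under discussion (unsalted SHA-256 in this example)."""
    return hashlib.sha256(plaintext.encode()).digest()


def index_to_pw(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate plaintext."""
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def reduce_fn(digest: bytes, column: int) -> str:
    """Reduction function: squeeze a digest back into the keyspace.

    It is one-way and is NOT an inverse of h(); it merely yields *some*
    candidate.  Mixing in the column number gives each chain position its
    own reduction function, which is what limits chain merges.
    """
    return index_to_pw((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Pre-compute chains; only (end -> start) pairs are stored."""
    table = {}
    for i in range(num_chains):
        start = index_to_pw(i)          # deterministic start points
        p = start
        for col in range(chain_len):
            p = reduce_fn(h(p), col)
        # Two chains ending at the same value have merged; keep the first one.
        table.setdefault(p, start)
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Recover a plaintext whose hash is `target`, or None if the table misses."""
    # Assume the target sits at column k, walk from k to the chain end and
    # check whether that end point is stored.  Try every k.
    for k in range(chain_len - 1, -1, -1):
        p = reduce_fn(target, k)
        for col in range(k + 1, chain_len):
            p = reduce_fn(h(p), col)
        start = table.get(p)
        if start is None:
            continue
        # Regenerate the chain from its start to find the actual preimage.
        # A false alarm caused by a merge simply fails this check.
        cand = start
        for col in range(chain_len):
            if h(cand) == target:
                return cand
            cand = reduce_fn(h(cand), col)
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the keyspace whose hashes the (merged) table can invert."""
    seen = set()
    for start in table.values():
        cand = start
        for col in range(chain_len):
            seen.add(cand)
            cand = reduce_fn(h(cand), col)
    return len(seen) / KEYSPACE


if __name__ == "__main__":
    table = build_table()
    print(f"chains built: {NUM_CHAINS}, stored after merges: {len(table)}, "
          f"keyspace covered: {coverage(table):.1%}")
    # A plaintext that lies on the first chain is recoverable from its hash...
    pw = reduce_fn(h(index_to_pw(0)), 0)
    print("unsalted:", lookup(table, h(pw)))
    # ...but the same password hashed together with a salt is outside the table.
    print("salted:  ", lookup(table, h("site-salt" + pw)))
```

Note that `len(table)` comes out below `NUM_CHAINS` and `coverage()` well below what chain count times chain length would suggest: those are the merges the paragraph above describes. The salted lookup fails not because the salt is secret but because the table was built for the unsalted mapping; every distinct salt would need its own table.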
Compared with other password cracking methods such as brute force and dictionary attacks, a Rainbow Table combines the benefits of speed and low memory consumption. Even so, a good amount of non-volatile storage may be needed to hold one. Given the plentiful and inexpensive options available today, hackers can easily purchase the storage devices they need. In other instances, they might even purchase ready-made Rainbow Tables and hash collections for a number of operating systems, including Windows XP, Vista and 7.
Protecting Yourself from Rainbow Tables
The most logical way to protect yourself against a rainbow table attack is to use stronger (lengthier) passwords which contain upper and lower case letters, numbers and even special characters if they are allowed. Weak and easily guessed passwords are more likely to be cracked, and more likely to be chosen by other users as well. The latter case exposes you to additional risk: another user could access your account by combining your username with a password you both happen to use.
By the same token, you should avoid web applications that impose password-length restrictions, as well as those that do not require you to change your password frequently. These may be signs of poor authentication rules that ultimately point back to the software developer. Responsible engineering means avoiding outdated hashing algorithms and securing the mapping from password to stored hash cryptographically, which in practice means a unique per-user salt and a deliberately slow password hashing function. Doing so defeats a rainbow table attack, since a table would have to be pre-computed for every salt, and secures the data and privacy of your users.