Rainbow Tables and Brute Force Attacks

Server Config
1

Can someone help me get a better understanding of how “Rainbow Tables” and “Brute Force Attacks” work?

I get the part that a Rainbow Table is just a cross-reference between “Readable Passwords” and “Hashed Passwords”.


Password	Hashed Password
LetMeIn		14325890
password	49028655
guess		00743101

I think what confuses me is how having a pre-calculated “Rainbow Table” would really be of any value to a hacker?

So I know that “password” hashed equals “49028655”…

But other than checking a few obvious hashes like that, you’d still have to make hundreds or millions of attempts to guess the right hash!!

(I thought that any system worth its weight would lock you out after maybe 3 failed attempts?!)

Debbie

2

The value in rainbow tables is running them against data such as a complete list of passwords in a system that has already been acquired (e.g by sql injection or other exploit). There’s no relevance to using them against a live login on the web.
The millions of attempts can be run extremely quickly on the offline data. Even without rainbow tables cracking hashes can be done in many case in the space of hours to a few days using cloud resources like amazon gpu clusters. The key is not to let people access your database to acquire password hashes, and to use individual salts so that full table cracks can’t be performed.

3

I have been lead to believe - by others - that if I use something like this…


function hash_password($password, $salt = null){
	if (!is_null($salt))
		$salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);
		// this should be a long, random string
		// stored somewhere safe
		$key = 'abcdef';
		$hash = hash_hmac('sha512', $password . $salt, $key);
		return array($hash, $salt);
	}
}

…that it will be virtually impossible to reverse-engineer or other hack my Users’ passwords.

Do you agree or disagree??

Debbie

4

Yes this is secure, as long as you use unique salts (which it does by default if you don’t pass one to the function). If you use static salts it’s theoretically possible to analyse the statistics of large tables against common password lists to accelerate a full table crack.

5

Okay, thanks!

Debbie