Its not a new thing that passwords have to be kept safe. Unfortunately you cant protect every part of every system and you have to face the fact that some day your system may be hacked. Up till recently it would be safe enough to hash passwords using MD5 or SHA1 and put in some relatively safe place.

Unfortunately times have changed :-)

What are the rainbow tables?

I think it was a few years ago that i heard for the first time of rainbow tables. The idea is dead simple. Put a few computers together, let them generate all possible combinations of passwords people could come up with and push them into one big database. Why bother?

If you want to decode hash code to its original free text form you would have to brute force it. Hashing functions are one way so you cant figure out what was the oryginal text. But if you prepare up front and generate hundreds of millions of possible passwords? Well then the time complexity is completly different. All you have to do is walk through the database index :-) Assuming you created index on the hash value ;-)

Rainbow table is just such table with tens of millions of possible passwords and their hash values indexed by the hash.

Google = the ultimate open source rainbow table ;- )

You think ... ok so who would bother?! it will take you months or years to generate big enough set of passwords right? Well not any more.

It was just recently that i came across the fact that you can now search in google for your hash value. Aparently there are sites publishing huge rainbow tables so passwords like 'Perfect2' don't cut it any more! Hash of such password is '3e5e07f542b2239ec511bd5b32b01017' and all you have to do is google for it!

Protecting yourself from rainbow table attacks

So what do we do now?

Well first of all really keep an eye on the passwords, dont assume hash is safe to pass around any more.

Second of all (and more importantly) make sure that every password in your system has some long random string added to it before you calculate the hash. For example add hash like this to config file of your app:

'431!fqewF!$G1rvefrG+--3#;%$3EsedrfGS*KGRfJJ0-684qgf1e4f' 

Then every time you calculate a password hash just concatenate it with the password provided by user. It will still produce the same looking 32 characters string but the chances of anyone bruteforcing password like this is much lower.

The difference is that if someone would steal your passwords from the database he will not be able to simply look up passwords using the rainbow table. His rainbow table simply wont have the values you have encoded. Even if attacker steals the code and finds out the magical 'salt' he wont be able to use his rainbow tables. They will be useless. He would have to start bruteforce again from scratch using your salt and all possible passwords he can come up with .... and it will take a lot of time if your passwords are strong.

It can still happen that in year or two there will be even bigger set of rainbow tables available via google but for now its safe enough :-) Make sure you have long and complex salt and make sure your passwords have 8 chars with digits ... you should be safe for a few years :-)