DEV Community

kevinLearnsToCode

How to Use Salt to Prevent Rainbows from Stealing All Your Stuff

So are you one of those people who likes to use the name of your dog, the month you were born, or your favorite color as your password? Well, then you probably aren't super into secure passwords, but maybe if you read this blog your life will change forever when I tell you about amazing things like salt and rainbow tables!! OK, that's highly doubtful, but I have to write about something, and I thought the fact that salt and rainbows are two key words in password encryption was vaguely amusing, so here we go.

What's a Rainbow Table?

When you think of a rainbow, what's the most frightening thing that comes to mind? Is it a movie about a young girl who gets caught in a tornado and is attacked by a witch and giant flying monkeys, which you first watched when you were four years old? Or maybe it's stories of small men with vast hoards of gold who live at the end of rainbows and like to play tricks on children? Both of those are pretty good guesses, but today I'm going to go over how something called a rainbow table is used by cyber criminals to steal things from people.

A rainbow table is a tool that people can use to crack passwords on the internet. Thankfully, passwords on the internet are not stored the way you write them, because if a site just kept the 8-letter word with one capital letter that you typed in, it would be way too easy to hack. Instead, the passwords are hashed: the site takes what you write and turns it into a hash. Hashing takes the specific characters that are written - possibly a simple word - and puts them through a coding blender to make a seemingly random jumble of characters that is extremely difficult to reverse engineer.

For example, the VNC Hash program turns 'badpass' into 'DAD3B1EB680AD902'.

Just like with a blender, it's tough to turn a hash back into the word it came from, like '12345'. However, cyber criminals work very hard to figure out how to hack these hashed passwords. Rainbow tables are built by taking large numbers of hashes, running them through a dataset, and then putting the hashes through multiple reduction stages, over and over, until the tables contain hash values for each plain-text candidate.

Hackers then compare the rainbow table's list of potential hashes to the hashed passwords in a stolen database. If the hackers find a matching hash, they can get through the authentication process without ever even knowing what the original password was. And that would be super annoying for tons of people... I mean, maybe not as annoying as being carried away by a flying monkey, but it would still suck.

Salt to the Rescue

Luckily, there's another term that you'd think has nothing to do with cybersecurity that is used to stop rainbow tables from working for hackers: salt. That's right, salt isn't just useful for giving some flavor to your Nana's incredibly bland soup, it's also a key ingredient in keeping your passwords safe.

Remember earlier when I discussed how programs use hashes to make passwords more secure? Well, adding salt offers significantly increased complexity to hashes. For example, here is a SHA256 salted hash that turns '12345' into '5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5'.

Salt is something that is added by cryptography programs so that every password hash is unique, no matter how lame the actual password you entered was. So even if your password is "password", salt will make it difficult for hackers to get into your account... even if you probably deserve to get hacked in that case.
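To make the difference concrete, here is an added Python example that is not part of the original post: a tiny precomputed hash-to-password table stands in for a rainbow table, and per-password random salt (stretched with PBKDF2-HMAC-SHA256, which goes a step beyond the single salted SHA256 the post mentions) shows why that table stops matching. The password list, salt length and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed list of weak passwords an attacker could precompute in advance.
COMMON_PASSWORDS = ["12345", "password", "badpass", "qwerty"]
ITERATIONS = 100_000  # demo value; production should use the current OWASP guidance

def sha256_hex(data: bytes) -> str:
    """Plain, unsalted SHA-256: the same input always yields the same hash."""
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash -> plaintext table (a rainbow table without the chain compression)."""
    return {sha256_hex(p.encode()): p for p in candidates}

def lookup_unsalted(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Instant recovery of an unsalted hash if its plaintext was precomputed."""
    return table.get(stored_hex)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, stretched hash: a fresh 16-byte random salt per password, stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def demo() -> Tuple[Optional[str], bool, bool, bool]:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted storage: a leaked hash of '12345' is looked up immediately.
    recovered = lookup_unsalted(sha256_hex(b"12345"), table)
    # Salted storage: two users with the same password get different records,
    # and neither record appears in the precomputed table.
    salt_a, hash_a = hash_password("12345")
    _, hash_b = hash_password("12345")
    return recovered, hash_a != hash_b, hash_a.hex() in table, verify_password("12345", salt_a, hash_a)

if __name__ == "__main__":
    print(demo())  # ('12345', True, False, True)
```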

Top comments (1)

Ryan Pierce

Great blog post!