Proton

What is a rainbow table attack and how to prevent it?

Hackers use various methods to crack passwords, and one of them is the rainbow table attack. In certain cases, this method can be faster than dictionary attacks(new window) or credential stuffing(new window).

In this article, we explore how rainbow table attacks work and discuss ways to prevent them.

Rainbow table attack definition

A rainbow table attack is a cryptographic attack hackers use to break into systems by figuring out passwords from their hashes, which act as digital fingerprints. A hash function maps each password with a corresponding string of characters.

Unlike a brute-force attack(new window) that tries every possible password one by one, a rainbow table attack doesn’t require guesswork once the table is precomputed. This precomputed table (known as a rainbow table because of the way it looks if color-coded) is essentially a large database of hash value pairs linked to their plaintext counterparts.

How a rainbow table password attack works

1. Creating a list of passwords

When creating rainbow tables, hackers often target the most likely and commonly used passwords with simple patterns (for example, 123456, password, or qwerty), dictionary words, or password dumps obtained from data breaches.

2. Selecting the hash function and converting the passwords

Rainbow table attacks work well with simpler, faster cryptographic hash functions like MD-5, SHA-1, LM Hash, or NTLM Hash since they don’t use security features like salting (adding random data to each password before hashing) or key stretching (repeatedly hashing the password).

Password hashed with MD-5Plaintext password
482c811da5d5b4bc6d497ffa98491e38password123

Each plaintext password runs through the hash function to generate its corresponding hash, which has a unique, fixed-size string of characters as in the example above. Once all passwords are hashed, the hacker can use them to create the rainbow table.

3. Creating the rainbow table to reveal passwords

A rainbow table can be seen as a big Excel sheet, with hashed passwords in the first column and plaintext passwords in the second. If a breached hash is present in this table, that means the breached password is the cell next to it.

Rainbow table attack examples

Here are two hypothetical examples to illustrate how a rainbow table attack could play out:

  • A hacker identifies a social media site that uses an outdated hashing algorithm without any salting. By exploiting a SQL injection flaw, the attacker extracts the hash values of user passwords from the website’s database. Then they use a precomputed rainbow table to quickly convert thousands of these hashes back into plaintext passwords, compromising user accounts.
  • During routine network monitoring, a hacker discovers that an e-commerce website transmits password hashes insecurely between its servers and uses network sniffing tools to capture this data. Since they now have access to the password hashes, the hacker uses a rainbow table attack to decode customer passwords, gaining access to their shopping accounts and personal information.

Rainbow table attack data breaches

Rainbow table attacks have been used in the real world to steal millions of login details. 

For example, a 2012 LinkedIn hack(new window) by Russian cybercriminals resulted in the theft of nearly 6.5 million user account passwords, causing a significant data breach. Following the initial discovery, LinkedIn found an additional 100 million compromised email addresses and passwords in 2016 related to the same incident. The stolen passwords were poorly protected, lacking additional security measures like salting, making them easier for attackers to decrypt using standard rainbow tables

How to prevent rainbow table attacks

Choose platforms with strong hash functions

Secure hash functions like bcrypt(new window) or Argon2(new window) use salting(new window) to add random data to your password before creating its hash. Without the salt, the password’s hash won’t show up in a rainbow table, so an attack would fail.

To find out what hash functions a specific service or app uses to store passwords, check its privacy policy(new window), FAQ section, support page(new window), security certifications or audits(new window) (if any), technical documentation, or developer resources(new window). A simple internet search should work, or you can contact customer support(new window) and ask.

If you run your own websites or databases, keep your security settings updated by using plugins or modules that implement strong hashing algorithms.

Use complex passwords

Instead of using easy-to-guess passwords, opt for secure passwords(new window) made from at least 12 characters, which contain uppercase and lowercase letters, numbers, and symbols. Examples of strong passwords are ?GmmM1Z[c5:F or beht=ty]P:)Gf^c?p?+7. It’s unlikely for a cyberattacker to target such complex passwords using rainbow table attacks.

Turn on multi-factor authentication

Multi-factor authentication (MFA) like two-factor authentication (2FA)(new window) adds at least one more form of authentication to the password request, such as a code on your 2FA authenticator. If an attacker successfully discovers your password after a rainbow table attack, they won’t be able to pass the next steps of authentication.

Additionally, if you get an unexpected request for extra verification, it’s a clear sign that someone is trying to get into your account. You can quickly respond by changing your password.

Use alias email addresses

Alias email addresses(new window) can protect you from data breaches that could lead to rainbow table attacks since they are not connected to your primary email addresses. For example, you can keep using your main email for important messages and finances while reserving email aliases for less secure activities, such as signing up for untrusted services. If your alias email address is hacked, you can simply disable it.

Monitor the internet for data breaches

By staying informed about the latest breaches, you can determine if any of the services you use have been compromised and if your data has been leaked. This allows you to take proactive steps, such as changing your passwords immediately, to prevent hackers from using potentially exposed data to gain unauthorized access to your accounts. 

How Proton Pass can help

Proton Pass can protect you from rainbow table attacks by generating strong passwords(new window) and managing them in one place. It also supports a TOTP (time-based one-time password) authenticator for 2FA tokens(new window). Additionally, the app offers hide-my-email aliases(new window) to prevent your primary email address from being exposed online.

All Proton Pass subscribers can use Pass Monitor(new window) to monitor the health of all passwords and Dark Web Monitoring(new window) to track various sources for data breaches. Our security model(new window) uses the secure bcrypt hashing algorithm, which salts your passwords before hashing them to stop rainbow table attacks. Furthermore, we run an advanced security program called Proton Sentinel(new window) to detect and prevent account takeover attacks.

Start securing your accounts from rainbow table attacks by signing up for a free Proton Pass account today.

Related articles

laptop showing Bitcoin price climbing
en
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Product updates
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.