MD5, ‘rainbow tables’ and security

Published September 12th, 2007

There’s been a bit of a brouhaha recently about the availability of so-called ‘rainbow tables’ — effectively, lookup tables for hashed passwords — that mean that anyone with the time to download the data can reverse-engineer a password from its hash.

If you’re involved in storing user data then you might well benefit from reading this article, which gives an easy-to-follow breakdown of the issues and some useful advice on how to beef up the security of your password storage.

3 Comments

  1. Eli on September 26, 2007

    This is pretty nifty stuff. Salting a hash is a great way to secure passwords against an attacker who doesn’t have access to your database :)

  2. Stickman on September 26, 2007

    From what I understand, salting the password is useful even if the database is compromised.

    For example, even if you use the same hash for all your passwords, and the attacker knows the salt, then they still need to generate a rainbow table specifically for that salt plus every possible password combination — i.e. a standard rainbow table won’t be valid.

    If you use a random salt for every row in the database, and the attacker has access to that salt value for each row, they will have to generate an entire rainbow table for each password, which would be an astronomical amount of work.

  3. Technology Made Simple on March 1, 2008

    Rainbow tables work great, unless the suggestion mentioned in the provided link is implemented, but how many developers think like that? I know for a fact WordPress doesn’t use this type of security, and it’s one of the most popular blogging platforms on the ‘net.

    Thanks for sharing the link, but until the method becomes common practice, I’ll continue building rainbow tables. It’s fun.

    -Guy P.
    http://www.nullamatix.com
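To make the article's description of a rainbow table as a lookup table, and Stickman's point about per-row salts, concrete: the following is an added example in Python (not part of the original post or any comment). A small precomputed table of unsalted MD5 digests recovers an unsalted hash with one dictionary lookup, but is useless against the same password stored with a random per-row salt. The candidate word list and the stored passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the password space a
# rainbow table covers (a real table covers billions of candidates).
CANDIDATES = ["password", "letmein", "qwerty", "hunter2", "dragon"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> plaintext for every candidate: the one-off cost
    that, once paid, turns every unsalted MD5 hash into a dictionary lookup."""
    return {md5_hex(pw.encode()): pw for pw in candidates}


def store_unsalted(password: str) -> str:
    """The weak scheme the article warns about: bare MD5 of the password."""
    return md5_hex(password.encode())


def store_salted(password: str, salt=None):
    """Per-row random salt (16 bytes from os.urandom) stored beside the digest.
    The salt is not secret; it exists so no precomputed table covers the row."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), md5_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt = bytes.fromhex(salt_hex)
    return hmac.compare_digest(md5_hex(salt + password.encode()), digest_hex)


def lookup(table, digest_hex):
    """Recover the plaintext if the digest was precomputed, else None."""
    return table.get(digest_hex)


def demo():
    table = build_lookup_table(CANDIDATES)
    unsalted = store_unsalted("hunter2")
    salt_hex, salted = store_salted("hunter2")
    return {
        "unsalted_recovered": lookup(table, unsalted),  # "hunter2"
        "salted_recovered": lookup(table, salted),      # None
        "salted_verifies": verify_salted("hunter2", salt_hex, salted),
        # A second row with the same password gets a different salt and digest.
        "two_rows_differ": store_salted("hunter2")[1] != salted,
    }
```

The salt only removes the precomputation shortcut; because MD5 is fast, each salted row can still be guessed at one at a time, which is why a deliberately slow, salted password hash is the stronger choice for storage.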
