Rainbow Tables and Your Passwords
We’re always harping on passwords and why you should use complex strong passwords. Let me say this right off the bat – we’re not experts on password cracking – we can barely crack an egg let alone a password.
But I came across a graphic on the Web while checking out a site and it mentioned “Rainbow Tables”. It sounds pretty, but it’s not. Rainbow tables are precomputed lookup tables that let an attacker turn a stolen password hash back into the password, and the graphic I found showed how quickly that happens for simple passwords.
Before we show you that graphic, here’s a description of Rainbow Tables from Wikipedia – it’s about the simplest one we could find – but, sorry, not as simple as you and we would like…here goes:
…Any computer system that requires password authentication must contain a database of passwords, either hashed or in plaintext, and various methods of password storage exist. Because the tables are vulnerable to theft, storing the plaintext password is dangerous. Most databases therefore store a cryptographic hash of a user’s password in the database. In such a system, no one—including the authentication system—can determine what a user’s password is simply by looking at the value stored in the database. Instead, when a user enters his or her password for authentication, it is hashed and that output is compared to the stored entry for that user (which was hashed before being stored). If the two hashes match, access is granted.
Someone who gains access to the (hashed) password table cannot merely enter the user’s (hashed) database entry to gain access (using the hash as a password would fail since the authentication system would hash that a second time, producing a result that does not match the stored value, which was hashed only once). In order to learn a user’s password, a password that produces the same hashed value must be found.
Rainbow tables are one tool that has been developed in an effort to derive a password by looking only at a hashed value…
OK, now here’s the graphic that caught my eye. It was made six years ago, and rainbow tables, cracking software and the hardware they run on have only gotten faster since. Well, here, look:
Look at the hashed password in column 2. Look at the clear text password that was derived from the hashed password in column 4. Now look at how long it took to crack the password. The password “hello” was cracked in 6 seconds. Look at some of the others. Not one of these passwords took very long to crack. The reason is size: short, all-lowercase words like “hello” sit in a set of candidates small enough that tables covering all of it have already been computed and shared, so the “cracking” is little more than a lookup. Note, too, that the tables only work this way against unsalted hashes; a site that salts each password, or uses a deliberately slow hash such as bcrypt, forces the attacker to start over for every single user. You have no way of knowing which kind of site you’re dealing with, which is why the password itself is the defense you control.
Your passwords should be at least 12 characters long – preferably longer. Every extra character, and every extra character class (capital letters, lowercase letters, numbers and symbols), multiplies the number of candidates a cracker has to precompute or guess; a random 12-character password drawn from all four classes is already far beyond anything a table can hold. This 14-character password generated by LastPass draws from all four classes, and brute-force estimates for it run to trillions of years:
9QmW@2Ge#9$2z7
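The Wikipedia description above explains what a stored hash is for; the code below, an example added to this page rather than anything from the original post or from Wikipedia, shows how a rainbow table actually reverses an unsalted hash and why the length advice matters. It builds a toy table over a deliberately tiny keyspace (four lowercase letters, 456,976 candidates), cracks a constructed “leaked” MD5 hash by lookup, shows that a per-user salt defeats the very same table, and counts how many candidates a table would have to cover for a password like the one above. The keyspace, chain parameters, sample salt and victim password are all assumptions chosen so it runs offline in a couple of seconds.

```python
"""Toy rainbow table against unsalted MD5.

Added example, not from the original post. Everything here is constructed:
the tiny keyspace (4 lowercase letters), the chain parameters, the sample
salt and the "leaked" hash are chosen so the demo runs offline in seconds.
"""
from __future__ import annotations

import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4                         # toy keyspace: 26**4 = 456,976 passwords
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                     # t: hash-then-reduce steps per chain
NUM_CHAINS = 2000                  # m: (start, end) pairs actually stored


def md5_hex(password: str) -> str:
    """The unsalted hash the table attacks (the kind found in many old breaches)."""
    return hashlib.md5(password.encode()).hexdigest()


def int_to_password(n: int) -> str:
    """Enumerate the keyspace: 0 -> 'aaaa', 1 -> 'baaa', 2 -> 'caaa', ..."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_(digest_hex: str, column: int) -> str:
    """Map a digest back to *some* password in the keyspace.

    Mixing in the column index gives every column its own reduction
    function; that is what makes this a rainbow table rather than a plain
    Hellman table, and it keeps two chains from merging unless they
    collide in the same column."""
    return int_to_password((int(digest_hex[:16], 16) + column) % KEYSPACE)


def chain_from(start: str, chain_len: int = CHAIN_LEN) -> list[str]:
    """Passwords pw_0 .. pw_{t-1} whose hashes the chain started at `start` covers."""
    covered = []
    pw = start
    for col in range(chain_len):
        covered.append(pw)
        pw = reduce_(md5_hex(pw), col)
    return covered


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict[str, list[str]]:
    """Precompute m chains once; keep only endpoint -> start points.

    This is the time/memory trade-off: t hashes of work are compressed into
    one stored pair, and the work is done before any hash has been stolen."""
    table: dict[str, list[str]] = {}
    for i in range(num_chains):
        start = int_to_password(i)
        chain = chain_from(start, chain_len)
        end = reduce_(md5_hex(chain[-1]), chain_len - 1)
        table.setdefault(end, []).append(start)
    return table


def lookup(table: dict[str, list[str]], target_hex: str, chain_len: int = CHAIN_LEN) -> str | None:
    """Recover a password from its hash using only the stored endpoints.

    For each column the target might occupy, finish the chain from there and
    check whether its endpoint is stored. A stored endpoint is only a
    candidate (merged chains cause false alarms), so the chain is rebuilt
    from its start and the password is verified by rehashing it."""
    for col in range(chain_len - 1, -1, -1):
        pw = reduce_(target_hex, col)
        for c in range(col + 1, chain_len):
            pw = reduce_(md5_hex(pw), c)
        for start in table.get(pw, ()):
            for candidate in chain_from(start, chain_len):
                if md5_hex(candidate) == target_hex:
                    return candidate
    return None


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of passwords a table must cover for a given alphabet and length."""
    return alphabet_size ** length


if __name__ == "__main__":
    table = build_table()
    print(f"stored {sum(len(v) for v in table.values())} chains for a keyspace of {KEYSPACE:,}")

    # A "leaked" unsalted hash of a password the table covers (constructed sample).
    victim = chain_from("aaab")[7]
    print("cracked:", lookup(table, md5_hex(victim)), "from", md5_hex(victim))

    # Same password, but the site prepended a per-user salt (assumed value):
    # the salted digest is not the hash of any keyspace entry, so the
    # precomputed table finds nothing and a new table would be needed per salt.
    print("salted lookup:", lookup(table, md5_hex("x9Kq" + victim)))

    # Why length and character classes matter: a table has to cover the keyspace.
    print(f"5 lowercase letters: {keyspace_size(26, 5):,} candidates")
    print(f"14 chars, 95 printable ASCII: {keyspace_size(95, 14):.3e} candidates")
```

The table stores 2,000 pairs yet can answer for roughly 100,000 hashes, which is the whole point of the technique; real tables use chains thousands of steps long and millions of chains, but the arithmetic is the same, and it is the reason 26^5 lowercase passwords are a solved problem while 95^14 is not.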
Please be careful and use a password manager. There are several good free ones. The one I use is LastPass (free version). You can get it from www.lastpass.com. I use it to generate strong passwords. If you’re using the same password for everything, you’re taking a huge chance.
Hackers are not going to come to your computer and steal your password. They’re going to go after big companies like Target, LinkedIn, MySpace, and many other companies and web sites that have had user data stolen, take the whole database of password hashes, and crack it offline at their leisure. If a password they recover is one you reuse elsewhere, they will try it everywhere.
We’re always harping on passwords. We know. But it’s your best defense against having your money, identity and security stolen from you.
You don’t need to understand Rainbow Tables to understand how vulnerable short, weak passwords are.
Be smart. Be Safe. Use a password manager. Use strong passwords. Use a different password for every site.
Keep up the good work with strong reminders TC & EB.
On a personal note, I have solved problems with family/friends/neighbors’ computers. I have repeated your advice (go to Cloudeight) and mine many times, as demonstrated with password managers, and showed ‘how to’ with
R0*(=)Bq@4k (example) generated by keyboard.
Many people remain as stubborn as kyuss1979 (in memoriam of a dog which died?).
Lead a horse to water, etc., etc.
Thanks for all of the information you guys give. I learned a few years ago about a password that is almost impossible to crack. It would go something like this: several random letters followed by 5 or more periods followed by numbers. I have run this through the WolframAlpha password checker and found it to be a very strong password. It estimates it would take 11.5 million years to crack.
I have not tried it myself but it sounds good… character map a Chinese symbol to a key for password use.
Some institutions like my bank won’t accept anything but letters and numbers.