ProtonBlog

What is a rainbow table attack and how to prevent it?

Hackers use various methods to crack passwords, and one of them is the rainbow table attack. In certain cases, this method can be faster than dictionary attacks(new window) or credential stuffing(new window).

In this article, we explore how rainbow table attacks work and discuss ways to prevent them.

Rainbow table attack definition

A rainbow table attack is a cryptographic attack hackers use to break into systems by figuring out passwords from their hashes, which act as digital fingerprints. A hash function maps each password with a corresponding string of characters.

Unlike a brute-force attack(new window) that tries every possible password one by one, a rainbow table attack doesn’t require guesswork once the table is precomputed. This precomputed table (known as a rainbow table because of the way it looks if color-coded) is essentially a large database of hash value pairs linked to their plaintext counterparts.

How a rainbow table password attack works

1. Creating a list of passwords

When creating rainbow tables, hackers often target the most likely and commonly used passwords with simple patterns (for example, 123456, password, or qwerty), dictionary words, or password dumps obtained from data breaches.

2. Selecting the hash function and converting the passwords

Rainbow table attacks work well with simpler, faster cryptographic hash functions like MD-5, SHA-1, LM Hash, or NTLM Hash since they don’t use security features like salting (adding random data to each password before hashing) or key stretching (repeatedly hashing the password).

Password hashed with MD-5Plaintext password
482c811da5d5b4bc6d497ffa98491e38password123

Each plaintext password runs through the hash function to generate its corresponding hash, which has a unique, fixed-size string of characters as in the example above. Once all passwords are hashed, the hacker can use them to create the rainbow table.

3. Creating the rainbow table to reveal passwords

A rainbow table can be seen as a big Excel sheet, with hashed passwords in the first column and plaintext passwords in the second. If a breached hash is present in this table, that means the breached password is the cell next to it.

Rainbow table attack examples

Here are two hypothetical examples to illustrate how a rainbow table attack could play out:

  • A hacker identifies a social media site that uses an outdated hashing algorithm without any salting. By exploiting a SQL injection flaw, the attacker extracts the hash values of user passwords from the website’s database. Then they use a precomputed rainbow table to quickly convert thousands of these hashes back into plaintext passwords, compromising user accounts.
  • During routine network monitoring, a hacker discovers that an e-commerce website transmits password hashes insecurely between its servers and uses network sniffing tools to capture this data. Since they now have access to the password hashes, the hacker uses a rainbow table attack to decode customer passwords, gaining access to their shopping accounts and personal information.

Rainbow table attack data breaches

Rainbow table attacks have been used in the real world to steal millions of login details. 

For example, a 2012 LinkedIn hack(new window) by Russian cybercriminals resulted in the theft of nearly 6.5 million user account passwords, causing a significant data breach. Following the initial discovery, LinkedIn found an additional 100 million compromised email addresses and passwords in 2016 related to the same incident. The stolen passwords were poorly protected, lacking additional security measures like salting, making them easier for attackers to decrypt using standard rainbow tables

How to prevent rainbow table attacks

Choose platforms with strong hash functions

Secure hash functions like bcrypt(new window) or Argon2(new window) use salting(new window) to add random data to your password before creating its hash. Without the salt, the password’s hash won’t show up in a rainbow table, so an attack would fail.

To find out what hash functions a specific service or app uses to store passwords, check its privacy policy(new window), FAQ section, support page(new window), security certifications or audits(new window) (if any), technical documentation, or developer resources(new window). A simple internet search should work, or you can contact customer support(new window) and ask.

If you run your own websites or databases, keep your security settings updated by using plugins or modules that implement strong hashing algorithms.

Use complex passwords

Instead of using easy-to-guess passwords, opt for secure passwords(new window) made from at least 12 characters, which contain uppercase and lowercase letters, numbers, and symbols. Examples of strong passwords are ?GmmM1Z[c5:F or beht=ty]P:)Gf^c?p?+7. It’s unlikely for a cyberattacker to target such complex passwords using rainbow table attacks.

Turn on multi-factor authentication

Multi-factor authentication (MFA) like two-factor authentication (2FA)(new window) adds at least one more form of authentication to the password request, such as a code on your 2FA authenticator. If an attacker successfully discovers your password after a rainbow table attack, they won’t be able to pass the next steps of authentication.

Additionally, if you get an unexpected request for extra verification, it’s a clear sign that someone is trying to get into your account. You can quickly respond by changing your password.

Use alias email addresses

Alias email addresses(new window) can protect you from data breaches that could lead to rainbow table attacks since they are not connected to your primary email addresses. For example, you can keep using your main email for important messages and finances while reserving email aliases for less secure activities, such as signing up for untrusted services. If your alias email address is hacked, you can simply disable it.

Monitor the internet for data breaches

By staying informed about the latest breaches, you can determine if any of the services you use have been compromised and if your data has been leaked. This allows you to take proactive steps, such as changing your passwords immediately, to prevent hackers from using potentially exposed data to gain unauthorized access to your accounts. 

How Proton Pass can help

Proton Pass can protect you from rainbow table attacks by generating strong passwords(new window) and managing them in one place. It also supports a TOTP (time-based one-time password) authenticator for 2FA tokens(new window). Additionally, the app offers hide-my-email aliases(new window) to prevent your primary email address from being exposed online.

All Proton Pass subscribers can use Pass Monitor(new window) to monitor the health of all passwords and Dark Web Monitoring(new window) to track various sources for data breaches. Our security model(new window) uses the secure bcrypt hashing algorithm, which salts your passwords before hashing them to stop rainbow table attacks. Furthermore, we run an advanced security program called Proton Sentinel(new window) to detect and prevent account takeover attacks.

Start securing your accounts from rainbow table attacks by signing up for a free Proton Pass account today.

Protect your privacy with Proton
Create a free account

Related articles

From the very beginning, Proton has always been a different type of organization. This was probably evident from the way in which we got started via a public crowdfunding campaign that saw 10,000 people donate over $500,000 to launch development. As
Your online data is valuable. While it might feel like you’re browsing the web for free, you’re actually paying marketing companies with your personal information. Often, even when you pay for services, these companies still collect and profit from y
Password spraying attacks pose a major risk to individuals and organizations as a method to breach network security by trying commonly used passwords across numerous accounts. This article explores password spraying attacks, explaining their methods
A secure password is your first defense against unauthorized access to your personal information. While there are tools that generate strong passwords, remembering these complex combinations can become a challenge. Even if you use mnemonic devices,
Choosing the best email hosting provider for your small business is crucial for maintaining security, control, and compliance with data protection laws.  For one, many popular providers, such as Gmail and Outlook, don’t apply end-to-end encryption b
Today, we’re excited to announce new enhancements to Proton Drive’s sharing functionality, giving you greater control over who you share with and how you share your files and folders. This feature builds on how sharing currently works in Drive by le