Rainbow tables and salting
Last Post: July 3, 2018:
-
Not sure this is the right forum for this but since there a lot of smart people here I thought I'd give it a whirl.
While researching salting, I saw lots of stories claiming that password salting thwarted the use of rainbow tables. I had to scratch my head because it didn't make sense to me. Let's make sure my definitions are correct because that might be where I'm getting confused.
Rainbow tables are the precomputed hashes of every combination of characters used in a certain length password for a specific hashing algorithm. For instance, an MD5 lower alpha-numeric (abcdefghijklmnopqrstuvwxyz0123456789) rainbow table for 10-character long passwords would contain all the hashes for a through 9999999999.
A salt is a random string of characters added to the password before it is hashed.
Let's say our salt is four characters. A user picks a 5-character password of 12345. Now the random salt of t4j1 is added to the password and the result is t4j112345. This is sent through MD5 to get a result of a79dcf3a5d3ea5e34cc84c9103403267.
Since the password, t4j112345, is only 9 characters long and only contains lower alpha-numeric characters this hash would be found in the rainbow table.
So I guess to thwart the use of rainbow tables you need to be sure that:
1. salt length + password length > longest password in the rainbow table
2. salt and/or password contain characters not used in the rainbow table
-
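The two conditions listed in that post can be checked directly. The following Python is an added example, not code from the post; it builds a constructed, deliberately tiny precomputed hash-to-plaintext map (a real rainbow table stores hash chains to save space, but what it can and cannot recover is the same: only inputs inside the table's character set and length range) over digits of length 1 to 5, using MD5 as the post does, and then looks up an unsalted password, a short digit-only salt that keeps the input inside the keyspace, and a random salt like the post's t4j1 that pushes it outside. The `keyspace_size` and `precompute_cost` helpers are assumptions introduced here to show why a unique per-user salt matters even when the salted input would otherwise fit in a table.

```python
import hashlib
import itertools
import string
from functools import lru_cache

# Constructed toy keyspace: digits only, lengths 1..5 (111,110 entries),
# small enough to build in well under a second.
CHARSET = string.digits
MAX_LEN = 5


@lru_cache(maxsize=None)
def build_table(charset=CHARSET, max_len=MAX_LEN):
    """Precompute MD5 for every string over `charset` with length 1..max_len.

    A plain dict stands in for a rainbow table here: the lookup semantics
    (hash in -> plaintext out, only for inputs inside the keyspace) are
    identical, only the storage trade-off differs.
    """
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            plain = "".join(combo)
            table[hashlib.md5(plain.encode()).hexdigest()] = plain
    return table


def lookup(table, digest):
    """Return the plaintext for `digest` if the table covers it, else None."""
    return table.get(digest)


def salted_md5(salt, password):
    """Salt prepended to the password before hashing, exactly as in the post."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def in_keyspace(s, charset=CHARSET, max_len=MAX_LEN):
    """The post's two conditions: the salted input must be no longer than the
    table's longest entry and must use only the table's characters."""
    return len(s) <= max_len and all(c in charset for c in s)


def keyspace_size(charset=CHARSET, max_len=MAX_LEN):
    """Number of hashes an attacker must compute to build one table."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def precompute_cost(n_unique_salts, charset=CHARSET, max_len=MAX_LEN):
    """Hypothetical helper: with one distinct salt per user, a table built for
    one salt recovers nothing for another, so the precomputation cost scales
    with the number of salts instead of being paid once."""
    return n_unique_salts * keyspace_size(charset, max_len)


def demo():
    table = build_table()
    results = {}
    # Unsalted 4-digit password: inside the keyspace, recovered at once.
    results["unsalted"] = lookup(table, hashlib.md5(b"1234").hexdigest())
    # Salt "1" + password "2345" = "12345": still 5 digits, so the post's
    # point holds and the salted hash is found in the table.
    results["short_digit_salt"] = lookup(table, salted_md5("1", "2345"))
    # Salt "t4j1" + password "1234" = "t4j11234": 8 characters with letters,
    # violating both conditions, so the table cannot recover it.
    results["random_salt"] = lookup(table, salted_md5("t4j1", "1234"))
    results["random_salt_in_keyspace"] = in_keyspace("t4j11234")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("one table:", keyspace_size(), "hashes;",
          "1000 users with unique salts:", precompute_cost(1000), "hashes")
```

The `precompute_cost` line is the part the post's two conditions leave out: the defence from salting is less that a single salted input falls outside some table than that a random salt per user means no single table amortises across users, which is why sites pair salting with a slow password hash rather than MD5.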
So your question is: does password "salting" disrupt the use of "rainbow" tables? Is that correct?
-
Jules,
Yes, I guess that's my question.
Sorry now that I look at my post I see there's not much of a question in there. I suppose I was just posting to help me think it through. Sometimes writing down what I'm thinking can help me understand it better and/or point out flaws in my thought process.
Based on what I read/learned I had inferred that salting made rainbow tables useless but that's not necessarily the case. Am I wrong?
-