Quote:
Originally Posted by ratinox
But a thing called rainbow tables exists.
It's very standard practice to protect against rainbow table attacks by salting the password hashes. The attacker would then need a complete rainbow table for each possible salt value. For a long enough salt, that becomes impractical.
Quote:
A rainbow table is a table of precomputed hashes of common passwords, dictionary words, and combinations.
There's much more to it than that. It's certainly not restricted to common passwords etc. - the table will yield the hashes of any password generated by the reduction function from any of the other hashes in each chain (and it doesn't actually store any hashes, just the first and last password in each chain).
Quote:
If an attacker can get a dump of the account database, they can apply a rainbow table to find matches and recover cleartext passwords in seconds.
Not if it's adequately salted.
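To make the salting argument concrete, here is a small added Python example (written for this page, not code from ratinox or anyone in the thread): it builds a precomputed hash-to-password table for a constructed word list, shows that table recovering an unsalted stored hash, and shows the same table missing once a random per-account salt is mixed in. SHA-256, the word list and the 16-byte salt length are assumptions chosen for illustration.

```python
import hashlib
import os

# Constructed toy word list standing in for the attacker's precomputation input.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon", "monkey"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """SHA-256 of salt || password (assumed scheme, for illustration only).

    A real system should use a slow, memory-hard KDF (argon2, scrypt, bcrypt)
    rather than a bare hash; the salting logic shown here is the same either way.
    """
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precompute_table(wordlist, salt: bytes = b"") -> dict:
    """The attacker's precomputed lookup (hash -> password) for ONE fixed salt."""
    return {hash_password(w, salt): w for w in wordlist}


def lookup(table: dict, stored_hash: str):
    """Try to recover a plaintext from a stored hash via the precomputed table."""
    return table.get(stored_hash)


def tables_needed(salt_bytes: int) -> int:
    """How many distinct tables cover every possible value of a salt this long."""
    return 256 ** salt_bytes


def demo():
    # Unsalted storage: one table, built once, works against every account.
    unsalted_store = hash_password("hunter2")
    table = precompute_table(WORDLIST)
    recovered_unsalted = lookup(table, unsalted_store)  # "hunter2"

    # Salted storage: fresh random salt per account; the same table misses.
    salt = os.urandom(16)
    salted_store = hash_password("hunter2", salt)
    recovered_salted = lookup(table, salted_store)  # None

    # A table would have to be rebuilt per salt value: 2**128 of them for 16 bytes.
    return recovered_unsalted, recovered_salted, tables_needed(16)


if __name__ == "__main__":
    print(demo())
```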