Rainbow tables allow an attacker to crack passwords far more quickly than is possible using other methods, such as brute force attacks. Some people have dismissed rainbow tables as being a legacy tool that is ineffective in today’s world. Even so, rainbow tables have evolved over time and remain a threat to password security.
Rainbow tables are a password cracking tool that greatly expedites the cracking process. Operating systems such as Windows do not store passwords in clear text. Instead, the operating system uses an algorithm to create mathematical hashes of passwords, and those hashes are what is actually stored.
The hashing process cannot be reversed to reveal the password. Therefore, when an attacker performs a brute force crack, they will typically use a program to calculate a hash for every possible password and then compare that hash against the hash that is stored in the password database. This is an extremely time-consuming process.
With rainbow tables, an attacker calculates hashes once and saves them to a lookup table (which has come to be known as a rainbow table). The next time the attacker needs to crack a password, he or she can compare the password hash against the values stored in the table. If a matching hash is found, the password will be revealed. Using this method can reduce the amount of time required to crack a password from weeks to minutes or hours.
Needless to say, building a rainbow table from scratch would be a big undertaking. However, rainbow tables are available for download from sources such as Ophcrack.
Attackers used rainbow tables early on to crack LAN Manager (LanMan or LM) passwords. These were the passwords used in Windows XP and earlier operating systems. These passwords were notoriously easy to crack, with a 14-character limit.
Microsoft eventually adopted a new password mechanism, NTLMv2, that was far more secure than LanMan. This system was initially immune to rainbow table cracking, but rainbow tables now exist for both LM and NTLM hashes.
Some people dismiss the threat of rainbow tables because they require access to a system’s password database (the Security Accounts Manager, or SAM). Downloading a copy of a machine’s SAM generally requires Windows to be offline. That means that if you want to make a copy of the SAM, you will need physical access to the machine and the ability to boot to a secondary operating system.
However, there is another, more practical way to extract a machine’s password hashes, and it does not require physical access to the machine. It is possible to extract SAM data from the Windows registry. Once extracted, you can use a tool called Mimikatz to extract user names and password hashes from the registry file.
Defending Against Rainbow Table Cracks
So, if rainbow tables are not an outdated threat, what can you do to defend against their use today? There are three main countermeasures, although none is 100% effective by itself.
The first countermeasure is to encrypt the system’s hard disk using BitLocker. While it is true that you can extract password hashes from the Windows registry, accessing the SAM while Windows is offline tends to be a little bit easier. Encrypting the hard disk keeps an attacker (such as a rogue admin) from being able to access the disk’s contents outside of Windows.
The second countermeasure is to use password salting. Salting mixes a random value into each password before it is hashed, so the stored hash depends on the salt as well as the password. Because a rainbow table is precomputed from hashes of passwords alone, salts will effectively prevent table values from matching the values stored in the system’s SAM. However, if the attacker somehow knows the salt values, then it may be possible to modify the cracking algorithm to account for the password salts.
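To make the salting argument concrete, here is an added example in Python (not code from the original article). It uses SHA-256 as a stand-in for the operating system's password hash and a constructed four-word candidate list in place of a real table; the point it shows is that a precomputed table matches unsalted hashes but not salted ones, and that even with a known salt the attacker is back to recomputing every candidate for that one salt.

```python
import hashlib
import os

# Constructed candidate list standing in for the passwords an attacker
# precomputes; a real table covers many orders of magnitude more.
WORDLIST = ["password", "letmein", "Summer2024", "correct horse battery staple"]


def unsalted_hash(password: str) -> str:
    # SHA-256 is an assumption here, standing in for the OS's own hash
    # (e.g. the NT hash); what matters is that equal inputs give equal digests.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is mixed in before hashing, so the same password stored with
    # two different salts yields two different digests.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    # The precomputation step: done once, then reused against every stolen hash.
    return {unsalted_hash(w): w for w in words}


def lookup(table, stolen_hash):
    # A table hit reveals the password instantly; a miss returns None.
    return table.get(stolen_hash)


def crack_salted(words, stolen_hash, salt):
    # With the salt known, the table is useless as-is: every candidate must be
    # rehashed under this specific salt, which is the cost the salt imposes.
    return next((w for w in words if salted_hash(w, salt) == stolen_hash), None)


def demo():
    table = build_lookup_table(WORDLIST)
    stored_unsalted = unsalted_hash("letmein")
    hit = lookup(table, stored_unsalted)            # table recovers "letmein"
    salt = os.urandom(16)                           # per-user random salt
    stored_salted = salted_hash("letmein", salt)
    miss = lookup(table, stored_salted)             # None: no table entry matches
    recovered = crack_salted(WORDLIST, stored_salted, salt)  # "letmein", recomputed
    return hit, miss, recovered


if __name__ == "__main__":
    print(demo())
```

Each distinct salt forces a fresh pass over the candidate list, which is why a single precomputed table cannot be amortised across salted accounts.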
A third countermeasure to rainbow table cracks is to force users to adopt long passphrases as an alternative to conventional passwords (or, better yet, use a non-password based form of authentication). Rainbow tables are only computed for passwords of up to a certain length.
Rainbow tables may not be the biggest threat to organizations today, but they are a threat and should be considered and accounted for as part of a comprehensive security strategy.