What is a Rainbow Table?
Passwords on a computer system are not stored directly as plain text but are hashed using a hash function. A hash function is a one-way function, which means its output cannot be decrypted. Every time a user enters a password, it is converted to a hash value and compared to the already stored hash value. If the values match, the user is authenticated.

A rainbow table is a database that is used to obtain authentication by cracking the password hash. It is a pre-calculated dictionary of plain text passwords and their corresponding hashes that can be used to find out which plain text password produces a particular hash. Since more than one text can produce the same hash, it is not important to know what the original password really was, as long as it produces the same hash.
How does the Rainbow Table Attack work?
A rainbow table makes cryptanalysis very quick and effective. A brute force attack works by calculating the hash value of each candidate string and then comparing it to the one stored on the computer, at each step. A rainbow table attack eliminates this need by calculating the hashes of a large set of available strings in advance. There are two main steps in this:

Create a table
Here, the hash of a string is taken and then reduced to create a new string, which is hashed and reduced again, repeatedly. For example, let's create a table for the most common password, 12345678, using the MD5 hash function and a reduction that keeps the first 8 characters of the hash:

  1. First, we take the string and pass it through the md5 hash function.
    hashMD5(12345678) = 25d55ad283aa400af464c76d713c07ad
  2. We reduce the hash by taking only the first 8 characters. Then, we re-hash it.
    hashMD5(25d55ad2) = 5c41c6b3958e798662d8853ece970f70
  3. This is repeated until there are enough hashes in the output chain. This represents one chain, which starts from the first plain text and ends at the last hash.
  4. After obtaining enough chains, we store them in a table.
Cracking the Password
Starting with the hash text (of the password), we check whether it exists in the database. If so, go to the beginning of the chain and start hashing until there is a match. As soon as the match is obtained, the process ceases and the authentication is broken. The following flowchart explains the steps:
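
The two steps above (building a chain and looking up a hash), as an added Python example that is not part of the original article. It uses the article's reduction (first 8 characters of the MD5 hash); the function names, the single starting password and the chain length of 1000 are assumptions chosen for illustration.

```python
import hashlib

def md5_hex(text):
    """MD5 of a string, as 32 hex characters."""
    return hashlib.md5(text.encode()).hexdigest()

def reduce_hash(digest):
    """The article's reduction: keep the first 8 characters of the hash."""
    return digest[:8]

def build_table(starts, chain_len):
    """Step 1: walk each chain and store only end point -> start point."""
    table = {}
    for start in starts:
        plain = start
        for _ in range(chain_len):
            plain = reduce_hash(md5_hex(plain))
        table[plain] = start
    return table

def lookup(table, target_hash, chain_len):
    """Step 2: return a plain text whose MD5 is target_hash, or None."""
    candidate = reduce_hash(target_hash)
    for _ in range(chain_len):
        start = table.get(candidate)
        if start is not None:
            # End point found: replay the chain from its start.
            plain = start
            for _ in range(chain_len):
                if md5_hex(plain) == target_hash:
                    return plain
                plain = reduce_hash(md5_hex(plain))
            # No match in the replay: a false alarm, keep searching.
        candidate = reduce_hash(md5_hex(candidate))
    return None

CHAIN_LEN = 1000                               # assumed chain length
TABLE = build_table(["12345678"], CHAIN_LEN)   # one constructed chain

if __name__ == "__main__":
    target = md5_hex("12345678")
    print(len(TABLE), "stored pair covers", CHAIN_LEN, "plain texts")
    print(target, "->", lookup(TABLE, target, CHAIN_LEN))
```

Only the start and end of each chain are stored, so the table trades lookup time (re-hashing along a chain) for storage. A hash that lies on no stored chain is not found.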

Advantages:
  1. Unlike brute force, hashing is not the problem here (since everything is pre-calculated). With all the values already calculated, it is simplified to a simple search and compare operation in the table.
  2. You don't need to know the exact password string. If the hash matches, it doesn't matter if the string is not the password itself. It will be authenticated.

Disadvantages:
  1. A large amount of storage is required to store the tables.
  2. With all the values already calculated, it is simplified to a simple search and compare operation in the table.

An article by Munna Suprathik