- April 10, 2021 at 11:00 pm #382047
Docs and references are welcome
- April 10, 2021 at 11:00 pm #382048
An ELI5 version: Imagine you have a student who wants to be able to answer simple multiplication questions from their teacher as quickly as possible. So they take a big piece of graphing paper and put 1 through 10 in the rows and 1 through 10 in the columns. Then in each box they write the result of the row multiplied by the column. It takes a lot of time, but eventually the student calculates out every possibility and completes the chart.
Now the next day in class the teacher asks “What’s 7 x 4?” and the student doesn’t actually have to do any math now. They just look at the box for 7 x 4 and immediately provide the answer. This way they can answer the teacher’s questions really, really fast. The downside is that they need to keep the table on them at all times.
This is kind of how rainbow tables work, although it would be more accurate to say the teacher says “28” and then the student looks at each box until he finds 28 and then answers “7 x 4”.
- April 10, 2021 at 11:00 pm #382049
It’s trading computation work for storage space.
- April 10, 2021 at 11:00 pm #382050
The level of math in rainbow tables is sufficiently low that most people don’t consider it math.
- April 10, 2021 at 11:00 pm #382051
- April 10, 2021 at 11:00 pm #382052
Are rainbow tables even relevant today?
Sure, if you’re just encrypting the password in the database, and the attacker knows the password algorithm… So, I guess this is for an internal attack?
But, the next step is to just save the hash of the password; hashes are typically longer if you are using SHA256+. And again, the attacker needs to know the hash algorithm used.
And third, today there’s a salt value added to the password, so that there are no weak passwords, and you store the salt and the hash, making rainbow attacks impossible, because of long hashes and passwords that aren’t words; the salt is random.
Also, you need to be able to hit the front door of a site a huge number of times. And that’s not allowed today.
( I think. )
- April 10, 2021 at 11:00 pm #382053
It’s a precomputed brute-force algorithm that enumerates every possibility a user might store their password as. A lot of computation is done up front for faster results later.
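The following is an added example, not code posted by anyone in this thread. It turns the "compute everything up front, look it up later" idea from the multiplication-table post and the "precomputed brute force" post into a toy rainbow table over a deliberately tiny password space (all three-letter lowercase words, MD5, both chosen here for illustration), and then shows the point made in the salting post: a table built without the salt finds nothing once a per-user salt is mixed into the hash. Unlike a plain lookup table, a rainbow table stores only the start and end of each hash/reduce chain and recomputes the middle on demand, which is exactly the computation-for-storage trade-off mentioned above. The chain length, chain count, reduction function and the constant 7919 used to spread chain starts are all arbitrary choices for this example.

```python
"""Toy rainbow table (added example, not from the thread).

Password space: lowercase a-z, length 3 (26**3 = 17576 candidates).
Hash: MD5, chosen only because it is cheap; the technique is hash-agnostic.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17576 candidate passwords
CHAIN_LEN = 20                    # t: hashes covered per chain
NUM_CHAINS = 1500                 # m: (start, end) pairs actually stored


def index_to_pw(n):
    """Map an integer in [0, SPACE) to a password in the toy space."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def h(pw):
    """Unsalted hash, the only thing the attacker's table can target."""
    return hashlib.md5(pw.encode()).hexdigest()


def salted_hash(salt, pw):
    """Per-user salted hash: what the salting post recommends storing instead."""
    return hashlib.md5((salt + pw).encode()).hexdigest()


def reduce_fn(digest_hex, col):
    """Reduction function R_col: hash -> some password in the space.

    A different function per column keeps chains that collide in one
    column from merging forever afterwards (the 'rainbow' part).
    """
    return index_to_pw((int(digest_hex, 16) + col) % SPACE)


def build_table():
    """Precompute NUM_CHAINS chains, storing only each chain's start and end."""
    table = {}  # end password -> list of chain starts that end there
    for k in range(NUM_CHAINS):
        start = index_to_pw((k * 7919) % SPACE)  # arbitrary spread of starts
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), col)           # p_{col+1} = R_col(H(p_col))
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target_hex):
    """Recover a password for target_hex, or None if the table does not cover it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target is the hash at column `col`; walk to the chain end.
        pw = reduce_fn(target_hex, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), c)
        for start in table.get(pw, ()):
            # Regenerate the chain from its start up to column `col` and verify;
            # this guards against false alarms caused by partial chain merges.
            cand = start
            for c in range(col):
                cand = reduce_fn(h(cand), c)
            if h(cand) == target_hex:
                return cand
    return None


def coverage_estimate(table, samples=200):
    """Fraction of an evenly spaced sample of the space the table can crack."""
    step = max(1, SPACE // samples)
    hits = sum(1 for n in range(0, SPACE, step) if lookup(table, h(index_to_pw(n))))
    return hits / len(range(0, SPACE, step))


if __name__ == "__main__":
    table = build_table()
    print("stored entries:", sum(len(v) for v in table.values()),
          "of", SPACE, "possible passwords")
    print("crack h('aaa')       ->", lookup(table, h("aaa")))
    print("approx coverage      ->", round(coverage_estimate(table), 2))
    # Same password, but the site stored salt+hash: the unsalted table is useless.
    print("crack salted 'aaa'   ->", lookup(table, salted_hash("x7", "aaa")))
```

Chain starts are always recoverable (their hash sits at column 0 of a stored chain), which is why the usage above cracks `aaa`; other passwords are found only if some chain happens to pass through them, so coverage is well below 100% at these sizes. The salted lookup fails because the table was built over `H(pw)`, while the stored value is `H(salt + pw)`, and a random salt means an attacker would have to rebuild the whole table per user.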