A large enterprise's internal user database was recently hacked and leaked onto the internet. While working for a security consultancy, you have found evidence that several users' accounts were accessed using their passwords. You believe the hackers are using an existing set of common passwords to determine which users' hashed passwords match. What type of attack was used to determine the users' hashed passwords?
Answer Description
When passwords are stored in hashed form they cannot be reversed into their original form. However, if hackers obtain a large number of hashed passwords, they can take a list of common passwords and their hashed equivalents and determine each user's password by comparing the hashed values. One easy way to prevent this is by "salting" password values. For example, if a user's password is Password1, before hashing it you could add random characters to make it Password1-I#\((#\)(&#$. The user does not know you have added these characters, so they would be added whenever the user types in their password. This changes the hashed value and can prevent Rainbow Tables from being effective.
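As an added example (not from the exam page or from Wikipedia), the following Python contrasts an attacker's precomputed hash table against unsalted storage and against per-user salted storage. The wordlist is constructed and the use of SHA-256 is an assumption for illustration; a real system would use a slow key derivation function.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the attacker's list of common passwords.
COMMON_PASSWORDS = ["123456", "password", "Password1", "qwerty", "letmein", "welcome"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: every user with the same password
    gets the same hash, so one precomputed table covers them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Attacker side: precompute hash -> password for a list of common
    passwords. A rainbow table is a space-saving form of this same idea."""
    return {hash_unsalted(pw): pw for pw in passwords}


def recover_with_table(table, stored_hash):
    """Look a leaked hash up in the precomputed table; None if absent."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted hash: the salt is mixed in before hashing, so the same
    password yields a different hash for every user. Production code
    would use a slow KDF (e.g. hashlib.pbkdf2_hmac) instead of bare SHA-256."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_salted_record(password: str):
    """Defender side: pick a fresh random salt per user and store it in
    the clear next to the hash, as the answer description suggests."""
    salt = os.urandom(16)
    return salt.hex(), hash_salted(password, salt)


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Re-apply the stored salt at login and compare in constant time."""
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted lookup:", recover_with_table(table, hash_unsalted("Password1")))  # Password1
    salt, leaked_salted = make_salted_record("Password1")
    print("salted lookup:  ", recover_with_table(table, leaked_salted))  # None
    print("login check:    ", verify_salted("Password1", salt, leaked_salted))  # True
```

The precomputed table only works because unsalted hashing is deterministic across users; with a random per-user salt the same table yields nothing, while the stored salt still lets the server verify a login.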
Wikipedia
A rainbow table is a precomputed table for caching the outputs of a cryptographic hash function, usually for cracking password hashes. Passwords are typically stored not in plain text form, but as hash values. If such a database of hashed passwords falls into the hands of an attacker, they can use a precomputed rainbow table to recover the plaintext passwords. A common defense against this attack is to compute the hashes using a key derivation function that adds a "salt" to each password before hashing it, with different passwords receiving different salts, which are stored in plain text along with the hash.
Rainbow tables are a practical example of a space–time tradeoff: they use less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple table that stores the hash of every possible password.
Rainbow tables were invented by Philippe Oechslin as an application of an earlier, simpler algorithm by Martin Hellman.
Rainbow_table - Wikipedia, the free encyclopedia