
Rainbow Table Attacks - Cracking Hashed Passwords


A rainbow table is a precomputed table used to reverse-look-up the original password from a hash value. By creating a correspondence table between a large number of passwords and their hash values in advance, the original password can be quickly identified by matching it against a leaked hash value. It is an efficient attack method that exploits a time-space trade-off, and as of 2025 it remains a viable threat against systems that use fast hashes such as MD5 or SHA-1.

Real-World Use Cases

"When we investigated the password hashes of a leaked database, we found that unsalted MD5 hashes were used, and a rainbow table recovered about 70% of the passwords within minutes. Migrating to bcrypt is an urgent priority."

How Rainbow Tables Work

Plaintext password → Hash function → Reduction function → Repeat the chain → Store only start and end points

How Rainbow Tables Work and Numerical Examples

A rainbow table stores chains built by alternately applying a hash function and a reduction function (which maps a hash value back to some candidate password); only the start and end point of each chain are kept, which is where the time-space trade-off comes from. An MD5 rainbow table for an 8-character password of lowercase letters and digits (about 2.8 trillion combinations) can be built at around 460 GB, and cracking completes within minutes. On the other hand, for a 12-character password of upper- and lowercase letters, digits, and symbols, the table size balloons to hundreds of petabytes, making it virtually impossible to build. In other words, simply increasing the length and character variety of a password dramatically reduces the effectiveness of a rainbow table attack.

Countermeasures Against Rainbow Tables

The most effective countermeasure is to add a salt (random data) to the password before hashing it. When a salt is added, even identical passwords generate different hash values for each user, which renders precomputed tables useless. In modern password storage, hash algorithms such as bcrypt and Argon2, which automatically add a salt and allow the computational cost to be adjusted, are the standard. Service developers must not use fast hashes such as MD5 or SHA-1 for storing passwords.
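To make the chain mechanism and the salt countermeasure above concrete, here is a toy rainbow table over a constructed keyspace of 3 lowercase letters; it is an added example, not code from the original article. The start points, chain length and salt value are constructed for the demo; the lookup walks the target hash forward to a stored end point, regenerates that chain from its start, and treats a chain that does not actually contain the target as a false alarm (the "merged chain" case).

```python
import hashlib
# Toy parameters (constructed): 3 lowercase letters (26^3 = 17,576 candidates), 50-step chains.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
CHAIN_LEN = 50

def md5(pw: str) -> bytes:
    return hashlib.md5(pw.encode()).digest()

def reduction(digest: bytes, step: int) -> str:
    # Map a digest back into the password space. Mixing in the step index is
    # what makes this a rainbow table rather than a plain Hellman table.
    n = int.from_bytes(digest, "big") + step
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table(starts):
    # Walk each chain (hash, reduce, hash, ...) and keep only end -> starts.
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduction(md5(pw), step)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target: bytes):
    # Assume the target hash sits at position pos of some chain, walk to the
    # end, and if that end is stored, regenerate the chain from its start.
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduction(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduction(md5(pw), step)
        for start in table.get(pw, []):
            cand = start
            for step in range(CHAIN_LEN):
                if md5(cand) == target:
                    return cand
                cand = reduction(md5(cand), step)
    return None  # every candidate chain was a false alarm

def salted_md5(salt: bytes, pw: str) -> bytes:
    # With a per-user salt the stored hash covers salt||password, a value no precomputed chain visited.
    return hashlib.md5(salt + pw.encode()).digest()

# Constructed demo table: 208 chain start points.
STARTS = [a + b + c for a in "ab" for b in ALPHABET for c in "abcd"]
TABLE = build_table(STARTS)
```

Running `lookup(TABLE, md5("abc"))` recovers the password from the unsalted hash, while `lookup(TABLE, salted_md5(b"constructed-salt", "abc"))` returns `None`: the same table is useless once a salt is mixed in.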

User-Side Defenses

A random password of 16 or more characters has an astronomically low probability of being included in a rainbow table, giving it high resistance to this attack. Increasing the entropy of a password is the best defense against any offline attack.
