PrepAway - Latest Free Exam Questions & Answers

Which of the following actions could have helped prevent the use of rainbow tables on the password hashes?

A website is breached, exposing the usernames and MD5 password hashes of its entire user
base. Many of these passwords are later cracked using rainbow tables. Which of the following
actions could have helped prevent the use of rainbow tables on the password hashes?


A.
Use salting when computing MD5 hashes of the user passwords

B.
Use SHA as a hashing algorithm instead of MD5

C.
Require SSL for all user logins to secure the password hashes in transit

D.
Prevent users from using a dictionary word in their password

Explanation:

6 Comments on “Which of the following actions could have helped prevent the use of rainbow tables on the password hashes?”

  1. Student says:

    I believe the answer should be A, when salting is added to the computation it makes it much more difficult to use a Rainbow table.

    But if the password file is salted, then the rainbow table would have to contain “salt . password” pre-hashed. If the salt is sufficiently random, this is very unlikely. I’ll probably have things like “hello” and “foobar” and “qwerty” in my list of commonly-used, pre-hashed passwords (the rainbow table), but I’m not going to have things like “jX95psDZhello” or “LPgB0sdgxfoobar” or “dZVUABJtqwerty” pre-computed. That would make the rainbow table prohibitively large.

    So, the salt reduces the attacker back to one-computation-per-row-per-attempt, which, when coupled with a sufficiently long, sufficiently random password, is (generally speaking) uncrackable.

  2. Lake says:

    Salting can be used to strengthen the hashing when the passwords were encrypted. Though hashing is a one-way algorithm, it does not mean that it cannot be hacked. One method to hack a hash is through rainbow tables, and salt is the countermeasure to rainbow tables. With salt, a password that you typed in and that has been encrypted with a hash will yield a letter combination other than what you actually typed in when it is rainbow table attacked.

    The correct answer is A

    1. Mike says:

      Although MD5 and SHA-1 have vulnerabilities, some government agencies started using SHA-2 in 2011 (and most likely will use SHA-3 at some point).

      But salting and rainbow tables. Sounds too good of an answer to miss

  3. Super_Mario says:

    The correct answer is A. use salting when computing MD5 hashes of the user passwords

    A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a password (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters.
    Here are some developer tips on defending against Rainbow Table attacks:
    1. Don’t use MD5 or SHA1 in your password hashing function. MD5 and SHA1 are outdated password hashing algorithms and most rainbow tables used to crack passwords are built to target applications and systems using these hashing methods. Consider using more modern hashing methods like SHA2.
    2. Use a cryptographic “Salt” in your password hashing routine. Adding a cryptographic Salt to your password hashing function will help defend against the use of Rainbow Tables used to crack passwords in your application. To see some coding examples of how to use a cryptographic salt to help “Rainbow-Proof” your application please check out the WebMasters By Design site which has a great article on the topic.
    WRONG ANSWERS:
    B. Use SHA as a hashing algorithm instead of MD5 – This would only make matters worse. SHA1 is to be avoided.
    C. Require SSL for all user logins to secure the password hashes in transit. SSL is more than likely already in use and it has not stopped/would not stop the issue in the first place.
    D. Prevent users from using a dictionary word in their password – That would mean not using any words found in a dictionary. It would be rather difficult to implement!

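To make concrete what Student's comment (a precomputed table of "salt . password" becomes prohibitively large) and Super_Mario's developer tips describe, here is an added Python example. It is not code from the original page or from any of the commenters. The wordlist and the three user passwords are constructed for the demo; a plain hash-to-plaintext dictionary stands in for a rainbow table, which stores the same precomputed mapping more compactly through hash chains but has the same defensive weakness. The `hash_pbkdf2` function goes beyond the thread's MD5-with-salt to show the salted slow KDF a practitioner would actually deploy, with an iteration count chosen only for illustration.

```python
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed demo data (not from the breach discussed above): the wordlist a
# precomputed table is built from, and the plaintext passwords of three users.
WORDLIST = ["hello", "foobar", "qwerty", "password", "letmein", "dragon"]
USERS = {"alice": "hello", "bob": "qwerty", "carol": "Tr0ub4dor&3"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute md5(word) -> word once. A rainbow table stores this mapping
    more compactly via hash chains; the property that matters is identical:
    each candidate is hashed once and the result is reused against every leak."""
    return {md5_hex(w.encode()): w for w in words}


def hash_unsalted(password: str) -> str:
    """What the breached site stored: bare md5(password)."""
    return md5_hex(password.encode())


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Option A: md5(salt || password) with a fresh random 16-byte salt per user.
    Returns (salt_hex, digest); the salt is stored in the clear beside the hash."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return binascii.hexlify(salt).decode(), md5_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt = binascii.unhexlify(salt_hex)
    return hmac.compare_digest(md5_hex(salt + password.encode()), digest)


def crack_with_table(table: Dict[str, str], digests: List[str]) -> Dict[str, str]:
    """Attack on unsalted hashes: one dictionary lookup per leaked hash, no hashing."""
    return {d: table[d] for d in digests if d in table}


def crack_salted_with_table(table: Dict[str, str],
                            records: List[Tuple[str, str]]) -> Dict[str, str]:
    """The same table against salted records. The table holds md5(word) but the
    leak holds md5(salt || word), so nothing matches unless a table was built
    for that exact salt, i.e. one table per user."""
    return {d: table[d] for _, d in records if d in table}


def crack_salted_by_brute_force(words: List[str],
                                records: List[Tuple[str, str]]) -> Tuple[Dict[str, str], int]:
    """What salting reduces the attacker to: hash every candidate again for every
    user. Returns the cracked digests and the number of hash computations spent."""
    cracked: Dict[str, str] = {}
    work = 0
    for salt_hex, digest in records:
        salt = binascii.unhexlify(salt_hex)
        for w in words:
            work += 1
            if md5_hex(salt + w.encode()) == digest:
                cracked[digest] = w
                break
    return cracked, work


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[str, str]:
    """Beyond the thread: a salted slow KDF. The salt defeats precomputation and
    the iteration count makes the remaining per-user brute force expensive too.
    (The default iteration count is illustrative; tune it to your hardware budget.)"""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return binascii.hexlify(salt).decode(), binascii.hexlify(dk).decode()


def run_demo() -> Dict[str, int]:
    """How many of the three constructed users each attack recovers."""
    table = build_lookup_table(WORDLIST)
    unsalted = [hash_unsalted(p) for p in USERS.values()]
    salted = [hash_salted(p) for p in USERS.values()]
    brute, _ = crack_salted_by_brute_force(WORDLIST, salted)
    return {
        "table_vs_unsalted": len(crack_with_table(table, unsalted)),     # 2
        "table_vs_salted": len(crack_salted_with_table(table, salted)),  # 0
        "brute_force_vs_salted": len(brute),                             # 2
    }


if __name__ == "__main__":
    for attack, n in run_demo().items():
        print(f"{attack}: {n} of {len(USERS)} cracked")
```

The numbers make the trade-off visible: the precomputed table recovers the two dictionary passwords from the unsalted leak with no hashing at all, recovers nothing from the salted leak, and the attacker who still wants those two passwords has to spend one MD5 computation per candidate per user. That per-user cost is small for MD5, which is why salting alone is the answer to this question but not the end of the story; `hash_pbkdf2` shows the form where the per-user cost is made deliberately large.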