let’s just assume a simple non salted hash function, just a plain old $hash = md5($pass).
Premises:
- the password hashing all takes place server side, and the hashes are stored in the database. The client has no way to see these.
- a rainbow table attack must have knowledge of the hashes in order to retrieve passwords.
Given premise 2., that would mean that the hacker already has control of the database, in which point you have a much bigger problem on your hand.
So, is the point of trying to foil a rainbow table attack simply to protect the retrieval of passwords from an already compromised database/system. Is it that simple or is there something else that I am missing.
I’m already familiar with password hashing techniques, but am just wondering why there is so much hype about rainbow tables. Thanks!
Yes.
Many people use the same password for everything. Compromising the original password (as opposed to simply changing it to something you know) can often give an attacker access to someone’s accounts on other services.
Rainbow tables are also much less computationally intensive (simple lookup) than a dictionary attack (which requires hashing) or brute force (which requires a lot more hashing).
Use strong, unique passwords!