
Protect Your Passwords Against Rainbow Table Attacks

In this video, Zanidd will explore what techniques can be used to prevent rainbow table attacks. Watch him explain salt and pepper methods.
Hello, world, I’m Zanidd, and welcome to the Hands-on Cracking and Security course on CodeRed. In this section, we will cover the remedies for the attacks demonstrated in the course. We will also take a look at different password managers, and how they can or cannot solve our problems with passwords. This lesson focuses on prevention methods for rainbow table attacks that can be used to protect your passwords, or the passwords of your application. The remedies mentioned in the last lesson can also be used to prevent rainbow table attacks, so if you need more methods, make sure to check out the last lesson first.
The only real method to stop rainbow table attacks is to “season” your password with either salts, or peppers, or both. A salt is basically a string of random data that is added to the plaintext before it’s hashed. It is often stored alongside the password in a database and is unique and random for each password. Peppers are similar to salts. A pepper is random data that is added to the input before being hashed. But the difference here is that peppers are never stored together with the passwords. They’re usually stored in the configuration of the application or another secure location.
They need to be at least 112 bits, otherwise an attacker only needs to know one plaintext password to crack the pepper, which could be its own password. Usually, the pepper is application-wide and not unique for every password. Why can we prevent rainbow tables with the two methods? With salt and pepper, we can massively increase the security of our application. If the attacker has no access to the pepper, they will never find the right password. The same is valid for salts. Plus, salts can result in bigger rainbow tables, or rainbow tables that will need to compute more. Generally speaking, salt and pepper can increase the security for passwords, even if common and weak passwords are used.
So it is definitely something to implement either way, as it can also protect you against brute force and dictionary attacks. Sounds great - how can we do that? For the software engineers among us, use a library that helps to implement salting and peppering of hashes without having to create a lot of additional code. Or don’t implement the authentication at all and, instead, use something like Keycloak, where you can configure the authentication mechanisms and even select to use salts. If you have no access to source code, and are stuck with an application, try to find the configuration to use either salts or peppers. Or if possible, set an identity provider for the application that will support salt and pepper.
Some systems and software even already use salts or peppers, like the Unix system credentials used in Unix-like systems. So, no worries there. With our now-spicy passwords, we can have pretty safe passwords, even if they’re weak. But what about the actual typing of the password? The topic for the next lesson will be to prevent keyloggers from reading your keystrokes.

You can also refer to the previous video for more techniques to prevent these attacks. The most effective techniques are called salt and pepper methods and are explained here. You can use a library to implement these methods or check the configuration of the software if possible.
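As an added example (not code from the course or the video), here is the salt-and-pepper scheme described above in Python: a per-user random salt stored with the hash, an application-wide pepper held outside the database, and a small constructed lookup table standing in for a rainbow table to show why the stored hash can no longer be looked up. The pepper value, wordlist and iteration count are constructed demo settings.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo pepper (128 bits, above the 112-bit minimum the lesson gives).
# In a real deployment it is read from the application's configuration or a
# secrets store, never stored in the user table next to the salts and hashes.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_BYTES = 16       # per-user random salt, stored alongside the hash
ITERATIONS = 600_000  # PBKDF2 work factor; tune for your hardware

def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> dict:
    """Return the record to store for a user: its own salt plus the derived hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    # Pepper first: HMAC keyed by the secret pepper, so the value fed to PBKDF2
    # already depends on data an attacker with only a database dump does not have.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt second: the per-user salt makes equal passwords hash differently,
    # so one precomputed table cannot cover every user.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]), pepper)
    return hmac.compare_digest(candidate["hash"], record["hash"])

# Constructed stand-in for a precomputed table of unsalted SHA-256 hashes,
# to show what a salt takes away from an attacker holding such a table.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein"]
UNSALTED_TABLE = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}

def lookup_unsalted(hex_hash: str) -> Optional[str]:
    """Reverse a hash by table lookup; None when the table does not contain it."""
    return UNSALTED_TABLE.get(hex_hash)

if __name__ == "__main__":
    weak = "password123"
    print("plain SHA-256 reversed by table:",
          lookup_unsalted(hashlib.sha256(weak.encode()).hexdigest()))
    alice, bob = hash_password(weak), hash_password(weak)
    print("same password, different records:", alice["hash"] != bob["hash"])
    print("salted+peppered hash found in table:", lookup_unsalted(alice["hash"]))
    print("correct password verifies:", verify_password(weak, alice))
    print("verifies without the right pepper:",
          verify_password(weak, alice, pepper=b"wrongwrongwrong!"))
```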

Reflect and share: How do the salt and pepper methods increase password security? Share your answer in the Comments section below.

This article is from the free online course Advanced Cyber Security Training: Hands-On Password Attacks, created by FutureLearn.
