A rainbow table is a precomputed structure that lets an attacker recover a password from its hash, for a given hashing algorithm and a given password space (for example, every password up to a certain length over a certain alphabet). It is not literally a list of every password and its hash: it stores long chains of hashes in compressed form, so the table is far smaller than the space it covers.
When implemented properly, software never stores passwords directly. Instead, it stores a mathematical hash of each one. For example, instead of storing the password “iforgot”, software might store a value calculated from that password, such as “62072d95acb588c7ee9d6fa0c6c85155”. When someone logs in, the hash of the password they entered is calculated again; if it matches the stored hash, the password was entered correctly.
This approach safeguards passwords because a cryptographic hash cannot be reversed: there is no way to compute the password directly from its hash. Even if the hashes are exposed, as they often are in large-scale data breaches, they should in principle be of little value to an attacker, who cannot work backwards to the corresponding passwords and can only guess.
A rainbow table attacks this by brute force, done in advance. For a chosen hashing algorithm and password space (say, every password up to a given length), the attacker hashes every candidate once and stores the results in compressed form: long chains of alternating hash and “reduction” steps, of which only the first and last links are kept. Given a leaked hash, the attacker regenerates only the chain that contains it and reads off the password, which costs far less than hashing the whole space again. The attacker trades storage and one-off precomputation time for near-instant recovery of any password the table covers.
Rainbow tables have severe limitations that make them less useful than we might fear. A table only covers the password space it was built for, so a password longer than the table’s maximum length (or using characters outside its alphabet) is simply not in it. A table is also specific to one hashing algorithm, and building one against a deliberately “slow” algorithm (such as bcrypt, scrypt, Argon2 or PBKDF2) multiplies the precomputation cost by the same factor that slows each login check. Finally, a salt (a random value stored alongside each user’s hash and mixed into the hash calculation) changes the hash of every password per user, so the attacker would need a separate table for every salt value, which defeats the precomputation entirely.
Current best practice in password storage is to use all three: long passwords, a “slow” hashing algorithm, and a salted hash.
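As an added example (not part of this glossary entry), the following Python program works through the three ideas above in code: storing and checking a password by its hash, building and querying a toy rainbow table with the chain structure real tables use, and the two storage defences, a salt and a slow key-derivation function. It assumes a constructed password space of exactly three lowercase letters, MD5 as the fast hash under attack, and constructed sample passwords; the chain length, chain count and PBKDF2 iteration count are illustrative choices, not tuned values.

```python
import hashlib
import hmac
import os
import string

# Constructed toy password space: exactly three lowercase letters
# (26**3 = 17,576 candidates). Real tables target far larger spaces.
ALPHABET = string.ascii_lowercase
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 100    # hash/reduce steps per chain: longer = smaller table, slower lookup
NUM_CHAINS = 2000  # chains stored; NUM_CHAINS * CHAIN_LEN comfortably exceeds SPACE

def fast_hash(password: str) -> bytes:
    """Unsalted, fast hash (MD5 here): the kind of storage a rainbow table attacks."""
    return hashlib.md5(password.encode()).digest()

def int_to_password(n: int) -> str:
    """Map an integer in [0, SPACE) onto a password in the toy space."""
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def reduce_fn(digest: bytes, column: int) -> str:
    """Reduction function R_column: digest -> candidate password. Using a different
    reduction in each column is what makes this a *rainbow* table: two chains only
    merge if they collide in the same column."""
    return int_to_password((int.from_bytes(digest[:8], "big") + column) % SPACE)

def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precomputation. Only (end point -> start point) is kept, so the table has
    num_chains entries yet covers up to num_chains * chain_len hashes."""
    table = {}
    for i in range(num_chains):
        start = int_to_password((i * 7919) % SPACE)  # 7919 is coprime to SPACE: distinct starts
        pw = start
        for column in range(chain_len):
            pw = reduce_fn(fast_hash(pw), column)
        table.setdefault(pw, start)  # chains that merged collapse into one entry
    return table

def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Online phase. If target is covered it sits in some column k. For each k,
    finish the chain from there to its end point; on a hit, regenerate that chain
    from its stored start and read off the preimage."""
    for k in range(chain_len - 1, -1, -1):
        pw = reduce_fn(target, k)
        for column in range(k + 1, chain_len):
            pw = reduce_fn(fast_hash(pw), column)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for column in range(chain_len):
            h = fast_hash(cand)
            if h == target:
                return cand
            cand = reduce_fn(h, column)
        # end point matched but this chain never hashed to target: a false alarm
    return None

def known_covered_password(table: dict, column: int = 5) -> str:
    """Self-check helper: walk `column` steps along a stored chain, which yields a
    password the table is guaranteed to recover."""
    pw = next(iter(table.values()))
    for c in range(column):
        pw = reduce_fn(fast_hash(pw), c)
    return pw

# ---- defences: a salt and a slow key-derivation function ----
def salted_fast_hash(salt: bytes, password: str) -> bytes:
    """Same MD5, but with a per-user salt prepended. The table above was built over
    bare three-letter strings, so salt+password lies outside the covered space."""
    return hashlib.md5(salt + password.encode()).digest()

def store_password(password: str, iterations: int = 600_000) -> tuple:
    """Recommended storage: random per-user salt plus a deliberately slow KDF.
    600,000 PBKDF2-HMAC-SHA256 iterations is the OWASP (2023) recommendation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations

def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} table entries for a {SPACE}-password space")
    for pw in ["cat", known_covered_password(table)]:
        print(f"{pw!r}: unsalted MD5 -> {lookup(table, fast_hash(pw))!r}")
        print(f"{pw!r}: salted MD5   -> {lookup(table, salted_fast_hash(os.urandom(8), pw))!r}")
    salt, digest, it = store_password("iforgot")
    print("correct password verifies:", verify_password("iforgot", salt, digest, it))
    print("wrong password verifies:  ", verify_password("iforgor", salt, digest, it))
```

Running it shows the trade-off directly: 2,000 stored end points stand in for up to 200,000 hashes, and a covered hash comes back as its password in milliseconds. The same password hashed with a salt returns None, even though the algorithm is unchanged, because the table was built over a space that no longer contains what was hashed. PBKDF2 is used here because it is in the standard library; a dedicated password hash such as Argon2 or bcrypt is the usual production choice.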