Ankit Kashyap

Backend

Behavioral

Cloud

DDIA

Design Patterns

Design and UX

DotNet

Frontend

Fun Topics

Low level design

Product

Story

System Design

Rainbow tables and password hashing

What happens when I encrypt passwords without salt?

What Happens When You Encrypt Passwords Without Salt?

Encrypting passwords without a salt introduces serious security risks, making passwords easier to crack. Here’s what happens when you don’t use a salt:

1. Identical Passwords Have Identical Hashes

  • Without a salt, the same password always produces the same hash.
  • If two users choose the same password (e.g., "password123"), they will have identical stored hashes.
  • This allows attackers to detect users with the same password and target them first.

Example:

password123 → 5f4dcc3b5aa765d61d8327deb882cf99
password123 → 5f4dcc3b5aa765d61d8327deb882cf99  (Same hash for another user)

🚨 Risk: Attackers who steal a database can easily group users by identical hashes and attack them first.

2. Makes Rainbow Table Attacks Easier

  • Rainbow tables are precomputed tables of password hashes that attackers use to quickly reverse hashes into their original passwords.
  • If you don’t use a salt, attackers can directly look up your hash in a rainbow table to find the corresponding password.

🚨 Risk: If a hacker has access to a precomputed hash list, they can instantly crack all unsalted passwords.

3. Easier to Perform Brute-Force Attacks

  • Without a salt, brute-force attacks become much more efficient.
  • Attackers can precompute hashes for common passwords and quickly match them against your database.

🚨 Risk: A dictionary attack using a list of common passwords (e.g., "password123", "123456", "qwerty") can rapidly crack weak passwords.

4. No Protection Against Hash Collision Attacks

  • Hash collisions occur when two different passwords produce the same hash (rare but possible with weak hashing algorithms).
  • Salting ensures that even if a collision occurs, it won’t be useful to an attacker.

🚨 Risk: Attackers can exploit hash collisions to gain unauthorized access.

How to Properly Store Passwords

Use a Unique Salt for Each Password

  • A salt is a random string added to the password before hashing.
  • This ensures that identical passwords result in different hashes.

Example:

password123 + random_salt1 → Hash A
password123 + random_salt2 → Hash B  (Different even for same password)

This defeats rainbow tables and makes brute-force attacks much harder.

Use a Strong Hashing Algorithm

  • Always use slow, computationally expensive password hashing functions:
    • Argon2 (Best, modern choice)
    • bcrypt
    • PBKDF2

Example Using bcrypt in Node.js:

const bcrypt = require("bcrypt")
const saltRounds = 10
 
bcrypt.hash("password123", saltRounds, (err, hash) => {
  console.log("Hashed Password:", hash)
})

Use Peppering (Extra Secret Key)

  • A pepper is a secret key stored separately from the database and added before hashing.
  • Even if a hacker steals your database, they cannot crack passwords without the pepper.

Final Thoughts

🔴 Encrypting passwords without a salt is insecure because:

  • Identical passwords have the same hash (making user accounts predictable).
  • Vulnerable to rainbow table and brute-force attacks.
  • Faster and easier to crack compared to salted hashes.

Always use unique salts, strong hashing algorithms, and proper security measures to protect passwords. 🚀

What is rainbow table?

What is a Rainbow Table?

A rainbow table is a precomputed table of password hashes used by attackers to quickly crack hashed passwords. Instead of brute-forcing each password one by one, attackers use rainbow tables to instantly match a hash to its original password.

How Does a Rainbow Table Work?

  1. Precompute Hashes:

    • Attackers generate hashes for common passwords using a specific hashing algorithm (e.g., MD5, SHA-1).
    • Example: 
      password123 → 5f4dcc3b5aa765d61d8327deb882cf99
qwerty → d8578edf8458ce06fbc5bb76a58c5ca4

  2. Store the Hashes in a Table:

    • These hash-password pairs are stored in a large table (rainbow table).

  3. Match Hashes to Crack Passwords:

    • When an attacker steals a database of hashed passwords, they simply look up each hash in the rainbow table.
    • If a match is found, the original password is revealed instantly.

Example of a Rainbow Table

Plaintext PasswordMD5 Hash
password1235f4dcc3b5aa765d61d8327deb882cf99
qwertyd8578edf8458ce06fbc5bb76a58c5ca4
letmein0d107d09f5bbe40cade3de5c71e9e9b7

Why Are Rainbow Tables Dangerous?

🚀 Faster Than Brute Force

  • Instead of computing hashes in real-time, attackers instantly find matches from precomputed tables.

⚠️ Works on Weak Hashing Algorithms

  • Older, fast hashing algorithms like MD5, SHA-1, and even SHA-256 are vulnerable to rainbow tables.

🔴 No Need to Crack Each Password Individually

  • If a hash exists in the table, the password is immediately cracked.

How to Defend Against Rainbow Table Attacks

Use Salting

  • A salt is a unique random value added to each password before hashing.
  • Example: 
    password123 + random_salt → Unique Hash
  • Since each password gets a unique hash, rainbow tables become useless.

Use Strong, Slow Hashing Algorithms

  • Algorithms like bcrypt, PBKDF2, and Argon2 are designed to be slow and resistant to precomputed attacks.

Use Long, Complex Passwords

  • Longer and more random passwords increase the difficulty of creating effective rainbow tables.

Implement Multi-Factor Authentication (MFA)

  • Even if an attacker cracks a password, MFA can prevent unauthorized access.

Final Thoughts

  • Rainbow tables are a major threat to weak password hashing systems.
  • Salting passwords completely nullifies rainbow table attacks.
  • Always use modern hashing techniques like bcrypt, Argon2, or PBKDF2 for strong security.

By implementing salting, slow hashing, and MFA, you can effectively protect passwords from rainbow table attacks. 🚀