Since 2013, World Password Day has been celebrated on the first Thursday of May and aims to foster better password habits. This event reminds us that passwords are the main guardians of our digital identities and that we must implement complex passwords such as passphrases capable of protecting us. In 2022 alone, 721.5 million exposed credentials were leaked online.
As a result of these leaks, account takeover attacks (ATOs) are on the rise. Cybercriminals use a range of methods to steal passwords from their targets, and even hashed credentials can be vulnerable to certain types of attacks. Here we are going to focus on one specific threat: the rainbow table attack.
What is a rainbow table attack?
This form of cyberattack is used by hackers to crack password hashes with a precomputed table that maps hashes back to the passwords that produced them, rather than guessing each password from scratch. When you create a new online account, a well-designed service does not store your password itself; it stores a "hash" of it, the output of a one-way function that cannot simply be run backwards, so that a stolen database does not directly hand attackers your password. Note that hashing is not encryption: there is no key and nothing to "decrypt", which is exactly why attackers turn to precomputation. A rainbow table lets them recover the plaintext behind a leaked hash far faster than brute force, and with far less storage than a simple lookup table holding every candidate password alongside its hash.
While rainbow tables provide security administrators with a method to check password security standards, they also provide cybercriminals with a way to crack passwords quickly to gain unauthorized access to computer systems.
To build the table, the attacker starts from a candidate password, hashes it, then applies a "reduction function" that turns the hash back into some other candidate password, and repeats this hash-then-reduce step many times to form a chain. Only the first and last password of each chain are stored, which is what keeps a rainbow table much smaller than a full lookup table. To crack a leaked hash, the attacker runs the same reduce-and-hash steps on it until the result matches a stored chain end point, regenerates that chain from its start point, and reads off the password that hashed to the target. With the plaintext in hand, the cybercriminal simply logs in as the user, or tries the same password on every other service where it may have been reused. Two caveats matter in practice: a table only helps against hashes computed exactly the way the table was built, so a random per-user salt mixed into each hash defeats precomputation entirely, and a deliberately slow password hashing function makes the table too expensive to build in the first place.
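The chain construction and lookup described above, as an added example that is not part of the original post. Everything in it is constructed for illustration: a tiny password space of three lowercase letters hashed with unsalted MD5, a simple reduction function, and the chain length and chain count, all chosen so the table builds in well under a second. The last part shows the salt caveat: the same table that recovers an unsalted hash finds nothing once a per-user salt is mixed in.

```python
import hashlib
import string

# Toy parameters, constructed for the demo: passwords are exactly 3 lowercase
# letters (26**3 = 17,576 candidates), hashed with unsalted MD5. Real tables
# cover vastly larger spaces; the mechanics are identical.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50        # hash-then-reduce steps per chain (time side of the trade-off)
NUM_CHAINS = 1000     # chains stored; only start and end points are kept (memory side)


def H(password: str) -> bytes:
    """The hash the defender stored: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).digest()


def idx_to_pw(n: int) -> str:
    """Map an integer in [0, KEYSPACE) onto a candidate password."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def R(digest: bytes, column: int) -> str:
    """Reduction function: map a digest back into the password space.

    Mixing in the column index gives every column its own reduction. That is
    what makes this a rainbow table rather than a classic Hellman table, and
    it stops two chains that collide in different columns from merging.
    """
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    return idx_to_pw(n)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute the chains; return {end_point: start_point}."""
    table = {}
    stride = KEYSPACE // num_chains
    for i in range(num_chains):
        start = idx_to_pw(i * stride)          # spread start points over the space
        pw = start
        for column in range(chain_len):
            pw = R(H(pw), column)              # hash, then reduce, chain_len times
        table.setdefault(pw, start)            # on a merged end point keep the first chain
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Recover a preimage of `target` if some stored chain contains it, else None."""
    # Guess which column the target hash sits in, trying the last column first.
    for j in range(chain_len - 1, -1, -1):
        pw = R(target, j)
        for column in range(j + 1, chain_len):
            pw = R(H(pw), column)
        start = table.get(pw)
        if start is None:
            continue
        # End point matched: regenerate that chain and verify (it may be a false alarm).
        cand = start
        for column in range(chain_len):
            if H(cand) == target:
                return cand
            cand = R(H(cand), column)
    return None


def demo() -> dict:
    table = build_table()
    results = {}
    # 'aaa' is the start point of the first chain, so the table certainly covers it.
    results["unsalted"] = lookup(table, H("aaa"))
    # Same password, but the defender mixed in a per-user salt ("s4lt:" is a
    # constructed value): the stored digest is now outside anything we precomputed.
    salted = hashlib.md5(b"s4lt:" + b"aaa").digest()
    results["salted"] = lookup(table, salted)
    return results


if __name__ == "__main__":
    print(demo())
```

`lookup` has to try every possible column of the target, so cracking one hash costs on the order of `CHAIN_LEN**2 / 2` hash operations; that is the price paid for storing only chain end points instead of the whole table. The `salted` result is `None` because the table was built for `MD5(password)`, not `MD5(salt + password)`, and an attacker would need a separate table per salt value.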
In recent research, a group of analysts conducted a study in which they fed more than 15.6 million passwords into an AI-based password-cracking program called PassGAN and concluded that it is possible to crack 51% of common passwords in under one minute. However, the AI software failed to crack longer passwords. Cracking an 18-character password containing only numbers would take at least 10 months, and a password of the same length containing numbers, upper and lower case letters and special characters would take six quintillion years to crack. Tools like PassGAN do not precompute tables; they generate likely guesses and hash each one. The lesson, though, is the same as for rainbow tables: fast, unsalted hash functions such as MD5 and SHA-1 let an attacker test candidates at enormous rates, and both approaches fail against long, unpredictable passwords.
4 tips for a complex password / passphrase
As we have seen, choosing a complex password is just as important today as it has been in the past. We’re reminding you of 4 basic tips on how to create a secure password:
Take length into account: length is the single most important factor in a secure password. Each additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length. Ideally a password should be at least 12 characters long.
Create a unique password: avoid using something generic like "qwerty", "password" or "12345". These are among the most used passwords in the world and, therefore, among the least secure, since they appear in every cracking dictionary and precomputed table. Similarly, use a different password for each account: a reused password, however strong, is only as safe as the weakest site that stores it, and a single leak exposes every account that shares it.
Do not use personal information: using a nickname, date of birth or pet name as a password makes it easier for cybercriminals to guess, simply by glancing at social media or even by overhearing a conversation with another person.
Combine letters, numbers and special characters: combining different types of characters in the same password significantly increases the number of possible combinations.
MFA: the extra protection that passwords need
Using a complex password can be key to avoiding becoming a victim of a rainbow table attack: a long, unique password is very unlikely to be covered by any rainbow table, and hackers, or the AI tools they use, will not be able to crack it easily through this method.
However, to ensure identities are protected, it is always advisable to accompany a password with multi-factor authentication to verify the access request is by the legitimate user.
Passwords can be guessed, stolen or intercepted, and attackers can use a variety of techniques to circumvent them. Requiring multiple factors of authentication, using an MFA solution such as WatchGuard's AuthPoint, makes it much more difficult for attackers to gain unauthorized access.