Example of a rainbow table

Plain text | SHA-1 checksum |
---|---|
12345 | 8cb2237d0679ca88db6464eac60da96345513964 |
password1 | e38ad214943daad1d64c102faec29de4afe9da3d |
I love my dog | a25fb3505406c9ac761c8428692fbf5d5ddf1316 |
Jenny400 | 7d5eb0173008fe55275d12e9629eef8bdb408c1f |
Dallas1984 | c1ebe6d80f4c7c087ad29d2c0dc3e059fc919da2 |
A hacker needs to know which cryptographic hash algorithm was used to generate the checksums in order to determine the values.
For added protection, some websites that store user passwords apply additional functions to the checksum after the cryptographic hash algorithm generates it but before it is stored. This process creates a new value that only the web server understands and that doesn’t match the original checksum.
For example, after a password is entered and its checksum generated, the checksum may be broken into parts and rearranged before being stored in the password database, or certain characters may be swapped for others. On the next user authentication attempt, the web server reverses this additional function and the initial checksum is regenerated to verify that the user’s password is valid.
These measures limit the usefulness of a hack in which all the checksums are stolen. The idea is to apply a function that is unknown to the attacker. So if the hacker knows the cryptographic hash algorithm but not the custom one, then knowing the password checksums isn’t useful.
Passwords and cryptographic hash functions
A database stores user passwords much like a rainbow table. When you enter your password, the checksum is generated and compared with the one stored with your user name. You are then granted access if the two are equal.
Given that a cryptographic hash function produces a non-reversible checksum, is it safe for you to make your password as simple as 12345, instead of 12@34$5, simply because the checksums themselves cannot be understood? No, and here’s why.
These two passwords cannot be cracked simply by looking at the checksums:
MD5 for 12345: 827ccb0eea8a706c4c34a16891f84e7b
MD5 for 12@34$5: a4d3cc004f487b18b2ccd4853053818b
At first glance, you might think it’s okay to use either of these passwords. This is true when an attacker tries to find your password by guessing the MD5 checksum, which nobody does, but it’s not true when a brute-force or dictionary attack is used, and both are common tactics.
A brute-force attack occurs when multiple random attempts are made at guessing a password. In this case it would be easy to guess 12345, but it is quite difficult to determine the other at random. A dictionary attack is similar in that the attacker can try any word, number, or phrase from a list of common (and not-so-common) passwords, and 12345 is one of those common passwords.
Although cryptographic hash functions produce hard-to-guess checksums, you should still use a complex password for all your online and local user accounts.
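As an added example (not part of the original article), the Python sketch below shows why a simple password fails even though its checksum cannot be reversed: anyone auditing stored checksums only has to hash a list of common passwords and compare. The wordlist is a constructed sample, and picking the algorithm from the checksum length is an assumption based on the lengths quoted on this page.

```python
import hashlib

# Checksum length in hex characters -> algorithm (assumption: only the
# three lengths this page mentions; other algorithms share these lengths).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 128: "sha512"}

# Constructed sample standing in for a list of common passwords.
COMMON_PASSWORDS = ["123456", "12345", "password1", "qwerty", "letmein"]


def build_lookup(words, algo):
    """Precompute checksum -> plain text for one algorithm."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def audit(stored, words=COMMON_PASSWORDS):
    """Return {checksum: matching common password, or None if no match}."""
    tables = {}
    findings = {}
    for checksum in stored:
        algo = ALGO_BY_HEX_LEN.get(len(checksum))
        if algo is None:  # unknown length: cannot tell which algorithm
            findings[checksum] = None
            continue
        if algo not in tables:
            tables[algo] = build_lookup(words, algo)
        findings[checksum] = tables[algo].get(checksum.lower())
    return findings


# Checksums quoted on this page.
STORED = [
    "827ccb0eea8a706c4c34a16891f84e7b",  # MD5 of 12345
    "a4d3cc004f487b18b2ccd4853053818b",  # MD5 of 12@34$5 (per the page)
    "8cb2237d0679ca88db6464eac60da96345513964",  # SHA-1 of 12345
]

if __name__ == "__main__":
    for checksum, plain in audit(STORED).items():
        print(checksum, "->", plain if plain else "not in wordlist")
```

The same comparison can be run when a user chooses a password, so that one appearing in the common-password list is rejected before its checksum is ever stored.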
Learn more about cryptographic hash functions
You might think that cryptographic hash functions are related to encryption, but the two work in different ways.
Encryption is a two-way process where something is encrypted to become unreadable and later decrypted to be used normally again. You can encrypt the files you store so anyone who accesses them can’t use them, or you can use file transfer encryption to encrypt files in transit over a network, such as those that you download or upload online.
Cryptographic hash functions work differently because the checksums are not intended to be reversed with a special de-hashing password. The sole purpose of cryptographic hash functions is to compare two pieces of data, such as when downloading files, storing passwords and retrieving data from a database.
It is possible for a cryptographic hash function to produce the same checksum for different data. When this happens, it’s called a collision, which is a big problem because the purpose of a cryptographic hash function is to create unique checksums for all the data put into it.
Collisions can occur because any cryptographic hash function produces a fixed-length value regardless of the input data. For example, the MD5 cryptographic hash function generates 827ccb0eea8a706c4c34a16891f84e7b, 1f633b2909b9c1addf32302c7a497983, and e10adc3949ba59abbe56e057f20f883e for three completely different blocks of data.
The first checksum is from 12345. The second was generated from over 700 letters and numbers, the third from 123456. The three inputs are of different lengths, but the results are still only 32 characters long since the MD5 checksum was used.
There is no limit to the number of different inputs that could be hashed, and any small change to the input is expected to produce a completely different checksum. But since there is a limit to the number of checksums that a cryptographic hash function can generate, there is always a chance that a collision will occur.
Because of this, other cryptographic hash functions have been created. While MD5 generates a 32-character value, SHA-1 generates 40 characters and SHA-2 (512) generates 128. The larger the number of characters in the checksum, the lower the chance that a collision will occur.
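The following added example (not from the original article) makes the collision argument concrete in Python: it confirms that the checksum length is fixed per algorithm, then searches for two different inputs with the same checksum. Truncating SHA-256 to a few hex characters is an assumption used here as a stand-in for a very short hash, so the search finishes instantly.

```python
import hashlib
from itertools import count


def digest_hex_len(algo):
    """Length in hex characters of a checksum, whatever the input size."""
    return len(hashlib.new(algo, b"x" * 700).hexdigest())


def truncated(data, hex_chars):
    """Stand-in for a short hash: the first hex_chars of a SHA-256 checksum."""
    return hashlib.sha256(data).hexdigest()[:hex_chars]


def find_collision(hex_chars):
    """Hash the inputs 0, 1, 2, ... until two of them share a checksum.

    Returns (first_input, second_input, checksum, inputs_tried). With only
    16**hex_chars possible checksums, a repeat is guaranteed to appear.
    """
    seen = {}
    for i in count():
        msg = str(i).encode()
        tag = truncated(msg, hex_chars)
        if tag in seen:
            return seen[tag], msg, tag, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha512"):
        print(algo, digest_hex_len(algo), "hex characters")
    for n in (2, 4, 6):
        a, b, tag, tried = find_collision(n)
        print(f"{n} hex chars: {a!r} and {b!r} -> {tag} after {tried} inputs")
```

Each extra hex character multiplies the number of possible checksums by 16, so the number of inputs needed before a collision appears grows with the checksum length.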