Rainbow Tables

Blogged in Technology by Parables Wednesday July 19, 2006

A rainbow table is produced by running the cracking computation ahead of time and storing those results in files. This is the technique Philippe Oechslin developed in order to implement a faster time-memory trade-off. Ophcrack is an example of a time-memory trade-off that uses rainbow tables in order to crack Windows passwords.

Some business-oriented hackers decided to start a RainbowCrack service, allowing anyone to pay a subscription fee and submit password hashes to be cracked.
http://www.rainbowcrack-online.com/

“Because of the problems, the U.S. government is requiring that banks move towards two-factor authentication, where the typical password security is augmented by a biometric or a physical security device. Some security researchers maintain that even adding a second type of security check is not enough.”
“Rainbow tables side step the difficulty in cracking a single password by instead creating a large data set of hashes from nearly every possible password. To break a password, the attacker merely looks up the hash to find the password that produces that code.”
http://www.securityfocus.com/news/11355

More on Rainbow Tables can be found at : http://en.wikipedia.org/wiki/Rainbow_table

Any one-way hash that includes a salt is resistant to rainbow tables and can serve as a defense. In cryptography, a key derivation function is a function that derives one or more secret keys from a secret value such as a password. A salt consists of random bits used as one of the key derivation function's inputs.

“MS-Windows is one of the rare operating systems, with few routers, firewalls and databases, that uses salt-less hashes, making the attack possible. Both hashes found in Windows, the LanManager hash and the NT hash have no salt.”
“If you don’t want your password to be cracked, you should definitely stay away from the LanManager hash (you can disable it in Windows 2000, XP and 2003).”
https://www.isc2.org/cgi-bin/content.cgi?page=738

Jim Moore, an Information Security Officer from the Rochester Institute of Technology states:
“A couple of weeks ago I was at the New York State Cyber-Security Conference. It was there that a presenter with good knowledge of the black hat community said that 16 character rainbow tables would be done by the end of 2006.”
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0607&L=security&T=0&H=1&P=2422

It will soon be normal to have passwords of at least 16 characters. Get ready for a security break-through. This is the future of technology.
Some advice for everybody involved with or using technology in any way: change your passwords regularly (and make them longer as well), and back up ALL IMPORTANT data.
