312-50V11 · Question #213
How can rainbow tables be defeated?
The correct answer is A. Password salting. Password salting defeats rainbow table attacks by adding a unique random value to each password before hashing, making every precomputed hash lookup table invalid.
Question
How can rainbow tables be defeated?
Options
- APassword salting
- BUse of non-dictionary words
- CAll uppercase character passwords
- DLockout accounts under brute force password cracking attempts
How the community answered
(60 responses)- A90% (54)
- B3% (2)
- C2% (1)
- D5% (3)
Why each option
Password salting defeats rainbow table attacks by adding a unique random value to each password before hashing, making every precomputed hash lookup table invalid.
A rainbow table is a precomputed database mapping common inputs to their hash values, allowing an attacker to reverse a stolen hash almost instantly. Salting prepends or appends a unique random string to each password before hashing, so even two identical passwords produce entirely different hash values. This forces an attacker to recompute a separate rainbow table for every unique salt, which is computationally infeasible and effectively neutralizes the attack.
Using non-dictionary words protects against dictionary and wordlist attacks, but rainbow tables can be precomputed for arbitrary character strings, so this does not defeat them.
Restricting passwords to all uppercase only marginally reduces the keyspace and does not prevent rainbow tables, which can be precomputed for any character set including uppercase-only inputs.
Account lockout prevents online brute-force attempts against a live login service but provides no protection against offline rainbow table attacks performed against a stolen password hash database.
Concept tested: Password salting to defeat precomputed rainbow table attacks
Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.