Which of the following actions could have helped prevent the use of rainbow tables on the password hashes?

A website is breached, exposing the usernames and MD5 password hashes of its entire user
base. Many of these passwords are later cracked using rainbow tables. Which of the following
actions could have helped prevent the use of rainbow tables on the password hashes?

A.
Use salting when computing MD5 hashes of the user passwords

B.
Use SHA as a hashing algorithm instead of MD5

C.
Require SSL for all user logins to secure the password hashes in transit

D.
Prevent users from using a dictionary word in their password

Explanation:




Some IT guy


How does this prevent a rainbow table attack?

Student


I believe the answer should be A. When salting is added to the computation, it makes it much more difficult to use a rainbow table.

But if the password file is salted, then the rainbow table would have to contain “salt . password” pre-hashed. If the salt is sufficiently random, this is very unlikely. I’ll probably have things like “hello” and “foobar” and “qwerty” in my list of commonly-used, pre-hashed passwords (the rainbow table), but I’m not going to have things like “jX95psDZhello” or “LPgB0sdgxfoobar” or “dZVUABJtqwerty” pre-computed. That would make the rainbow table prohibitively large.

So, the salt reduces the attacker back to one-computation-per-row-per-attempt, which, when coupled with a sufficiently long, sufficiently random password, is (generally speaking) uncrackable.

Lake


Salting can be used to strengthen the hashing when the passwords were encrypted. Though hashing is a one-way algorithm, it does not mean that it cannot be hacked. One method to hack a hash is through rainbow tables, and salt is the countermeasure to rainbow tables. With salt, a password that you typed in and that has been encrypted with a hash will yield a letter combination other than what you actually typed in when it is rainbow table attacked.

The correct answer is A
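
The salting argument made in the comments above, as an added example that is not part of the original page or its comments. It uses a plain hash-to-password dictionary as a simplified stand-in for a rainbow table; the user passwords, function names and 16-byte salt length are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed sample data: the common passwords named in the comment above.
COMMON = ["hello", "foobar", "qwerty"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(words):
    """Precompute hash -> password once; reusable against every unsalted row."""
    return {md5_hex(w.encode()): w for w in words}

def store_unsalted(password):
    return {"hash": md5_hex(password.encode())}

def store_salted(password):
    salt = secrets.token_bytes(16)  # per-user random salt (length is an assumption)
    return {"salt": salt, "hash": md5_hex(salt + password.encode())}

def lookup(table, rows):
    """Rows recovered by a single precomputed-table lookup each."""
    return sum(1 for r in rows if r["hash"] in table)

def per_row_guesses(rows, words):
    """Work left once rows are salted: one hash per row per guess."""
    recovered = hashes = 0
    for r in rows:
        for w in words:
            hashes += 1
            if md5_hex(r["salt"] + w.encode()) == r["hash"]:
                recovered += 1
                break
    return recovered, hashes

def demo():
    users = ["hello", "qwerty", "hello"]  # constructed user passwords
    table = build_table(COMMON)
    unsalted = [store_unsalted(p) for p in users]
    salted = [store_salted(p) for p in users]
    return {
        "unsalted_hits": lookup(table, unsalted),   # table works on every row
        "salted_hits": lookup(table, salted),       # table is useless
        "unsalted_distinct": len({r["hash"] for r in unsalted}),
        "salted_distinct": len({r["hash"] for r in salted}),
        "per_row": per_row_guesses(salted, COMMON),
    }
```

The `per_row` result shows the limit of answer A: salt removes the precomputation shortcut, but MD5 is fast, so salted rows with common passwords are still recovered by hashing each guess against each row.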