Security Now! 134 [rants]
Security Now! Episode 134
For those who are not familiar with Security Now!, I highly recommend it. It's a great podcast and I have certainly learned a thing or two, but it's not without its flaws, some of which go uncorrected. This is one of those uncorrected yet important flaws that I've mentioned to Steve using his feedback form but sadly got no mention on the air...
In episode 134 Steve Gibson says the following regarding rainbow tables (thanks to the transcripts on their site):
They (rainbow tables) are nothing, however, other than precomputation hash tables. That is to say, the idea being that you could take all kinds of common dictionary-based words. (and hash them into a table)
Rainbow tables are all kinds of phrases and dictionary words and combinations of words that have painfully, in terms of compute time, been hashed once.
...determining the MD5 hashes for a huge number of common phrases and passwords, and they'd save them.
Rainbow tables not necessary
Hashing a finite list of common dictionary words or phrases is not hard. That is a dictionary attack, and such attacks are not compute-intensive at all, because the candidate list is fixed: you hash each entry and compare it against the target. Dictionary attacks don't require rainbow tables. To be fair, a good rainbow table answers a lookup faster than re-hashing a wordlist, but hashing every entry in even the largest password dictionaries available online is no problem for a consumer PC. How cheap this is depends on the hashing algorithm, but we'll assume MD5, since that's what Steve mentions, and unsalted MD5 is about as cheap as it gets.
Back in college, before rainbow tables were popular and when CPUs were far less powerful, we performed some password strength testing and were able to crack common phrases within minutes without the use of rainbow tables, only dictionaries.
So a rainbow table full of common words is unnecessary. A rainbow table is not a big list of (hash, word) pairs at all: it is a time-memory trade-off that covers an entire keyspace (every string of a given character set and length) by storing only the endpoints of long hash-and-reduce chains and recomputing the rest on lookup. That makes rainbow tables most useful against random passwords within the character set and length the table covers, where there is no dictionary to try. Either way, a per-password salt defeats the precomputation entirely, which is the real reason the distinction matters.
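To make the distinction concrete, here is an added example (my own code, not anything from the podcast or from Steve): a dictionary attack with a few simple mangling rules, beside a toy rainbow table over all four-letter lowercase strings. The wordlist, the target hashes, the chain length and the reduction function are all constructed for this example and are not taken from any real table.

```python
"""Dictionary attack versus a toy rainbow table, both over unsalted MD5.

Constructed example: wordlist, targets and table sizes are tiny so it runs in
seconds; real wordlists have millions of entries, real chains thousands of steps.
"""
import hashlib
import random
import string


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Dictionary attack: hash a fixed candidate list, no table needed --------
WORDLIST = ["password", "letmein", "monkey", "dragon", "sunshine", "qwerty"]


def mangle(word: str):
    """Yield the word plus the cheap variants attackers try first."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        for n in range(100):          # password0 ... password99
            yield f"{base}{n}"


def dictionary_attack(targets, wordlist=WORDLIST):
    """Return {hash: plaintext} for each target hit by the mangled wordlist."""
    want, found = set(targets), {}
    for word in wordlist:
        for cand in mangle(word):
            h = md5_hex(cand)
            if h in want:
                found[h] = cand
                want.discard(h)
                if not want:
                    return found
    return found


# --- Rainbow table: covers a keyspace, not a wordlist -----------------------
# Keyspace: every 4-char lowercase string (26**4 = 456,976). The table stores
# only (chain endpoint -> chain start); everything else is recomputed on lookup.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                        # arbitrary choice for the toy


def index_to_pw(idx: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[idx % len(ALPHABET)])
        idx //= len(ALPHABET)
    return "".join(chars)


def reduce_(h: str, pos: int) -> str:
    """Map a hash back into the keyspace. Mixing in the column `pos` is what
    makes this a *rainbow* table: chains that merge do not stay merged."""
    return index_to_pw((int(h[:12], 16) + pos) % KEYSPACE)


def walk(pw: str, first: int, last: int) -> str:
    """Advance a chain from column `first` up to (not including) `last`."""
    for pos in range(first, last):
        pw = reduce_(md5_hex(pw), pos)
    return pw


def chain_from(start: str):
    """The CHAIN_LEN passwords whose hashes a chain starting at `start` covers."""
    return [walk(start, 0, pos) for pos in range(CHAIN_LEN)]


def build_table(rows: int, seed: int = 1):
    rng = random.Random(seed)
    table = {}
    for _ in range(rows):
        start = index_to_pw(rng.randrange(KEYSPACE))
        table[walk(start, 0, CHAIN_LEN)] = start   # later chains overwrite merges
    return table


def rainbow_lookup(table, target_hash: str):
    """Invert `target_hash` if its preimage lies on a stored chain, else None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Guess the preimage sits at column `pos`; finish the chain from there.
        end = walk(reduce_(target_hash, pos), pos + 1, CHAIN_LEN)
        start = table.get(end)
        if start is None:
            continue
        # Regenerate from the start: an endpoint match can be a false alarm.
        pw = start
        for p in range(CHAIN_LEN):
            h = md5_hex(pw)
            if h == target_hash:
                return pw
            pw = reduce_(h, p)
    return None


if __name__ == "__main__":
    print(dictionary_attack([md5_hex("Password7"), md5_hex("dragon!")]))
    table = build_table(rows=3000)
    victim = chain_from(next(iter(table.values())))[7]   # a random-looking 4-letter pw
    print(victim, rainbow_lookup(table, md5_hex(victim)))
```

The dictionary half never touches the table and cracks its targets with a few hundred hashes per word. The rainbow half knows nothing about words: it can only invert hashes of strings inside the keyspace it was built over, and only those that happen to lie on a stored chain (the toy's 3000 chains of 50 steps cover at most a third of the 456,976-entry keyspace). Salting the hash with a per-user value would change every chain, which is why salts kill precomputation.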
