Length of passwords that are rainbow table safe

Question

With large computing power (like what you can get in the Amazon cloud for example) you can generate huge rainbow tables for passwords. There also seems to be some large rainbow tables reachable that you have to pay for.

What are the largest tables that secret services could possibly use and what's the maximum characters you can have for the password?

I am wondering how long passwords should be considered when you choose a new password yourself? (This is not the question here!)

What is the maximum password-length those huge underground rainbow-tables (used by evil forces) are hosting?

Answer 1

Length of the password, and size of the rainbow table, are red herrings. Size does not matter. What matters is entropy.

Rainbow tables are not really relevant here, for two main reasons:

1. Building the table is expensive. A table "covers" a number of possible passwords; let's call it N. There are N distinct passwords that will be broken through the table. No other will be. It so happens that every single one of these N passwords must have been hashed during table construction. Actually, a lot have been hashed several times; building a table which can crack N passwords has a cost of roughly 1.7*N hash invocations. That's more expensive than brute force. In fact, brute force requires on average 0.5*N hashes, so the table building costs more than three times as much.

   Thus, a rainbow table is worth the effort only if it can be applied at least four times, on four distinct password hashes that shall be cracked. Otherwise, it is a big waste of time.

2. Rainbow tables cannot be applied more than once. That's because of salts. Any password hashing which has been deployed by a developer with more brain cells than a gorilla uses salts, which are non-repeating variation parameters. The effect of salts is equivalent to using a different hash function for each user. Since a rainbow table must be built for a specific hash function, one at a time, it follows that a rainbow table will be able to crack only one password hash in all. Combine with the previous point: rainbow tables are simply not useful.

Now, of course, there are a lot of deployed systems where passwords are not hashed with human-level competency. Ape-driven development has resulted in many servers where a simple unsalted hashing is used; and even servers where passwords are stored as cleartext or some easily reversible homemade encoding. But one could say that if your password is to be managed by such sloppily designed systems, then extra password entropy will not save you. A software system which utterly fails at applying sane, documented techniques for protecting a password, which is the archetypal sensitive secret data, is unlikely to fare any better in any of its other components. Crumminess and negligence in software design are like cockroaches: when you see one, you can be sure that there are hundreds of others nearby.

---

Now let's assume that reasonable password hashing was employed, combining salts (to defeat table-based and parallel attacks) and configurable slowness (to make hashing more expensive). E.g. bcrypt. This answer is a lengthy exposition of how passwords should be hashed.

For instance, consider a server using bcrypt, configured so that, on that server, verifying a password hash takes 0.01s worth of CPU time. This would still allow the server to handle 100 user logons per second, an extremely high figure, so the server will not actually devote a lot of its computing power to password hashing.

Now, imagine an attacker who got his hands on some password hashes, as stored on the server (e.g. he stole an old backup, or used an SQL injection attack to recover parts of the database). Since bcrypt is salted, the attacker will have to pay the full brute force attack cost on each password; there is no possible parallel cost sharing, and, in particular, no precomputed tables (rainbow or not) would apply.

Our attacker is powerful: he rents one hundred servers of computing abilities similar to the attacked server. This translates to 10000 password tries per second. Also, the attacker is patient and dedicated: he accepts to spend one month of computing on a single password (so that password must protect some very valuable assets). In one month at 10000 passwords per second, that's about 26 billions of passwords which will be tried.

To defeat the attacker, it thus suffices to choose passwords with enough entropy to lower the success probability of the attacker to less than 1/2 under these conditions. Since 26 billions is close to 2^34.6, this means that the password entropy shall be at least 35.6 bits.

Entropy is a characteristic of the method used to generate the password, and only loosely correlated with the length. Password length does not imply strength; length is just needed to make room for the entropy. For instance, if you generate a password as a sequence of random letters (uppercase and lowercase), then 7 characters accumulate almost 40 bits of entropy, which, by the calculations made above, should be fine. But this absolutely requires that the letters are chosen randomly, uniformly, and independently of each other. Not many users would go to the effort of using a computer PRNG to produce a new password, and then accept to learn it as it was generated (I do that, but when I explain it to my work colleagues they look at me in a weird way).

As this famous question hints at, human memory can be at odds with entropy, and a longer password with more structure may be a better trade-off. Consider that the "correct horse" method ends up with "only" 44 bits of entropy for 25 letters or so (by the way, take note that a 25-letter password can have less entropy than an 8-letter password). The extra typing can be worthwhile, though, if it allows an average user to remember a 40-bit entropy password.

---

Despite all the propaganda of Hollywood movies, Secret Services rarely involve stupendously advanced technology (for that matter, they are also quite short on dry Martinis, leggy blondes and motorbike chases). Any rationally managed Secret Service will avoid spending 10k$ on breaking your password, since 1k$ will be more than enough to hire two goons to break your kneecaps. Ultimately, this is all a matter of relative cost.

So let's get practical. To generate a password, use this command on a Linux system:

dd if=/dev/urandom bs=6 count=1 2> /dev/null | base64

This outputs a password consisting of eight characters among lowercase letters, uppercase letters, digits, '/' and '+'. It is easily shown that each such password offers a whooping 48 bits of entropy. The important rules are:

1. Generate the password and then accept it. Don't go about producing another one if you don't like what you got. Any selection strategy lowers your entropy.
2. Don't reuse passwords. One password for each site. That's the most important damage containment rule. If you have trouble remembering many passwords, you can "write them down" (password managers like KeePass may help).
3. If 48 bits of entropy are not enough, then you are using a password in a weak system, and that is what you need to fix.
4. Your enemies are after your money, not your freedom. Don't try to defeat phantasmagorical three-letter agencies; concentrate on mundane criminals.

Answer 2

To answer your revised question:

As for the maximum precomputed password length, there isn't one. Precomputed password hashes are precomputed from dictionaries, not from sequential scans of the keyspace. While some sequential generation of very short passwords may be common, it typically isn't more than just a few characters. The space requirement for storing all the 256-bit hashes for 8-character passwords is on the order of exabytes; not beyond technical capability, but certainly beyond any sort of cost-benefit consideration.

Plus, if the server storing the passwords uses salts for each one, then the whole precomputation idea goes out the window. Done. No rainbow tables. They no longer work. Salted hashes are resistant to rainbow tables, as explained here.

Still, you're thinking about it wrong

The length of the password is entirely irrelevant. All that matters -- the only thing that matters, is how many passwords will the attacker try before guessing the correct one, and how long does each guess take?

If the attacker guesses your password first, then no amount of complexity will save you, and no amount of server-side storage complexity will save you. It's as easy for the attacker to log in as it is for you. Game over.

If your password is on the list, but it's 500 down from the top, then the amount of time required for the attacker to get to yours is 500 times the amount of time each attempt takes. If it takes 1 second per password, then you've got about 8 minutes. Will the attacker give up after 5 minutes? If he does, then you're safe. If he doesn't, then you're not.

Per your original point, if your password is on the top 500 list, then the precomputed hashes will be available. Obviously that only matters if the passwords aren't stored salted.

If your password is random, and comes from a 48-bit keyspace (approx. 8-characters alphanumeric), then on the average the attacker will have to try attacker must try 2⁴⁷ passwords before getting to yours. How long will that take? If the passwords are store with PBKDF2 tuned to ⅕ second per attampt (as LUKS uses), then it'll take just under 1 million years to guess your password.

On the other hand, with the same password, if he has the hardware to try 5 million guesses per second, then you're down to just under a year. 5 billion and it's less than a day.

A better way to do it

My advice is to use a random, unguessable password that you don't remember, but rather store in a browser-integrated password manager like KeepPass, LastPass or 1Password. In that case, there's no additional cost to you between 6 characters and 24, so you might as well choose a long one -- say 14 or 18 character. That should be more than enough.

The key here is the browser-integrated password manager. An attacker guessing your random password is not the attack vector your care about. It's not going to happen. Instead, you care about phishing. That's much more likely to happen, and browser-integrated password managers will save you.

Answer 3

Assuming 256bit (32 byte) hashes and assuming you want to cover all possible passwords with 80 different characters (26 lowercase, 26 uppercase, 10 numbers, 18 other characters), these are the required rainbow-table sizes. I calculated this using the formula (80 ^ length ) * (32 + length).

However, keep in mind that the table below is for all possible combinations of 80 different characters. When you use less characters or only create the hashes for passwords which follow certain patterns (like all l337speak permutations of words in the dictionary), you end up with a lot less space.

Length Size  Unit  
1        2.5 KiloByte          
2      212   KiloByte
3       17   MegaByte
4        1.3 GigaByte
5      112   GigaByte
6        9   TeraByte
7      744   TeraByte
8       59   PetaByte
9        4.7 ExaByte
10     391   ExaByte
11      31   ZettaByte
12       2.5 YottaByte

Decide for yourself which order of magnitude is still within plausible technical abilities of the attackers you consider. But when you want my opinion, I think that:

• A 5-character rainbow table (112 GB) is small enough to exchange it over todays broadband internet
• 6 characters (9 TB) is the limit of what a hobbyist or independent professional cracker can handle with consumer-grade hardware
• A 7-character rainbow table (744 TB) would fit into a SAN rack in a datacenter, so it would be within the technical abilities of a professional company to store such a table.
• An 8-character rainbow-table with 59 PB is technically quite challenging, but databases of that scale exist: Facebook manages a database with over 100PB of data, CERN has a database of 200PB of data generated by the LHC experiments. So it is within reach for a really large corporation or a government-agency with a million-dollar budget.
• 9 characters and above seems implausible with todays technology.

Answer 4

I am the author of the http://passwordcreator.org/ website. I built the site because I wanted an easier way to generate secure passwords for myself. While doing the research for the site, I learned a great deal about secure passwords.

There are distributed password crackers out there that can make 100 billion guesses per second. The NSA which is government sponsored (large budget) may be able to do an order of magnitude more.

To be secure for a year or more from this type of attack, your password must be chosen randomly from several quintillion possibilities. For password constructed randomly from the 95 characters available on most keyboards, that means that you need at a password that is at least 10 characters long for decent security right now.

If you password is generated in other ways (there are several algorithms available on my site), your password may have to be even longer to achieve the same resistance against guessing.

At 10 characters, I pretty much have to write down my random password. If that is the case for you as well, I would recommend that you increase the length to at least 14 characters which will remain secure for a longer period of time.

Answer 5

From Robert Graham excellent blog http://blog.erratasec.com/2011/06/password-cracking-mining-and-gpus.html

This is only true for random passwords, with an attacker going for exhaustive search. When attacking real people passwords, you try other approaches first.

Answer 6

Tom Leek's accepted answer is excellent. Entropy is important here, but only in context. Password length must not be neglected.

His example of an 8-character string taken from a pool of mixed case, numerals and "+/" to create a password having "a whooping 48 bits of entropy" is misleading. Here's why:

Roughly two years before this question was asked there existed, in 2012, 25-GPU Clusters that could run through every possible eight-character password containing upper- and lower-case letters, digits and symbols in less than 6 hours.

It's 2015, and while entropy is key, a string of 8 characters will never be secure enough, because in an exhaustive password search, length is the key factor, not entropy!

For example, three years ago the password Fail!007, with all of its randomness, could be brute-forced in 5.5 hours, but the passphrase this is a fail could not. To understand why we have to look at the Search Space Size, or the sum total of all possible passwords with the alphabet size up to and including the password's length.

Fail!007 with eight characters (upper, lower, numeric and symbol), has a Search Space of 6,704,780,954,517,120 or 6.70 x 10¹⁵. Yet the passphrase this is a fail, six characters longer (all mere lowercase letters), is in the Search Space of 6,300,168,733,803,741,204,487,980 or 6.30 x 10²⁴ possibilities. That's a huge difference.

If we could try one hundred trillion guesses per second, Fail!007 would fall in 67 seconds. However, this is a fail would take 20 centuries to exhaustively search the space.

Even the slightly juvenile phrase 8 is 2 small would require 3.7 years and would hold up far longer than the more unpredictable Fail!007.

Length trumps entropy.

To sum up, think passphrase, not password and make your credential longer than eight characters. Even though you inquired about them, as Tom pointed out, Rainbow Tables won't be used in the attack. Instead, I believe a dedicated hacker will use dedicated hardware that, three years ago, could only rip through a scant 95⁸ password combinations in five and half hours.

Rainbow Tables aren't the threat, dedicated cracking hardware is. Just imagine what that hardware will be able to do tomorrow.