Are Rainbow Tables Attacks even a threat?

Question

let's just assume a simple non salted hash function, just a plain old $hash = md5($pass).

Premises:

1. the password hashing all takes place server side, and the hashes are stored in the database. The client has no way to see these.
2. a rainbow table attack must have knowledge of the hashes in order to retrieve passwords.

Given premise 2., that would mean that the hacker already has control of the database, in which point you have a much bigger problem on your hand.

So, is the point of trying to foil a rainbow table attack simply to protect the retrieval of passwords from an already compromised database/system. Is it that simple or is there something else that I am missing.

I'm already familiar with password hashing techniques, but am just wondering why there is so much hype about rainbow tables. Thanks!

Answer 1

Yes.

Many people use the same password for everything. Compromising the original password (as opposed to simply changing it to something you know) can often give an attacker access to someone's accounts on other services.

Rainbow tables are also much less computationally intensive (simple lookup) than a dictionary attack (which requires hashing) or brute force (which requires a lot more hashing).

Use strong, unique passwords!

Answer 2

1. Password compromise doesn't require control of the database. What if I break into your car and steal a stack of DVDs with database dumps? You do back up your database, right?
2. As mentioned, people use the same password for multiple sites. HBGary fell victim to this when they were hacked by Anonymous recently. One server with an SQL injection vulnerability turned into a much larger compromise.
3. If I have access to your database for five minutes and get the hash, I now have access to your account until you change the password.
4. Salt is cheap.
5. You should use a key derivation function anyway, not a salt.