CISSP PRACTICE QUESTIONS – 20200226

Effective CISSP Questions

Your company sells toys online and ships globally. The shopping website employs a weak password policy and stores the customer’s password as an MD5 hash in the database. After conducting a password assessment, the report discloses that many customers use the notorious naive password ‘0000’. Which of the following can best address the vulnerability to mitigate rainbow table attacks?
A. Replace MD5 with SHA2
B. Implement cell-level encryption in the database
C. Prepend or append strings before computing hashes
D. Employ initialization vector to increase entropy


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Prepend or append strings before computing hashes.

[Figure: AspNetSalt (SecurityStamp as Salt)]

A “salt” is a random string prepended or appended to a password before the password hash is computed, in order to mitigate rainbow table attacks. A rainbow table is a table of precomputed hashes of default, naive, well-known, or commonly used passwords.

Rainbow tables for different types of hashes, e.g., MD5 and SHA, are almost publicly available on the internet, so it’s no use to replace MD5 with SHA2.
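To make the effect of the salt concrete, the following is an added example (not part of the original post). It assumes a small constructed list of common passwords as a stand-in for a rainbow table and uses hypothetical function names; MD5 is kept on both sides only to isolate what the salt changes.

```python
import hashlib
import hmac
import secrets

# Constructed sample of naive passwords (assumption, not from the assessment report)
COMMON = ["0000", "1234", "123456", "password", "qwerty"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Precomputed hash -> password map: a plain lookup table standing in for a rainbow table
PRECOMPUTED = {md5_hex(p.encode()): p for p in COMMON}

def store_unsalted(password: str) -> dict:
    """The scheme from the question: bare MD5 of the password."""
    return {"hash": md5_hex(password.encode())}

def store_salted(password: str) -> dict:
    """Option C: prepend a fresh random string before hashing."""
    salt = secrets.token_bytes(16)  # new salt for every account
    return {"salt": salt, "hash": md5_hex(salt + password.encode())}

def verify_salted(record: dict, attempt: str) -> bool:
    """Login check: the stored salt is reused to recompute the hash."""
    candidate = md5_hex(record["salt"] + attempt.encode())
    return hmac.compare_digest(candidate, record["hash"])

def lookup(record: dict):
    """Return the password if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(record["hash"])

def demo() -> dict:
    users = ["alice", "bob"]  # constructed accounts, both using '0000'
    unsalted = {u: store_unsalted("0000") for u in users}
    salted = {u: store_salted("0000") for u in users}
    return {
        "unsalted_identical": unsalted["alice"]["hash"] == unsalted["bob"]["hash"],
        "unsalted_recovered": [lookup(r) for r in unsalted.values()],
        "salted_identical": salted["alice"]["hash"] == salted["bob"]["hash"],
        "salted_recovered": [lookup(r) for r in salted.values()],
        "login_ok": verify_salted(salted["alice"], "0000"),
        "login_bad": verify_salted(salted["alice"], "1234"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without a salt, every account using ‘0000’ stores the same hash and a single table entry resolves all of them; with a per-account salt the same password yields different hashes that the precomputed table does not contain, while login verification still works.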

Encrypting passwords does mitigate rainbow table attacks because attackers have to decrypt the encrypted passwords first to conduct rainbow table attacks. However, it does not address the problem directly. So, this is not the best answer.

The initialization vector (IV) is one type of “nonce” (number used once). It is commonly used in block ciphers to avoid repetitive patterns and confuse the ciphertext.

  • The IV can be publicly available as it is not the secret key that must be kept secret.
  • The IV is not a salt. A salt is reused to compute the password hash in the authentication process and must be kept secret (on the server side); it is typically changed when the password is changed.

Entropy is a measure of randomness. It measures how good or strong a Random Bit Generator (RBG) or key generator is.

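Your company sells toys online and ships globally. The shopping website adopts a lax password policy and stores each customer’s password in the database as an MD5 hash. After a password assessment, the report shows that many customers have not changed the default password “0000”. Which of the following best addresses the vulnerability to prevent rainbow table attacks?
A. Replace MD5 with SHA2
B. Implement cell-level encryption in the database
C. Prepend or append strings before computing the hash value
D. Use an initial vector to increase entropy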
