
About This Tool

🌈 Rainbow Table Demo – Build, Lookup & Understand Hash Attacks

A rainbow table is one of the oldest and most effective techniques for cracking hashed passwords. This interactive demo lets you build a real mini rainbow table in your browser, perform instant hash lookups, compare salted vs. unsalted hashes, and animate rainbow chains — giving you hands-on insight into why plain hash storage is dangerous.

🗂️ What Is a Rainbow Table?

When websites store passwords, they typically store the hash of the password rather than the password itself. A rainbow table is a precomputed dictionary that maps common hash digests back to their original plaintext values. An attacker with such a table can recover a password in O(1) time simply by looking up the hash: the lookup is instant regardless of password complexity, as long as the password is in the table.

For example, the MD5 hash of "password" is always 5f4dcc3b5aa765d61d8327deb882cf99. Any site that stores that hash without a unique salt exposes every user who chose "password" to a single table lookup.

🔧 How to Use This Tool

  • Build Table: Paste a list of words (one per line) and choose an algorithm (MD5, SHA-1, SHA-256, or SHA-512). Click Generate Table to hash every word and store the digest→plaintext mapping. Up to 10 000 words are supported.
  • Hash Lookup: After building a table, paste any hash digest and click Look Up Hash. The tool performs an O(1) lookup and reports the matching plaintext and elapsed time in milliseconds.
  • Salt Demo: Enter a salt string and compare salted hashes side-by-side with their unsalted counterparts. Watch how every hash changes completely — making your table useless.
  • Chain Visualiser: Enter a starting word and chain length to animate one full rainbow chain — the alternating hash→reduce→hash cycle that underpins classic rainbow table compression.

🔐 Supported Hash Algorithms

The tool supports four widely known algorithms, using the Web Crypto API for SHA variants and crypto-js for MD5 — all running entirely in your browser, with zero server contact.

| Algorithm | Digest length | Security status |
|-----------|---------------|-----------------|
| MD5 | 32 hex chars (128 bits) | ⚠ Cryptographically broken |
| SHA-1 | 40 hex chars (160 bits) | ⚠ Deprecated for security |
| SHA-256 | 64 hex chars (256 bits) | ✅ Secure for data integrity |
| SHA-512 | 128 hex chars (512 bits) | ✅ Secure for data integrity |

SHA-256/512 ≠ safe for passwords
Even SHA-256 and SHA-512 are not suitable for storing passwords directly. They are designed to be fast — exactly what attackers want. Use purpose-built slow hash functions like bcrypt, scrypt, or Argon2 for passwords.

🧂 Why Salting Defeats Rainbow Tables

A salt is a random string added to a password before hashing. Because every user gets a unique salt, two users with identical passwords produce completely different hashes. To use a rainbow table against salted hashes, an attacker would need a separate table for every possible salt value — computationally infeasible. The Salt Demo tab makes this visible: flip on a salt and watch every hash change instantly.

The formula is simple: hash(salt + password) or hash(password + salt). This tool lets you choose both positions to observe that either placement works equally well.
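
The lookup and salting behaviour described above can be reproduced in a few lines. This is an added example, not the tool's own code: the word list, the account names and the helper names are constructed for illustration, and MD5 is used only because it is the page's running example.

```python
import hashlib
import os

# Constructed word list and accounts, for illustration only.
WORDS = ["123456", "password", "qwerty", "letmein"]
USERS = {"alice": "password", "bob": "password", "carol": "qwerty"}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_lookup(words):
    """Precompute digest -> plaintext for unsalted MD5 (the Build Table step)."""
    return {md5_hex(w.encode()): w for w in words}

def salted_hex(password: str, salt: bytes, prepend: bool = True) -> str:
    """hash(salt + password) if prepend, else hash(password + salt)."""
    pw = password.encode()
    return md5_hex(salt + pw if prepend else pw + salt)

def exposed(stored: dict, table: dict) -> dict:
    """Return {user: plaintext} for every stored digest present in the table."""
    return {user: table[d] for user, d in stored.items() if d in table}

def demo():
    table = build_lookup(WORDS)
    unsalted = {u: md5_hex(p.encode()) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}  # unique 16-byte salt per user
    salted = {u: salted_hex(p, salts[u]) for u, p in USERS.items()}
    return table, unsalted, salted

if __name__ == "__main__":
    table, unsalted, salted = demo()
    # Unsalted: every account falls to one dictionary lookup.
    print("unsalted hits:", exposed(unsalted, table))
    # Salted: the same precomputed table matches nothing.
    print("salted hits:  ", exposed(salted, table))
    # Identical passwords share a digest only when no salt is used.
    print("alice == bob (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("alice == bob (salted):  ", salted["alice"] == salted["bob"])
```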

⛓ How Rainbow Chains Work

Classic rainbow tables go a step further to save storage. Instead of storing every plaintext→hash pair directly, they store chains built by alternating between a hash function and a reduction function:

P₀ → hash → H₀ → reduce → P₁ → hash → H₁ → reduce → P₂ → …

Only the chain start (P₀) and end (Hₙ) are stored. To crack a hash, the attacker applies the reduction function and walks forward until they reach a known chain end, then replays the chain from the start to recover the plaintext. The Chain Visualiser tab animates this process step by step.
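
The chain scheme above, worked through on a toy keyspace. This is an added example, not the tool's code: the 4-digit PIN keyspace, the chain length and all function names are assumptions. It also goes one step beyond the single "reduce" in the diagram by mixing the column position into the reduction, which is what distinguishes a rainbow table from plain hash chains.

```python
import hashlib

SPACE = 10_000   # assumed toy keyspace: 4-digit PINs "0000".."9999"
CHAIN_LEN = 50   # hash steps per chain (H_0 .. H_49)

def H(plain: str) -> str:
    return hashlib.sha256(plain.encode()).hexdigest()

def reduce(digest: str, pos: int) -> str:
    # Map a digest back into the keyspace. Adding the column position gives
    # every column its own reduction, which limits chain merges.
    return f"{(int(digest, 16) + pos) % SPACE:04d}"

def walk(start: str):
    """Yield (plaintext, digest) for each link of the chain from `start`."""
    p = start
    for pos in range(CHAIN_LEN):
        h = H(p)
        yield p, h
        p = reduce(h, pos)

def build_table(starts):
    """Store only end digest -> start plaintext, as the text describes."""
    table = {}
    for s in starts:
        end = list(walk(s))[-1][1]
        table.setdefault(end, s)   # keep the first chain, drop merged ones
    return table

def lookup(table, target: str):
    # Assume the target sits in column k, walk forward to the would-be
    # chain end, and replay from the stored start on a match.
    for k in range(CHAIN_LEN - 1, -1, -1):
        h = target
        for pos in range(k, CHAIN_LEN - 1):
            h = H(reduce(h, pos))
        start = table.get(h)
        if start is None:
            continue
        for p, d in walk(start):
            if d == target:
                return p
        # Reached a known end but the chain lacks the target: false alarm.
    return None

if __name__ == "__main__":
    table = build_table(f"{i:04d}" for i in range(0, SPACE, 50))
    p, h = list(walk("0000"))[17]
    print(len(table), "rows stored; recovered", lookup(table, h), "expected", p)
    print("salted digest:", lookup(table, H("somesalt" + p)))
```

The table stores at most one row per chain, yet any plaintext that appears inside a stored chain is recoverable; a digest computed over salt plus password never lands on a chain, so the lookup returns nothing.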

🛡️ Practical Takeaways for Developers

  • Never store plain hashes of passwords — MD5, SHA-1, SHA-256, and SHA-512 are all vulnerable to rainbow table and dictionary attacks.
  • Always use adaptive, slow hash functions: bcrypt, scrypt, or Argon2. These include built-in salting and are designed to remain computationally expensive as hardware improves.
  • Use unique salts per user — even a 16-byte random salt makes rainbow tables completely ineffective.
  • MD5 and SHA-1 are broken — they have known collision vulnerabilities and are deprecated for all security-sensitive uses. Use SHA-256 or higher for data integrity checksums, and bcrypt/Argon2 for passwords.
All computation is local
This tool uses your browser's built-in Web Crypto API and the crypto-js library. No data — passwords, hashes, or word lists — ever leaves your device. Safe to use with test data; still avoid real production credentials as best practice.

Frequently Asked Questions

Is the Rainbow Table Demo free?

Yes, Rainbow Table Demo is totally free :)

Can I use the Rainbow Table Demo offline?

Yes, you can install the web app as a PWA.

Is it safe to use Rainbow Table Demo?

Yes, any data related to Rainbow Table Demo is stored only in your browser (if storage is required). You can simply clear the browser cache to remove all stored data. We do not store any data on the server.

What is a rainbow table and how does this tool demonstrate it?

A rainbow table is a precomputed database mapping hash digests back to their original plaintext values. This tool lets you build a mini rainbow table by hashing a word list with MD5, SHA-1, SHA-256, or SHA-512, then instantly look up any hash to recover the original password — exactly the way real offline attacks work.

How does this Rainbow Table Demo tool work?

Enter a list of words (one per line), choose a hash algorithm, and click Generate. The tool hashes every word in your browser using the Web Crypto API (SHA variants) or crypto-js (MD5) and stores the digest→plaintext pairs in memory. You can then look up any hash to see if it matches a word in the table.

Why does adding a salt defeat rainbow tables?

A salt is a random string combined with the password before hashing. Because every salted hash is unique to that specific salt value, an attacker would need a separate rainbow table for every possible salt — making precomputed tables impractical. The Salt Demo tab lets you compare identical words hashed with and without a salt side by side.

What is a rainbow chain and how is it different from a simple lookup table?

A classic rainbow table uses chains of alternating hash and reduce operations to compress many plaintexts into a single row, trading storage for slightly slower lookups. A simple lookup table stores every hash directly. The Chain Visualiser tab animates this hash→reduce→hash… cycle so you can see the structure of a real rainbow chain.

Which hash algorithms are supported and which are considered safe?

The tool supports MD5 (32 hex chars), SHA-1 (40 hex chars), SHA-256 (64 hex chars), and SHA-512 (128 hex chars). MD5 and SHA-1 are cryptographically broken for security use. SHA-256 and SHA-512 are still secure for non-password data, but for storing passwords you should use bcrypt, scrypt, or Argon2, which are deliberately slow and resist GPU-based attacks.

Is it safe to enter real passwords in this tool?

All computation happens entirely in your browser — no data is sent to any server. Even so, best practice recommends using test or dummy passwords in any web-based tool rather than real production credentials.