Deepak Gupta

Rainbow Table.

A precomputed lookup table mapping common passwords to their hashes, used to reverse unsalted password hashes by lookup instead of cracking.

Rainbow tables answer the question "why do we salt?" — without salt, every user with the same password has the same hash, and the attacker only needs to lookup hashes from one giant precomputed table. With salt, the precomputation is per-user, which means the attacker has to start over for every user, which means rainbow tables stop being a viable attack.

Modern systems using Argon2id, bcrypt, or scrypt with proper per-user salts are not vulnerable to rainbow tables. The legacy threat lives in databases still storing SHA-1 or unsalted MD5 — and those exist in production more often than you would hope, particularly in older PHP and Java applications that were never migrated.

Common questions

Why does salting defeat rainbow tables?

Are rainbow tables still a threat in 2026?

Is a rainbow table the same as a brute-force attack?

Related terms

In the guides

Password Security and Storage: Hashing, Salting, and What Actually Works in 2026
Passwords still exist, and storing them correctly still matters. The 2026 production-grade answer: Argon2id with per-user salt, optional pepper, no fast hashes, no reversible encryption.