When you crack NTLM hashes with RainbowCrack using a rainbow table you generated yourself, why does it find some passwords but not others?
A rainbow table only covers the exact (algorithm, charset, length range) it was built for — passwords outside that coverage simply aren't in any chain, so they can't be found.
* Hash chains alternate hashing and reduction functions. — Dake, CC BY-SA 2.5, via Wikimedia Commons. *
The workflow:
- Generate an NTLM table with WinRTGen (e.g. lengths 4-6,
loweralphacharset) - Open RainbowCrack (
rcrack_gui.exe) and load the NTLM hashes from the PWDUMP file - Point it at your generated table — it starts cracking automatically
Why coverage is partial:
Your table was built for, say, lowercase passwords of length 4-6. So:
- A password like
haus(lowercase, in range) → found - A password with uppercase, digits, symbols, or length 7+ → not in the table → not found
This is the whole point to notice: a rainbow table is a fixed precomputed structure, not magic. Anything outside its charset/length window is invisible to it.
Speed vs Ophcrack:
A small, targeted self-made table can crack the passwords it does cover very fast (fewer, denser chains for a narrow keyspace) — often dramatically faster than a large general-purpose table like Ophcrack's, which spreads its chains over a much wider keyspace.
The lesson:
Choosing a password outside common table charsets (length 12+, mixed character types) is exactly what makes rainbow-table attacks fail — there's no chain that ever generated your password.
Tip: This is the practical flip side of the salting card: even without a salt, a long enough or unusual enough password falls outside any feasible table's coverage.
Go deeper:
Rainbow table (Wikipedia) — coverage depends on charset, length range and chain count; passwords outside the keyspace are never in the table.