78

Apparently Yahoo was hacked yet again with up to a billion user accounts being compromised. The article says Yahoo uses MD5 for password hashing.

Are the hackers likely to be able to crack the passwords too? How long will it take to crack 1 password? Is the time to crack 1 billion , just 1B * t ?

Monty Harder
  • 476
  • 3
  • 6
soadyp
  • 895
  • 2
  • 7
  • 11
  • 25
    This cannot be properly answered since anyone who simply used one of the most common insecure passwords like 12345 or Password123 will be done in seconds. But secure and longer passwords will take a lot more time. – Julian Knight Dec 15 '16 at 07:44
  • 4
    Some team build a computer that could do [350 billion guesses per second](http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/)... and that was in 2012. – Jacco Dec 15 '16 at 08:13
  • 47
    Don't forget this happened in 2013 - most of the passwords could already be cracked. – grc Dec 15 '16 at 12:24
  • 11
    To quote from the site *“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, **in August 2013**, stole data...* – xanatos Dec 15 '16 at 13:51
  • 2
    Most of the passwords have been cracked _before the hack even happened_. There are numerous databases with precalculated hashes, and even online services which let you search for a match: http://md5decryption.com/ –  Dec 15 '16 at 13:59
  • 1
    @grc Unless they're using MD5 as the base for a prf, I'd say that after 3 years, they've got everything they're ever going to. – Leliel Dec 15 '16 at 18:29
  • 1
    @soadyp Some passwords will be MUCH easier to crack than others. For instance, if you made the mistake of using one of the most common (and short) 10,000 passwords, those can be rainbow tabled in linear time, yes. For people who used longer-and-more-complex passwords, MD5 still has 123 bits of complexity. And the time to break each password will depend on its length-and-complexity, which will take greater than linear time to crack. – john_science Dec 15 '16 at 18:45
  • I find inexcusable that a site with such a large database would use simple MD5 hashes unencrypted in the database. I would personally take a SHA256 hash of the password, use that to encrypt the public key to their generated private RSA key with AES, and store the encrypted cipher in the database. If someone gets the database, they still need to A) figure out the password to hash, B) use the hash to decrypt the cipher, and C) use the decrypted cipher as my public key to try to decrypt other stuff (typically account details). And even if they do, they have access to ONE account. – Drunken Code Monkey Dec 16 '16 at 02:25
  • I read after i posted the Question, that it relates to an Incident in AUG 2013. Im not sure why this suddenly became a news topic again. I changed my password for the 2nd time on Yahoo inside 2 years. – soadyp Dec 16 '16 at 08:18
  • 1
    @soadyp - it's news because we now know that a significant number more than originally thought had been stolen, this information is new. – James Snell Dec 16 '16 at 09:52
  • Hmmm, I wonder if Yahoo salts the passwords before hashing... – Radu Murzea Dec 16 '16 at 09:56
  • You need to understand that since day one that MD5 was invented, a multitude of actors (good or bad) had started working towards building a complete hash database of character combinations and their resulting hash (most likely at least all Permitations of the 128 US-ASCII characters in sets of at least 15-20) So this means that in the wrong hands, his can be cracked in seconds since big data lookup is ever increasingly faster – dwkd Dec 17 '16 at 02:20
  • 4
    Most likely the correct question would be "how long *did* it take"... – user541686 Dec 18 '16 at 00:42

4 Answers4

68

Yes, they were likely able to crack many of the passwords in a short time.

From the official Yahoo statement:

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

MD5 is a disputable choice for password hashing because its speed makes cracking MD5-hashed passwords really fast. Also, they are likely not salted, since Yahoo would have certainly let us know. (A salt would have helped to prevent the use of rainbow tables while cracking.)

You can see the drawbacks of simple MD5 hashing when you compare it with the Ashley Madison breach in 2015 which leaked 36 million accounts. In that case, they used bcrypt with 212 key expansion rounds as opposed to Yahoo's plain MD5 which is why back then researchers could only decipher 4,000 passwords in a first attempt.

From the article:

In Pierce's case, bcrypt limited the speed of his four-GPU cracking rig to a paltry 156 guesses per second. [...] Unlike the extremely slow and computationally demanding bcrypt, MD5, SHA1, and a raft of other hashing algorithms were designed to place a minimum of strain on light-weight hardware. That's good for manufacturers of routers, say, and it's even better for crackers. Had Ashley Madison used MD5, for instance, Pierce's server could have completed 11 million1 guesses per second, a speed that would have allowed him to test all 36 million password hashes in 3.7 years if they were salted and just three seconds if they were unsalted (many sites still do not salt hashes).

So, cracking a large portion of the Yahoo passwords is a matter of seconds (while some stronger passwords will remain unbroken). An exact answer would depend on the available computation power and the password security awareness of Yahoo customers.

1As @grc has noted, 11 million hashes per second appears rather slow. @Morgoroth's linked 8x Nvidia GTX 1080 Hashcat benchmark (200.3 GH/s for MD5 total) is a good resource for more up-to-date measurements.

Community
  • 1
Arminius
  • 43,922
  • 13
  • 140
  • 136
  • 29
    11 million guesses per second seems quite slow for MD5. – grc Dec 15 '16 at 07:52
  • 3
    *"The MD5 algorithm is obsolete and cracking MD5-hashed passwords is super-fast."* You make it sounds like MD5 is a broken hashing algorithm. And yes, MD5 certainly has flaws, but it's still fine for password hashing. However, using a single round of *any* hashing algorithm is wrong. MD5 as PRF is perfectly fine, just like SHA1/SHA2/etc. – Luc Dec 15 '16 at 07:52
  • So if Yahoo didnt SALT, we are looking at weeks and all/most passwords are cracked. Wow, I will give people a chance to comment before marking correct answer. – soadyp Dec 15 '16 at 07:59
  • 6
    @Luc MD5 as PRF, sure. But MD5 for a password that should not be easily recovered in case of a breach? Why wouldn't there be a slower function the better choice? – Arminius Dec 15 '16 at 08:01
  • @Luc I softened the statement a little. – Arminius Dec 15 '16 at 08:11
  • @Luc I agree with you in principle, but had they used multiple rounds I assume they would have mentioned it, as it would had made them look a little better. – Anders Dec 15 '16 at 08:45
  • @Anders that's not the point. The point is that *any* hashing algorithm would have been just as bad, but instead people keep repeating how terrible a choice md5 in particular is. What you need is an algorithm designed for password storage like bcrypt (as we, on this site, all know). – Luc Dec 15 '16 at 09:07
  • 40
    "Also, they are likely not salted, since Yahoo would have certainly let us know" - How on Earth could a tech company as large as Yahoo not have been salting their password hashes?!? If this is true, it's inexcusable. – aroth Dec 15 '16 at 12:06
  • 30
    @aroth Really? Is this your first time hearing of a big hack? Until fairly recently it was pretty common to hear about passwords stolen _in plain text_. Its still totally inexcusable, but you shouldn't see it as so surprising. – David says Reinstate Monica Dec 15 '16 at 15:02
  • 16
    @Luc the thing is if you say "MD5 is fine for password hashing provided you use a big number of rounds" most people hear "MD5 is fine for password hashing" completely ignoring the rest. This way saying that MD5 is unsuitable for password hashing will at least prompt some people to ask "Okay, so WHAT is suitable?" and maybe this way we can propagate the knowledge about how to do things rights. – Maurycy Dec 15 '16 at 15:08
  • If these are unsalted passwords, then any competent hacker will already have access to a full rainbow table. Even the most "secure" passwords would break instantly if the table had them, and we've had quite a long time to generate tables of any reasonable size & complexity. –  Dec 15 '16 at 15:51
  • 7
    @Luc Anyone who doesn't already understand that "MD5 is broken for password hashing" implicitly refers to the simplistic, single hash has no business trying to roll their own many rounds hashing scheme using MD5. If a person doesn't know enough about hashing to have a discussion about it, they should be using standard implementations that handle those details for them. Full stop. Besides, isn't even multiple round hashing of MD5 more easily optimized in GPUs than others, which makes it inferior as a password hashing algorithm? – jpmc26 Dec 15 '16 at 16:47
  • @Thebluefish Anyone who watched Computerphile (on Youtube) already has a basic understanding on how to "crack" MD5 hashes. The video has enough detail on how to do it, I can link it if you want. – Ismael Miguel Dec 15 '16 at 18:18
  • 4
    @Thebluefish A rainbow table won't contain the most secure passwords. I would rate it as extremely unrealistic that anybody have ever computed a rainbow table covering 2⁹⁰ or more hashes. And if somebody had a rainbow table covering that many hashes, there would still only be 1 in 274877906944 chance that it would contain a match for my password. So the most secure passwords are still secure even if hashed with an unsalted MD5. In spite of that it is still utterly inexcusable to not be salting your hashes. – kasperd Dec 15 '16 at 21:28
  • 4
    @kasperd It sounds like your password is probably longer than Yahoo's maximum 20 character limit. I'll agree that without limits, it's very easy to make a difficult password; but these damn restrictions... –  Dec 15 '16 at 21:32
  • 4
    @Thebluefish I didn't know about the 20 character limit. That is also inexcusable. Though 20 characters chosen randomly from all of the printable ASCII characters will give you approximately 131 bits of entropy, and MD5 only has 128 bits of output. So the 20 character limit would not be the weakest link. – kasperd Dec 15 '16 at 21:41
  • 1
    @DavidGrinberg - Yes, really. The startup I was working with in 2004 knew enough to salt and hash its passwords. The medium enterprise I worked at afterwards (ca 2007) knew the same. As have the small businesses I've worked with more recently. And in this case, we're talking about a $36-billion technology company which at one point ranked as a peer to Google, and a breach which occurred in 2013. I don't see how that level of rank incompetence is possible, let alone predictable or even unsurprising. – aroth Dec 16 '16 at 03:08
  • 5
    Hashcat benchmark for a new GTX 1080.. 25 Billion hashes per second (per device) on MD5 https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40 – KDEx Dec 16 '16 at 07:57
  • @Luc MD5 is broken but fine for password hashing? Oh please stop saying that. MD5 is fast and that is good. But it's not usable for password hashing. Saving an MD5 or saving plaintext doesn't make a difference. Use bcrypt if you want to store passwords – BlueWizard Dec 16 '16 at 15:17
  • "in some cases, encrypted or unencrypted security questions and answers." so you are telling me they encryted their security questions but didn't used MD5 for their passwords? Yahoo get your shit together. You should not encrypt the question/answers and you should not use MD5 for the passwords. But should use bcrypt with a big amount of salt. Everything below that is just dangerous – BlueWizard Dec 16 '16 at 15:20
  • @aroth Yahoo's password database probably dates back to 1995. Plus, Yahoo is notorious for their terrible security. I would be very surprised if the passwords were salted. – Brian Dec 16 '16 at 18:52
  • Small correction: Ashley Madison DID in fact use MD5 for some of their passwords. about half of the userbase had an additional stored hash of their password with some additional data in there like a username and a fixed string suffix. These passwords were hashed with unsalted MD5 and were rather easily recovered. – Nzall Dec 17 '16 at 17:35
  • 2
    Why would anybody have even considered using MD5 for password hashing under any circumstances after about 1997(ish)? This was completely inexcusable on Yahoo's part. Utter bush-league amateur-hour baloney and no excuses. – Craig Tullis Dec 18 '16 at 02:57
  • 1
    @Craig When I installed my first Linux system in 1999, `/etc/shadow` was using salted MD5 by default. And at that time I had to use systems on a daily basis on which the original DES based `crypt` algorithm was still being used for compatibility reasons. And if a salted MD5 hash is brute forced, it is partly the users own fault for choosing such a weak password that this could happen. – kasperd Dec 18 '16 at 08:57
  • @Thebluefish When I changed my password on Yahoo in response to the breach (my account is ages old, dating back to the eGroups days; I haven't actually used Yahoo in years), the maximum length as enforced by the password change web form was 32 characters. Still inexcusable IMO (it made me have to special-case Yahoo in my password manager, and it basically prevents using anything resembling a secure passphrase) but not quite so bad as would be a maximum of 20 characters. I think Paypal has a limit of 20 characters, though... – user Dec 18 '16 at 13:15
  • @kasperd Even the UNIX DES `crypt` uses a salt. It's small by today's standards (12 bits), but it's a salt, and it was probably quite sufficient at the time. – user Dec 18 '16 at 13:21
  • @MichaelKjörling The largest problems with the DES based `crypt` is that it truncates passwords to 8 characters. The second largest problem is that the produced hash value is only 64 bits. The small salt comes in as the third worst problem. And based on my understanding of how that algorithm works, it was a totally arbitrary choice to use 12 bits. They could have had 64 bits at no extra cost. The point of my comment was that in 1997 it would be a sensible choice to go with MD5, but having no salt was inexcusable. – kasperd Dec 18 '16 at 14:21
  • @MichaelKjörling With 12 bits of salt it takes about 2⁶ passwords before you can expect to see the first salt collision. If you have 10 users and require them to change password once per year, you can expect a salt collision in about 6 years. If you have 100 users you can expect a salt collision before anybody have changed password for the first time. And many sites will have even more users than that. So I don't think 12 bits of salt was sufficient even back in those days. – kasperd Dec 18 '16 at 14:28
  • @kasperd you're not seriously suggesting that was still secure? As others have said, at least Linux password hashes were salted then, but the passwords were still truncated at 8 chars and salt was only 2 bytes. I was doing sha-1 with unlimited length passwords and 8 bytes of salt in systems I built at that time, and using HMAC algo's with multiple rounds shortly after. But too many were doing straight MD5, then straight SHA-1, and that's the only reason rainbow tables were ever even a viable attack vector. – Craig Tullis Dec 18 '16 at 15:14
  • Now, nearly 20 years later Yahoo still apparently has some straight MD5 hashes around because Mayer refused to enforce password changes/upgrades. My point is that a security-conscious, forward looking huge public Internet company would have been serious about this 20 years ago. Yahoo apparently *still* isn't serious about it. – Craig Tullis Dec 18 '16 at 15:21
  • @Craig Yes. **I am seriously suggesting that MD5 crypt was still secure in 1997**. And not just that. In 1997 MD5 was state of the art. It wasn't until 1999 that an alternative was proposed. And as of 2007, [MD5 was still the strongest NIST approved primitive supported by the crypt library](https://www.akkadia.org/drepper/sha-crypt.html). Stronger hashes are supported today. But even today the only need for hashes stronger than MD5 is to compensate for users choosing weak passwords. – kasperd Dec 18 '16 at 17:24
  • @kasperd: Since SHA-0 was published in 1993 and SHA-1 in 1995, MD5 was decidedly not state-of-the-art in 1997. Users choosing weak passwords is the norm, and you are doomed to failure trying to change that. So MD5 is inadequate on that basis alone. '97 might be a teensy bit early for my assertions, but if so, only by a year at most. Who cares what hash primitive NIST approved in 2007, respectfully. SHA-1 isn't even considered adequate today, and MD5 is far more susceptible to collisions than SHA-1. – Craig Tullis Dec 18 '16 at 17:39
  • @Craig I am specifically talking about password hashing, not cryptographic hashing in general. Additionally it takes time from a cryptographic primitive is published until it can be considered secure. – kasperd Dec 18 '16 at 17:44
  • There was a 25-GPU cluster burning through MD5 hashes at 180 billion per second in 2012. It was burning through 63 billion SHA-1 hashes per second. It only managed 71,000 bcrypt hashes per second, and 364,000 sha512crypt hashes per second. I mean, you're obviously free to use MD5 for your own stuff if you want, but *I'm* not going to. :-) – Craig Tullis Dec 18 '16 at 17:52
  • @Craig It needs to be 7 orders of magnitude faster in order to break a strong password before the sun burns out. I am not going to put an effort into configuring any system to use a hash as weak as MD5 today, because old the software I use happen to be using stronger hashes by default. I will however offer to pay you [100 euro](http://kasperd.net/~kasperd/break-my-hash) if you can prove me wrong. – kasperd Dec 18 '16 at 18:29
  • LinkedIn, 140,000,000 passwords cracked, and those were done with SHA-1. Does PayPal work for you? I'm kidding. :) What was the recent breach where 4,000 bcrypt-hashed passwords were discovered within a few days? You'll never win trying to make people use stronger passwords. They will, or they won't. Seriously, though, the newer/stronger algorithms are just so easy to use that I don't see the point in the argument. Anything without salt is just silly. With salt, MD5 is still weaker. No point arguing, time to move on. – Craig Tullis Dec 18 '16 at 18:34
  • @Craig I am not going to defend a statement I didn't make. Pay better attention to what I actually wrote. – kasperd Dec 18 '16 at 19:09
  • Well, you wrote quite a lot, with the general thrust being defense of MD5 for hashing passwords. Don't get so worked up. The point of this discussion is that Yahoo was using straight MD5 hashes for passwords, which was a deplorable, utterly non-secure practice which, frankly for a company at their scale, should probably be actionable. – Craig Tullis Dec 18 '16 at 19:12
  • @Craig I am not defending MD5. I am defending strong passwords and the use of salt in password hashing. If users care about security they are better off assuming websites will store passwords as unsalted MD5 hashes and choose their password accordingly. And there is such a thing as a password that remains secure under such a weak hash. Unsalted MD5 hashes is the weakest way to store passwords where it is still possible for users to compensate for that weakness by choosing a sufficiently strong password. Anything weaker than MD5 and it is already game over. – kasperd Dec 18 '16 at 20:30
21

(Summary is in the last paragraph.)

How long will it take to crack 1 password? Is the time to crack 1 billion, just 1e9 * t?

Imagine I have this hashing algorithm:

function hash(password):
    hash = 0
    foreach character in password:
        hash = hash + toNumber(character)
    return hash

If you call hash("ab") it might return 3, since the first character's numeric value could be 1 and the second could be 2, and it adds them up, resulting in 3.

Now if you have a database full of numbers, like 583, 140, 8582, etc., how long would that take to crack?

In this example, hash("ab") would result in 3 as well as hash("ba"), which is called a collision (two inputs mapping to the same output). In md5 this does not happen so easily. The order matters and you cannot derive any information about the input given the output. Not even the length.

So you have to resort to just trying all possibilities until you find one that gives you the right output. If someone has a strong, random, 20-character password, it could take centuries. But most people use passwords like "horselover49", "letmein" or "penis" (though the latter might be too short), which are much easier to crack.

The reason everyone's complaining about using md5 is because it's fast. But hashing algorithms are made to be fast. MD5 might be broken for other purposes, but it isn't for password hashing. You just shouldn't use a single pass of any hashing algorithm, be it md5 or sha1 or sha512.

Better algorithms, like bcrypt/scrypt/pbkdf2/etc. use a hashing algorithm a million times (among other things). Now instead of being able to run the algorithm once for every guess, you need to run it a million times for each guess. That takes a lot longer, allowing you to try fewer passwords, which better protects weak passwords.

So yeah, the same is going to happen as with other breaches that used MD5: lots of passwords will be cracked. But they won't all be cracked and definitely not in linear time. The stronger ones will take exponentially more time.

Luc
  • 31,973
  • 8
  • 71
  • 135
  • 2
    Won't running MD5 multiple times still be vulnerable to rainbow tables? I'm still getting my head around rainbow tables so I could be way off here. – JimmyJames Dec 15 '16 at 14:48
  • 57
    'But most people use passwords like [...] "penis" (though the latter might be too short)', please tell me that was intended. – Brian H. Dec 15 '16 at 15:40
  • 6
    @Brian some people just can't resist that joke :-) – John Dvorak Dec 15 '16 at 16:01
  • 2
    @JimmyJames Most rainbow tables assume the hash was only calculated once on the original password. You could build a custom rainbow table using a specific number of multiple hashings, but it would really only be useful if the leaked passwords used a matching hash count. That could be hard to predict. You're almost certainly better off just cracking that type of hash. – PwdRsch Dec 15 '16 at 16:32
  • 4
    @Brian Yes[.](http://because.a.tweet.doesnt.fit.lucb1e.com/?text=This+is+to+fill+up+the+minimum+length.) – Luc Dec 15 '16 at 17:17
  • 1
    "Better algorithms, like bcrypt/scrypt/pbkdf2/etc. just use a hashing algorithm a million times." Is that actually true? I was under the impression that algorithms like bcrypt, scrypt, etc. were specifically designed to be more computationally expensive vs. cracking (esp. GPU cracking) than predecessor methods (like MD5) on a round for round basis. Of course, separate and apart from that increasing the number of rounds used can also be an important improvement. – mostlyinformed Dec 16 '16 at 03:37
  • @mostlyinformed Right, that was badly phrased. Pbkdf2 and bcrypt pretty much only iterate as far as I know, but scrypt is memory-hard and argon2 has parameters to control the amount of parallelism and memory. Rephrased the post in a way that is hopefully clear to beginners while also accurate. – Luc Dec 16 '16 at 08:11
  • @PwdRsch, IIRC md5 *specifically* is still vulnerable because of collisions. – redstarcoder Dec 16 '16 at 19:12
  • 2
    @redstarcoder [No](http://security.stackexchange.com/a/19908/10863). Highlights: *"md5 for passwords is a bad idea. Not because of MD5's cryptographic weaknesses, but because it's fast."* and "*an attacker can produce two files with the same hash, if he has control over both of them. But he can't match the hash of an existing file he didn't influence."* (Replace "file" with "password" there.) – Luc Dec 17 '16 at 10:13
  • @JimmyJames rainbow tables available now can go up to 10-ish characters. MD5 returns a 32 character hex string. Rainbow tables for 32 character hex strings would be easier to generate because they have 16 possible characters in use, but there are 32 of them, so these would be massive tables to calculate at this time. Therefore multiple hashes would be harder to retrieve without a comparison DB of cracked passwords. If someone gained access to the box there are easier ways to get the passwords. – AbsoluteƵERØ Dec 17 '16 at 18:38
  • @AbsoluteƵERØ A MD5 hash is 128 bits. You can represent that as 16 bytes, 32 hexadecimal digits, 22 Base64 characters, or any other representation you might want to use. There is absolutely no reason why a rainbow table (which is already going to be large) should double the storage requirements for the hashes compared to what is necessary to represent the data. – user Dec 18 '16 at 14:40
  • @MichaelKjörling He's talking about hashing a hash. Assuming it's 32 digits, the rainbow table would need to contain the 32 digit hash. He's more likely to run into a collision to reverse a double hash than the actual password itself. (More than one phrase can create the same MD5 hash.) That being said, calculating rainbow tables of 32 characters is insane. What do you not understand? – AbsoluteƵERØ Dec 19 '16 at 03:45
  • @AbsoluteƵERØ You wrote that "MD5 returns a 32 character hex string." MD5 does nothing of the sort. MD5 is a way to compute a 128 bit value, which in turn *can be expressed* as 32 hexadecimal digits. It can also be expressed as 16 bytes. – user Dec 19 '16 at 09:17
  • @MichaelKjörling I think I can clear this up. My original question was based on the mistaken idea that rainbow tables take the result of the hash and hash that again, which they almost do except that I forgot about the reduction step which I think it what AbsoluteƵERØ was elaborating on. – JimmyJames Dec 19 '16 at 14:32
  • Thanks Jimmy. @MichaelKjörling Yahoo, the hacked party uses php, primarily, and the md5 function implemented by most PHP programmers is md5(). According to the manual, md5() "returns the hash as a 32-character hexadecimal number." I am well aware that 128-bit values can be written in multiple ways. http://php.net/manual/en/function.md5.php – AbsoluteƵERØ Dec 21 '16 at 06:09
5

Remember that time to start getting usable passwords out of the system is much less than time to find the password of any one particular user. Pick a password, hash it, find all the users whose password hashes to that value (extremely fast if you've previously stored the users in a hashtable keyed by the password hash), repeat. In this large a pile of users, almost any password is likely to have someone using it, and common/sloppy passwords will have many people using them.

user
  • 7,670
  • 2
  • 30
  • 54
keshlam
  • 450
  • 2
  • 6
  • This is only true if the passwords were hashed without salt. If salt is used, no two hashes will match even if you have millions of identical passwords. If you use a slow enough password hashing algorithm (bcrypt, scrypt or even pbkdf2), then brute-force guessing one password hash at a time will be slow enough to hopefully give users enough time after the discovery of a breach to change their passwords on the live sites so that the brute-forced passwords are no good to the bad guys. Especially for users who chose long, strong passwords to begin with. – Craig Tullis Dec 18 '16 at 17:58
3

We don't know without additional information.

First, it has been said "they used MD5". Taking a password and hashing it with MD5 is very, very fast. As has been said, there are machines that can make 28 billion password guesses and calculate MD5 hash codes per second. That would be bad. However, they might have used multiplie rounds of hashing with MD5. They might have hashed the password, then hashed the result of further million times. Now the number of passwords that can be guessed and the hash calculated is "only" 28,000 per second.

Second, we need to know whether the passwords were "salted". "Salted" password means that for every user, a different "salt" is added to the password. For example, if I stupidly used the password 1234 and you stupidly used the same password, then our "real" passwords might be k39fja0eflaei-1234 and oe0vnda9afnlad-1234. So even if my password is cracked, this doesn't help cracking your password. Every password has to be cracked individually.

With unsalted passwords, each of the 28,000 password guesses will succeed if any of the billion users used that password. So with a few billion guesses, all the easier passwords will be cracked. With salted passwords, it takes a few billion guesses will only get you a few easy passwords. But if they used plain MD5, then 28 billion password guesses per second will crack things quite quickly, even with salting.

gnasher729
  • 1,823
  • 10
  • 14