2

I'm not a security expert but I've got interested in Cryptography and I'm reading about it.

I was trying to find out which is the best between SHA256, Bcrypt and MD5 when it comes to hashing passwords and apparently SHA256 is fast, and MD5 has collusion bug If I understood correctly, and It should not be used at all.

So I'm left with Bcrypt which looks like the best option since It's slower and that is better when it comes to brute force attacks.

My question is, regarding MD5, what is this collision attack it has and how bad is it?

Csharpnewbie
  • 33
  • 1
  • 3
  • 1
    It should be easy to find out what a collision attack is, for example by reading [Wikipedia: Collision attack](https://en.wikipedia.org/wiki/Collision_attack). To cite: *"Mathematically stated, a collision attack finds two different messages m1 and m2, such that hash(m1) = hash(m2)"*. Apart from that collisions at the level MD5 allows (i.e. nearly impossible to have an accidental collision) are not relevant in the context of password hashing. – Steffen Ullrich Dec 18 '18 at 18:04
  • You can use Argon2 as PBKDF3, and see also this quesion [how to securely hash passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) – kelalaka Dec 18 '18 at 20:36

1 Answers1

7

Collision attacks aren't an issue when dealing with password hashes. The issue with both SHA256 and MD5, from a password hashing perspective is that they're both much too fast. MD5 is quite a bit faster than SHA256, in fact.

To clarify what a collision attack is, and why it doesn't matter when dealing with password hashes, it is when a hash function allows an attacker to find two inputs that result in the same hash value. The fact that the attacker can control and manipulate both inputs in order to find a colliding value is critical. When you have a password hashing system, however, the attacker does not have to ability to control the first input. The password creator controls the first input. The attacker only has the resulting hash value from the first input, and the ability to attempt to create a matching hash from a second input which they do control. If they can find a second input that creates an identical hash, this is not a collision attack, but a 2nd pre-image attack, and not even MD5 is susceptible to these.

So, ultimately, the speed is the only issue, in that people choose passwords poorly, and the speed with with an MD5 hash can be computed is rapid enough for an attacker to attempt many, many potential input candidates in order to find the one the results in the password hash.

Xander
  • 35,525
  • 27
  • 113
  • 141