
A professor told us today that MD5 is weak. I understand his chain of thought but pointed out that IMHO MD5 is a good way to go if you use long (even really long) dynamic salts and a static pepper.

He stared at me and said NO!

IMHO the possibility of "brute-forcing" an MD5 hash with any dictionary is even simple. If you used a dynamic/varying salt it would be harder to get a match, with a complexity of O(2^n), and if I use a pepper before and after my salted password hash it would not be 100% safe but could take a long while to compute.

ack__
Alex Tape

2 Answers

There are lots of known cryptographic weaknesses in MD5 which make it unusable as a message digest algorithm, but not all of these also apply in the context of password hashing. But even when we assume that these do not exist, MD5 is still a bad password hashing algorithm for one simple reason: It's too fast.

In any scenario where an attacker obtained the hashed passwords, you have to assume that they also obtained the salt of each password and the pepper.

The only reason to use a pepper is so you can't use a rainbow table precomputed before the attack, because you need a different one for each database. The only reason to use a salt is so you can't use the same rainbow table for the whole password database, because the same password for two different accounts will have a different hash.

The length of pepper and salt doesn't matter that much. Their only purpose is to make sure that each value is unique. More length doesn't make the attack notably harder (there is more data to hash, but that's a linear increase at most).

Bottom line is, a short salt is all that is needed to make sure that the attacker has to brute-force all possible passwords to find the correct hash for every single account.

And that's where MD5's weakness comes into play: It's a fast and memory-conserving algorithm. That means an attacker can compute the hash of a large number of passwords per second. Using specialized hardware (like FPGA arrays or ASICs) worth a few thousand dollars you can compute the hashes of all possible 8-character passwords for a given salt in mere hours.

For better security, use a slow algorithm like bcrypt. It means that your system needs some more CPU cycles to authenticate users, but the payoff is usually worth it because an attacker will also need a whole lot more processing power to brute-force your password database should they obtain it.

Philipp
  • Hi, if the only problem of MD5 as a password hash function is its efficiency, wouldn't increasing the iteration count provide enough security? – Hey Apr 07 '16 at 07:17
  • @YdobEmos No. The problem is that MD5 *is a fast and memory-conserving algorithm*. Even if there was a point where enough iterations could secure it *today*, it would quickly fall to the rapid rise of computing power and the falling cost of hardware. In other words, MD5 is fundamentally flawed. By contrast, [bcrypt is significantly slower, and thus exceptionally difficult to break](http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/) – Machavity Sep 01 '16 at 14:29
  • Is there something preventing someone from setting an MD5 iteration count big enough to make it as slow as bcrypt? I know about the memory consumption, but I can't see the problem with the CPU usage. Does that have something to do with bcrypt's design that would prevent it from being accelerated, with GPUs for example? – Hey Sep 01 '16 at 18:09
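The threat model in this answer (the attacker holds the digest, the per-user salt and the pepper, so every account costs a full run over the wordlist, and the only question is how many guesses per second the hash allows), as an added Python example that is not from the original post or its author. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for the slow, iterated alternative; the pepper value, the iteration count and the six-entry wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed values for the demonstration (not from the page): a static pepper
# and a tiny wordlist standing in for a real cracking dictionary.
PEPPER = b"example-static-pepper"
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "hunter2", "iloveyou"]


def md5_salted(password: str, salt: bytes) -> str:
    """The question's scheme: pepper before and after a salted password, one MD5 pass."""
    return hashlib.md5(PEPPER + salt + password.encode("utf-8") + PEPPER).hexdigest()


def store_md5(password: str) -> Tuple[bytes, str]:
    """Server side: random per-user salt, store (salt, digest)."""
    salt = os.urandom(16)
    return salt, md5_salted(password, salt)


def crack_md5(salt: bytes, digest: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker side: salt, pepper and digest are all known, so walk the wordlist.
    Returns (recovered password or None, number of MD5 computations spent)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(md5_salted(cand, salt), digest):
            return cand, tried
    return None, tried


# Slow alternative: a tunable work factor. 100k iterations is an assumed value;
# raise it as hardware gets faster (bcrypt/scrypt add memory cost on top, which
# this stand-in does not model).
ITERATIONS = 100_000


def pbkdf2_store(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", PEPPER + password.encode("utf-8"), salt, ITERATIONS)


def pbkdf2_verify(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", PEPPER + password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def hashes_per_second(fn: Callable[[], object], rounds: int) -> float:
    """Rough single-core throughput: call fn `rounds` times and divide by wall time."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    elapsed = max(time.perf_counter() - start, 1e-9)
    return rounds / elapsed


def compare_throughput() -> Tuple[float, float]:
    """Returns (salted-MD5 guesses/s, PBKDF2 guesses/s) measured on this machine."""
    salt = os.urandom(16)
    md5_rate = hashes_per_second(lambda: md5_salted("guess", salt), 20_000)
    slow_rate = hashes_per_second(
        lambda: hashlib.pbkdf2_hmac("sha256", PEPPER + b"guess", salt, ITERATIONS), 3)
    return md5_rate, slow_rate


if __name__ == "__main__":
    salt, digest = store_md5("hunter2")
    print("salted+peppered MD5 cracked:", crack_md5(salt, digest, WORDLIST))
    md5_rate, slow_rate = compare_throughput()
    print(f"MD5: {md5_rate:,.0f} guesses/s   PBKDF2 x{ITERATIONS}: {slow_rate:,.1f} guesses/s")
    print(f"work factor on this CPU: about {md5_rate / slow_rate:,.0f}x")
```

The salt only forces the attacker to rerun the wordlist per account; the pepper only stops a table precomputed before the breach. Neither changes the cost of one guess, which is the number the last line prints. Raising the iteration count buys a linear factor the defender can tune; it is the answer's point that with plain MD5 that factor is one, and that pure-Python throughput understates the attacker's GPU or ASIC rate by orders of magnitude.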

The severity of the danger in using MD5 depends on what you're using it for, but there's no compelling reason to use it at all.

MD5 absolutely must not be used for signatures because it is possible (and continues to become more possible over time) to circumvent the protections offered by signing when MD5 is used.

If, on the other hand, your purpose is whitening random data to get a more consistent distribution of ones and zeroes, then MD5 is as good as it ever was. Note that this is not a security-sensitive operation; there is no attack vector because there is no target, nothing to be gained or lost through knowledge of the algorithm, just a simple transformation where the output is truly random because the input is truly random.

Somewhere in between these two extremes you'll find all other operations. As the sensitivity of what you're doing and your dependence on the irreversibility of the cryptographic hash increase, so the danger in using MD5 also increases.

But the best reason to not use MD5 is the same as the best reason for not using triple-DES: There are better options available, and no advantage to using the old algorithm. MD5 is dead; it might be useful in certain limited circumstances, but the better option is to avoid it entirely so as to not accidentally use it in a place where security matters.

tylerl