{"id":449,"date":"2021-06-22T10:39:52","date_gmt":"2021-06-22T08:39:52","guid":{"rendered":"https:\/\/infosecscout.com\/?p=449"},"modified":"2023-11-22T13:02:15","modified_gmt":"2023-11-22T12:02:15","slug":"is-md5-easy-to-crack","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/","title":{"rendered":"Is MD5 Easy to Crack? (and how long does it really takes)"},"content":{"rendered":"\n<p>Many legends are discussed about the MD5 algorithm, but it&#8217;s time to break the myths and talk about real facts. Is the MD5 algorithm still safe to store passwords? That&#8217;s what we&#8217;ll see in this article.<\/p>\n\n\n\n<p><strong>The MD5 algorithm is no longer considered safe to store passwords, as it&#8217;s coming more and more easy to crack them. As an example, it&#8217;s possible to brute force an 8-characters password in a few minutes. <\/strong><\/p>\n\n\n\n<p>The short answer is that MD5 is becoming easier and easier to crack. I&#8217;ll explain why in this article, how the hackers are doing this, and what you can do against it.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#Can_you_crack_MD5\" title=\"Can you crack MD5?\">Can you crack MD5?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#How_safe_is_MD5_hash\" title=\"How safe is MD5 hash?\">How safe is MD5 hash?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#How_long_does_it_take_to_crack_MD5_passwords\" title=\"How long does it take to crack MD5 passwords?\">How long does it take to crack MD5 passwords?<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#How_MD5_decryption_works\" title=\"How MD5 decryption works?\">How MD5 decryption works?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#Brute-force_attacks\" title=\"Brute-force attacks\">Brute-force attacks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#MD5_databases\" title=\"MD5 databases\">MD5 databases<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/#What_are_alternatives_to_MD5\" title=\"What are alternatives to MD5?\">What are alternatives to MD5?<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Can_you_crack_MD5\"><\/span>Can you crack MD5?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>The MD5 algorithm is a one-way hash function, it&#8217;s not reversible. So, there is no direct method to decrypt a hash and get back the original password. <\/strong><\/p>\n\n\n\n<p>But it doesn&#8217;t mean that MD5 is safe, we&#8217;ll see why.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_safe_is_MD5_hash\"><\/span>How safe is MD5 hash?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>In 2005, Bruce Schneier, an American cryptographer, declared that the MD5 algorithm was broken. The main reason was that collisions has been detected in the hash function.<\/strong><\/p>\n\n\n\n<p>That&#8217;s still an issue today, but not the only one. With the high improvements in the computer technology, there is another important one: speed. MD5 has been designed to be particularly fast to use, and that&#8217;s made its success.<\/p>\n\n\n\n<p>You can convert thousands of passwords to MD5 hashs in a few seconds, so the system can have a great response time. It was an important factor at the beginning of the Internet. But now, this strengh plays against it.<\/p>\n\n\n\n<p>MD5 is too exposed to brute force attacks. With current GPU, computers can quickly generate billions of MD5 hash from random words until they find the corresponding one. That&#8217;s the principle of brute force attacks (<a rel=\"noreferrer noopener\" href=\"https:\/\/infosecscout.com\/how-to-brute-force-a-password\/\" data-type=\"post\" data-id=\"56\" target=\"_blank\">as explained in this article<\/a>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_long_does_it_take_to_crack_MD5_passwords\"><\/span>How long does it take to crack MD5 passwords?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>With the current technology, it takes a computer 8 hours to crack a complex 8-characters password (numbers, upper and lowercase letters, symbols). <\/strong><\/p>\n\n\n\n<p>So, that&#8217;s pretty fast. The computer will try every combination until finding the correct one. And it doesn&#8217;t really take much longer if there is a huge list of passwords to crack. Each combination is converted to the corresponding MD5 hash and compared to the whole list in no time.<\/p>\n\n\n\n<p>The best way to protect you against this is to use long passwords. Complexity had a bit of time, but password length is the main factor. To be safe, never use a password shorter than 15 characters. A passphrase like &#8220;ILoveMD5Online.org&#8221; will be much complicated to crack than &#8220;56%AfZ@&#8221;, and also way easier to remember.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"1000\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords.jpg\" alt=\"\" class=\"wp-image-450\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords.jpg 1000w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-300x300.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-150x150.jpg 150w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-768x768.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p>This infographic From <a rel=\"noreferrer noopener\" href=\"https:\/\/www.hivesystems.io\/blog\/are-your-passwords-in-the-green\" target=\"_blank\">Hive Systems<\/a> shows how much time the computer needs to crack your password, depending on its length and complexity. Remember that technology improve fast and hackers can use supercomputers if the attack is worth it (with companies password for example). <\/p>\n\n\n\n<p>To know if your password is safe enough, you can use <a href=\"https:\/\/www.security.org\/how-secure-is-my-password\/\" target=\"_blank\" rel=\"noreferrer noopener\">this tool<\/a> that has been used to generate this table. It will show you how much time will be required to crack your password.<\/p>\n\n\n\n<p>How to use safer passwords?<\/p>\n\n\n\n<pre class=\"wp-block-verse\"><strong>As a whole, use long passwords with character variety (always one symbol at least), don't user real words. Use a different password on each website or application. A password manager can help you to keep them safely, don't store them anywhere else.<\/strong><\/pre>\n\n\n\n<p>Anyway, that&#8217;s not the goal of this article, but it was an important reminder. MD5 is not safe, but using short passwords  won&#8217;t be safe, whatever the algorithm used by the developer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_MD5_decryption_works\"><\/span>How MD5 decryption works?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>As there is no reverse function to decrypt a MD5 hash, MD5 decryption doesn&#8217;t exist. But techniques like brute-force or dictionary attacks are really efficient to have the same result. The idea is to hash a huge number of words into MD5, and try to find a match.<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/infosecscout.com\/how-md5-decryption-works\/\" data-type=\"post\" data-id=\"31\">I have an entire article on this topic<\/a> that you can read for more details, but I&#8217;ll give you a summary here.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Brute-force_attacks\"><\/span>Brute-force attacks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The first way to decrypt an MD5 hash is to brute force it.<br>A brute force attacks goal is to try many words, convert them into MD5, and check if the MD5 hash is corresponding to what we are looking for.<\/p>\n\n\n\n<p>In general, you&#8217;ll start with the shortest password (example: &#8220;a&#8221;), convert it to a MD5 and see if there is a match. If not, you continue with the next possibility. Computers can do this for days until they find a match, it doesn&#8217;t require any human interaction. <\/p>\n\n\n\n<p>The hacker will just check from time to time if there are new results, and continue from there, if he has find something interesting.<\/p>\n\n\n\n<p>If you want to try this on your computer, <a href=\"https:\/\/infosecscout.com\/hashcat-tutorial-decrypt-md5\/\" data-type=\"post\" data-id=\"193\" target=\"_blank\" rel=\"noreferrer noopener\">you can read this article<\/a>, where I give you a tool you can use. You&#8217;ll better understand how powerful these techniques is by seeing it running on your PC.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MD5_databases\"><\/span>MD5 databases<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>An MD5 database use the same principle, but will store each hash in a file. This way, it&#8217;s possible to quickly check matches against a file containing lots of MD5 hashes. <\/p>\n\n\n\n<p>If a hacker is doing this regularly, it could increase the speed by having a database containing the most common passwords, for example.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_are_alternatives_to_MD5\"><\/span>What are alternatives to MD5?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>MD5 is considered broken, but it&#8217;s not the only one, SHA1 has the same problems. Overall, the current recommendation is to use stronger algorithms like SHA-256, but other options are possible like bcrypt.<\/strong><\/p>\n\n\n\n<p>If you are a bit lost to choose a safer solution, I have a few articles that should help you to do just this:<\/p>\n\n\n\n<ul>\n<li><a href=\"https:\/\/infosecscout.com\/md5-vs-sha256\/\" data-type=\"post\" data-id=\"365\">MD5 vs SHA256: Which is Better? (Speed, Safety, \u2026)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/infosecscout.com\/difference-md5-sha1\/\" data-type=\"post\" data-id=\"116\">What\u2019s the difference Between MD5 and SHA1?<\/a><\/li>\n<\/ul>\n\n\n\n<p>Also, I highly recommend using salt to store passwords, whatever your choice for the hashing algorithm, it will highly decrease the chance of your passwords to be cracked. With a good salt, databases attack won&#8217;t be as efficient, and brute-force attacks will take much more time. <\/p>\n\n\n\n<p>Don&#8217;t know <a rel=\"noreferrer noopener\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/\" data-type=\"post\" data-id=\"42\" target=\"_blank\">what is salt in cryptography?<\/a> Read my article here to quickly get the main idea. After that, you just need to find the best way to implement it depending on the technology you use.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many legends are discussed about the MD5 algorithm, but it&#8217;s time to break the myths and talk about real facts. Is the MD5 algorithm still safe to store passwords? That&#8217;s what we&#8217;ll see in this article. The MD5 algorithm is no longer considered safe to store passwords, as it&#8217;s coming more and more easy to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":453,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[15],"tags":[],"taxonomy_info":{"category":[{"value":15,"label":"Hacking"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/is-md5-easy-to-crack-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":1,"category_info":[{"term_id":15,"name":"Hacking","slug":"hacking","term_group":0,"term_taxonomy_id":15,"taxonomy":"category","description":"Ready to level up? Our Hacking Guides have you covered with step-by-step instructions on using tools like Hashcat. It's hacking made simple and fun!","parent":0,"count":15,"filter":"raw","cat_ID":15,"category_count":15,"category_description":"Ready to level up? Our Hacking Guides have you covered with step-by-step instructions on using tools like Hashcat. It's hacking made simple and fun!","cat_name":"Hacking","category_nicename":"hacking","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/449"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=449"}],"version-history":[{"count":4,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/449\/revisions"}],"predecessor-version":[{"id":826,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/449\/revisions\/826"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/453"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}