{"id":53,"date":"2019-02-11T06:51:26","date_gmt":"2019-02-11T05:51:26","guid":{"rendered":"https:\/\/infosecscout.com\/?p=53"},"modified":"2023-11-22T13:02:28","modified_gmt":"2023-11-22T12:02:28","slug":"why-md5-is-not-safe","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/why-md5-is-not-safe\/","title":{"rendered":"3 Reasons why MD5 is not Secure"},"content":{"rendered":"\n<p>You probably already read that information, and you know that\u00a0MD5 is not the\u00a0most secure hashing function<br>But do you know why? Do you know safer alternatives?<br>This is what I&#8217;ll explain you today.<\/p>\n\n\n\n<p>Why is MD5 not secure?<br><strong>MD5 is a cryptographic algorithm, often used to store passwords in a database<\/strong><br><strong>But this algorithm is no longer safe<\/strong><br><strong>Brute force attacks are faster than ever, dictionary tables are big and there are other potential problems with the MD5 algorithm<\/strong><\/p>\n\n\n\n<p>I&#8217;ll explain all of this in this article.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_64 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#What_is_MD5\" title=\"What is MD5?\">What is MD5?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#Why_is_MD5_not_secure\" title=\"Why is MD5 not secure?\">Why is MD5 not secure?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#1_%E2%80%93_Brute_force_attacks_on_MD5_hashes_are_fast\" title=\"1 &#8211; Brute force attacks on MD5 hashes are fast\">1 &#8211; Brute force attacks on MD5 hashes are fast<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#2_%E2%80%93_MD5_dictionary_tables_are_big\" title=\"2 &#8211; MD5 dictionary\u00a0tables are big\">2 &#8211; MD5 dictionary\u00a0tables are big<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#3_%E2%80%93_MD5_has_collisions\" title=\"3 &#8211; MD5 has collisions\">3 &#8211; MD5 has collisions<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#What_are_the_solutions\" title=\"What are the solutions?\">What are the solutions?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#Use_salt\" title=\"Use salt\">Use salt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#Long_passwords\" title=\"Long passwords\">Long passwords<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#Other_hash_functions\" title=\"Other hash functions\">Other hash functions<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/#Conclusion\" title=\"Conclusion\">Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_MD5\"><\/span>What is MD5?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>MD5 is a cryptographic algorithm, often used to store passwords in a database.<br>In the early days of the Internet, websites mostly kept clear text passwords in their databases.<br>It wasn&#8217;t a good solution, so developers used\u00a0MD5 to obfuscate the password in the database.<\/strong><\/p>\n\n\n\n<p>MD5 is an algorithm that produce a 32 characters hexadecimal string from any password, phrase or text.<br>For example, if your password is &#8216;qwerty&#8217; (bad idea), in the database you&#8217;ll have\u00a0d8578edf8458ce06fbc5bb76a58c5ca4.<\/p>\n\n\n\n<p>That way, IT staff can&#8217;t see your password, and if someone stole the database, they don&#8217;t get all the passwords directly.<br>Today,\u00a0it&#8217;s still not immediate to decrypt passwords, but not so far.<br>I&#8217;ll explain why in the next parts, and why you must find another way to store passwords.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_is_MD5_not_secure\"><\/span>Why is MD5 not secure?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_%E2%80%93_Brute_force_attacks_on_MD5_hashes_are_fast\"><\/span>1 &#8211; Brute force attacks on MD5 hashes are fast<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>A brute force attack is a way to find a password by trying many possibilities.<br><\/strong>Either by guessing what the user could have used (birthdate, the child&#8217;s names, pet names, &#8230;), or by trying everything (from a,b,c to 10 characters passwords with special characters).<\/p>\n\n\n\n<p>The MD5 algorithm is fast to use.<br>So in a few seconds you can try many combinations.<\/p>\n\n\n\n<p>20 years ago, it could take years to find a password for the world&#8217;s most powerful computers<br>Today, everyone has a super-computer at home, with improvements in the processor and graphics processor,\u00a0 we can decrypt &#8220;secure&#8221; passwords in a few days maximum.<br><strong>The best computers can try billions of passwords every second<\/strong> (source: <a rel=\"noopener noreferrer\" href=\"https:\/\/www.zdnet.com\/article\/25-gpus-devour-password-hashes-at-up-to-348-billion-per-second\/\" target=\"_blank\">ZDNet<\/a>).<\/p>\n\n\n\n<p>The only resistance to the brute force attacks are probably the password length.<br>If you have a 40 characters long random password, with special characters, you&#8217;re probably safe for the moment<br>But for how much longer?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_%E2%80%93_MD5_dictionary_tables_are_big\"><\/span>2 &#8211; MD5 dictionary\u00a0tables are big<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>On MD5Online we like the dictionary tables.<br>By storing over 1,150 billion passwords in our database, <a rel=\"noopener noreferrer\" href=\"https:\/\/www.md5online.org\/md5-decrypt.html\" target=\"_blank\">we can give you an answer in a few seconds<\/a> for any hash<\/strong>.<\/p>\n\n\n\n<p>That&#8217;s the second problem with the MD5 algorithm.<br>It is so widely used that huge databases like this have been created over the years.<br>If your password is inside (and there is a good chance\u00a0if you have a &#8220;short&#8221; password), your accounts are not safe at all.<\/p>\n\n\n\n<p>As for the brute force method, the only way to be safe is to use a long random password with special characters.<br>There are too many possibilities\u00a0to have it in this kind of database.<br>Database like this are taking a lot of disk space. Even if it&#8217;s cheaper and cheaper over the years, it&#8217;s still an obstacle.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_%E2%80%93_MD5_has_collisions\"><\/span>3 &#8211; MD5 has collisions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>The MD5 algorithm has also proven issues within its cryptographic method.<br>A collision is when two words have the same hash generated.<br>Safe algorithms have a good collision resistance.<\/strong><\/p>\n\n\n\n<p>That&#8217;s to say that\u00a0you have low chances to get the same hash for different words.<br>But MD5 has a low collision resistance.<\/p>\n\n\n\n<p>So if you know that\u00a0&#8220;abc&#8221; and &#8220;def&#8221; have the same generated hash (just an example).<br>You can say that\u00a0&#8220;123abc&#8221; and &#8220;123def&#8221; have also the same hash generated.<br>And this is a bad property for a cryptographic hash functions as you can guess a lot of derived words.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_are_the_solutions\"><\/span>What are the solutions?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Now that\u00a0you know why MD5 is not safe, what can you do to improve your database security.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Use_salt\"><\/span>Use salt<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>The first thing you can try is to use salt while encrypting passwords.<br><\/strong>I already wrote an article about this: <a rel=\"noopener noreferrer\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/\" target=\"_blank\">What is an MD5 salt and how to use it?<\/a><br>Check it if you want to learn more about this.<\/p>\n\n\n\n<p><strong>Basically, a salt is a word you&#8217;ll add before and\/or after each password.<br><\/strong>If your salt is &#8220;randomsaltformypassword&#8221; and the user\u00a0choose &#8220;qwerty&#8221; as a password, you&#8217;ll use &#8220;randomsaltformypasswordqwerty&#8221;\u00a0as the MD5 function parameter.<\/p>\n\n\n\n<p>That way you are encrypting a much longer password in your database, and it will be harder for a hacker to find the corresponding password.<br>Make sure to choose a long salt to improve security enough.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Long_passwords\"><\/span>Long passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/passwords.jpg\" alt=\"\" class=\"wp-image-298\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/passwords.jpg 800w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/passwords-300x169.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/passwords-768x432.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p><strong>Another solution is to force users to use a longer password (maybe 15 characters or more).<br><\/strong>You can also add passwords complexity to make sure they are using uppercase, lowercase and special characters.<\/p>\n\n\n\n<p>But be careful, people will often use weak passwords, even if you implement all of this.<br>&#8220;ILoveMyCompany!&#8221; is a 15 character password with a special character, but it&#8217;s easy to guess.<br>Or even worse, they will note the password on a post-it note near the computer:)<\/p>\n\n\n\n<p>Here is a great tool you can use to <a rel=\"noreferrer noopener\" href=\"https:\/\/webinpact.com\/password-generator\/\" target=\"_blank\">generate easy-to-remember long passwords<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Other_hash_functions\"><\/span>Other hash functions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Probably the best solution is to use another cryptographic algorithm.<br><\/strong>This is not the easiest because you probably have to change your database structure, but it could be the safest.<\/p>\n\n\n\n<p>I&#8217;ll not give you too many examples as if you are reading these lines in ten years it could have changed.<br>But today, the password_hash() function in PHP seems a good idea (<a rel=\"noopener noreferrer\" href=\"http:\/\/php.net\/manual\/en\/function.password-hash.php\" target=\"_blank\">check the documentation<\/a>).<br>Or maybe bcrypt or scrypt with a salt and enough iterations are also a good solution.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>That&#8217;s it, you now know why the MD5 algorithm is no longer safe to use for password encryption<br>And I also give you other alternatives to improve your database security.<\/p>\n\n\n\n<p>Try to keep up to date with the latest security news, there are new breaches every day, and this article can quickly become obsolete.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You probably already read that information, and you know that\u00a0MD5 is not the\u00a0most secure hashing functionBut do you know why? Do you know safer alternatives?This is what I&#8217;ll explain you today. Why is MD5 not secure?MD5 is a cryptographic algorithm, often used to store passwords in a databaseBut this algorithm is no longer safeBrute force&#8230;<\/p>\n","protected":false},"author":1,"featured_media":77,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[14],"tags":[],"taxonomy_info":{"category":[{"value":14,"label":"Security"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2019\/02\/Vignette-MD5-1.png",292,133,false],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":0,"category_info":[{"term_id":14,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":14,"taxonomy":"category","description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","parent":0,"count":21,"filter":"raw","cat_ID":14,"category_count":21,"category_description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","cat_name":"Security","category_nicename":"security","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/53"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=53"}],"version-history":[{"count":8,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":301,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/53\/revisions\/301"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/77"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}