Some thoughts on usage of the MD5 Hash for password storage

The Wikipedia entry for MD5 (http://en.wikipedia.org/wiki/MD5) details the vulnerabilities and suggests that several websites now offer online databases to reverse MD5 hashes into text that will generate the same hash.

The examples of MD5 hashes from Wikipedia generate the following collision passwords when entered into http://www.bisix.tk/

MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
Bisix database password: "The quick brown fox"

MD5("The quick brown fox jumps over the lazy cog") = 1055d3e698d289f2af8663725127bd4b
Bisix database password: "The quick brown fox"

I'm not exactly sure how these two identical recovered passwords are supposed to generate two separate collisions; however, I am sure some password matches will be correct.

Another example MD5 hash I found was on the following site: http://www.obviex.com/samples/hash.aspx


It took the format of "SC4LSYSAkKILp2rPW1ZVpOP1WK7g". This was no problem for Bisix, which simply suggested the correct one it needed was "65ded5353c5ee48d0b7d48c591b8f430" and returned a password of: "132"

It is reasonably well documented that MD5 is insecure, and one of the SHA hashing functions is now preferred for added security. However, in many low security environments (i.e. to stop casual viewing or stealing of passwords) MD5 will still suffice. For example, it still protects a user's actual password: even if a working password is discovered and compromised on one website, the working collision password won't automatically work on *all* sites, assuming the original password is hashed with a salt value unique to that website.

Consider the following:

User: SamePasswordEveryWhere
Password: password
MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99
(correctly recovered by Bisix as "password")

Website 1:
Salt Value: creation date/time (perhaps date + password + time)
Password: 20050528password16:39
MD5 hash: 238f0191ad7a0edb940f334c7575c539
(not recovered by Bisix - even using Rainbow Table lookup)

Website 2:
Salt Value: customer number
Password: 25468password
MD5 hash: 2500de8bb45ce345a0a30d60efa42b5a
(not recovered by Bisix - even using Rainbow Table lookup)

Hopefully this will demonstrate that even if a collision password had been found, it is unlikely to be the user's actual password. For example, if the website 1 collision password was "catdogmouse1" then the website 2 collision password may be "threealphatango32", so those passwords would allow access to the respective sites while the real password for the user is still unknown. Note though, if a cracker reverses the exact salted password it would likely be obvious that the password is "password" + salt value.
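The worked example above as a short Python script (an added illustration, not code from the original article). The four-entry password list is constructed for this example and stands in for a lookup database such as Bisix; the function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# Constructed stand-in for an online reverse-lookup database:
# precomputed MD5 hashes of a few common unsalted passwords.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {md5_hex(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hash: str):
    """Return the plaintext if the hash is in the precomputed table, else None."""
    return PRECOMPUTED.get(stored_hash)

def site1_hash(password: str, date: str, time: str) -> str:
    """Website 1 scheme from the text: date + password + time."""
    return md5_hex(date + password + time)

def site2_hash(password: str, customer_number: str) -> str:
    """Website 2 scheme from the text: customer number + password."""
    return md5_hex(customer_number + password)

def site2_verify(candidate: str, customer_number: str, stored_hash: str) -> bool:
    """Login check: re-salt the candidate and compare in constant time."""
    return hmac.compare_digest(site2_hash(candidate, customer_number), stored_hash)

def audit_site2(customer_number: str, stored_hash: str):
    """Password audit: with the salt known, a common password is still found
    by re-hashing each guess, so the salt only blocks precomputed lookups."""
    for guess in COMMON_PASSWORDS:
        if site2_verify(guess, customer_number, stored_hash):
            return guess
    return None

if __name__ == "__main__":
    unsalted = md5_hex("password")
    s1 = site1_hash("password", "20050528", "16:39")
    s2 = site2_hash("password", "25468")
    for label, h in [("unsalted", unsalted), ("website 1", s1), ("website 2", s2)]:
        print(f"{label:10} {h}  table lookup -> {table_lookup(h)}")
    print("website 2 audit with known salt ->", audit_site2("25468", s2))
```

The precomputed table only matches the unsalted hash, while the audit function shows that a common password behind a known salt is still found by direct guessing.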

Bottom line: salting hashes still increases security against cracking. It may be best practice to use non-alphanumeric characters. For example the website http://passcracking.com/ states that they were able to break various passwords:

This project is dedicated to crack md5 hashes online through web interface. At the moment we can crack md5 hashes in this character range: a-z;0-9 [8] which means we can break almost all hashes (99.56%) which are created from lowercase plaintext with letters and/or digits up to length of 8 characters. ... NOTE: This project won't be able to break salted md5 hashes which are used in *nix systems in /etc/shadow files. They won't appear in the list. Only "clean" md5 hashes. Read more about technology behind this project in homepage of RainbowCrack!

Finally, if you want to know more technical details then you can read How to Break MD5 and Other Hash Functions by Xiaoyun Wang and Hongbo Yu.