Why do people still use/recommend MD5 if it has been proven weak since 1996?

  • It's still a commonly recommended way of hashing passwords, even if its insecurity had been proven in 1996:

    Therefore we suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a collision-resistant hash function is required. According to our present knowledge, the best recommendations for alternatives to MD5 are SHA-1 and RIPEMD-160.

    (The Status of MD5 After a Recent Attack, CryptoBytes, RSA Laboratories, VOLUME 2, NUMBER 2 — SUMMER 1996)

    Even after this study, and all upcoming papers about its defects, it has been recommended as a password hashing function in web applications, ever since.

    It is even used in some Certification Authorities digital signature (according to rhmrisk link below )

    What is the reason why this message digest algorithm has not been prohibited for security purposes?


    Links:

    This question feels awfully close to being a rant, from my perspective. Can you re-phrase it into a factual question? Please make sure to document all your premises/assumptions.

    @Ramhound If you google eg. starter guide to securing PHP web application, 80-95% will use MD5 without giving out notice that this way is insecure.

    @MarekSebera - I don't use random sources in order to learn how to write good `secure` code. I use sources I known to use good programming concepts. I did a search for `starter guide to securing PHP web applications` the first article didn't suggest MD5.

    @Ramhound The cited text says nothing about passwords. There is no known vulnerability in MD5 that would prevent it from being used **for password hashing**.

    In the 9 years since you posted those links, most of them have aged out or they no longer apply (they do not mention using MD5).

    @schroeder sorry, overlooked, thank you for removing links that no longer work

  • To complement the good answer from @D.W.: for password hashing, MD5 is no more broken than any other hash function (but don't use it nonetheless).


    The full picture: MD5 is a cryptographic hash function which, as such, is expected to fulfill three characteristics:

    • Resistance to preimages: given x, it is infeasible to find m such that MD5(m) = x.
    • Resistance to second-preimages: given m, it is infeasible to find m' distinct from m and such that MD5(m) = MD5(m').
    • Resistance to collisions: it is infeasible to find m and m', distinct from each other, and such that MD5(m) = MD5(m').

    MD5 is thoroughly broken with regards to collisions, but not for preimages or second-preimages. Moreover, the 1996 attack (by Dobbertin) did not break MD5 at all; it was a "collision on the compression function", i.e. an attack on one of the internal elements of MD5, but not the full function. Cryptographers took it as a warning flag, and they were right because the actual collision attack which was published in 2004 (by Wang) was built from the findings of Dobbertin. But MD5 was broken only in 2004, not 1996, and it was a collision attack.

    Collisions are not relevant to password hashing security. Most usages of a hash function for password hashing depend on either preimage resistance, or on other properties (e.g. how well the hash function work when used within HMAC, something which cannot be reduced to any of the properties above). MD5 has actually been "weakened" with regards to preimages, but only in a theoretical way, because the attack cost is still billions of billions of times too expensive to be really tried (so MD5 is not "really" broken with regards to preimages, not in a practical way).

    But don't use MD5 anyway. Not because of any cryptographic weakness, but because MD5 is unsalted and very fast. That's exactly what you do not want in a password hashing function. People who "recommend MD5" for password hashing just don't know any better, and they are a testament to a Truth which you should always keep in mind: not everything you find on the Internet is correct and trustworthy. Better solutions for password hashing are known, and have been used and deployed for more than a decade now. See this answer for details and pointers.

    Using MD5 by itself for hashing passwords is not a good idea, because it requires users to chose very strong passwords in order to be secure. However a standard construction for computing a salted password hash using MD5 does exist, and to the best of my knowledge, that is not broken yet.

    Your correct statement about MD5 being too fast and unsalted aside (because that also goes for the SHA family) I would _still_ stay away from MD5 for a non-technical reason: Public Relations. It's a drag to have to convince your boss or client of what you explain. And tons of technical guys (whose opinions are valued by the same people you are trying to convince) are also deluded. After all, there is plenty of 'proof' on the internet that support their conviction that MD5 should not be used _because_ it was broken in 2004.

    @e-sushi Well, that's what I meant by "weakened in a theoretical way".

    @ThomasPornin In that case, simply ignore my comment and think of it as a confirming addition to underline your statements. ;)

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM