You're not using MD5 anymore, are you?

Where we keep all the boring tidbits about the PHPDN site, the news, and what not.


patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK


Post by patrikG »

"But, but, but...MD5 is an encryption, right?" Nope, it's not. It's a hashed string. And it can easily be brute-forced, now even more easily than ever.
slashdot wrote: "Sporting over 12 million entries, project GDataOnline is one of the largest non-RainbowTable based MD5 crackers on the internet. The database spans over 7 languages, 35 topics, and contains common mutations to words that include numbers and capitalization. Average crack time for 5 hashes: .04 seconds. No more waiting weeks for your results!"
Source: http://it.slashdot.org/article.pl?sid=05/08/21/1946254

If you still rely on MD5 for any kind of security: don't. SHA1 has been cracked as well, so your best bet is using PHP's crypt() function (and not using its MD5 hashing).
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I thought for hashed strings there's no key - so how can it be reversed?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

They can be brute-forced, which renders the whole process of MD5'ing utterly pointless. Example: go to http://gdataonline.com/seekhash.php and enter "46ebfdc1519946f436cd1081b525d98f" into the input field.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Yours is giving "iceberg". 0cc175b9c0f1b6a831c399e269772661 is giving "a".
But all others I've entered are returning ????.
Is it that there's code running constantly that's cracking them one by one and storing them in the database?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

anjanesh wrote: Yours is giving "iceberg". 0cc175b9c0f1b6a831c399e269772661 is giving "a".
But all others I've entered are returning ????.
Is it that there's code running constantly that's cracking them one by one and storing them in the database?
Yup. See my original post above.
tores
Forum Contributor
Posts: 120
Joined: Fri Jun 18, 2004 3:04 am

Post by tores »

If you choose a random password it takes a lot longer than .04 seconds to break it.
To be able to break every hash computed by MD5 such a database must have 2^128 entries... And that number dwarfs the 12 million in the GDataOnline database.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

How is this possible - there are too many combinations of letters. How can they ultimately have the entire combination of words?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Not they - anyone. That's just an online database containing hashes and the corresponding sequence of characters. See http://en.wikipedia.org/wiki/Dictionary_attack
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I saw the link - "add words".
So it's like they're accepting words to add to their database along with the hash value.

I thought some code was actually figuring out the word from the hash.
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

They still need to get hold of the MD5 string so they can convert it.

So once again, build a secure system and you'll be safe, i.e. don't log in as root on the database :roll:
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

malcolmboston wrote: So once again, build a secure system and you'll be safe, i.e. don't log in as root on the database :roll:
Not quite sure what you mean.

Regarding MD5: a very common pitfall is that most people use very simple passwords. On a shared server (and database), simply MD5-ing a user's password is a security hole. But that's just one of many.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: You're not using MD5 anymore, are you?

Post by Roja »

patrikG wrote: If you still rely on MD5 for any kind of security: don't. SHA1 has been cracked as well, so your best bet is using PHP's crypt() function (and not using its MD5 hashing).
The phrase "Cracked" is really misleading here.

Let's get specific about what has happened.

In the last two years, a series of papers have found formulas and algorithms that reduce the crypto strength of both MD5 and SHA1. What does that mean, for a programmer?

When you choose a hash function, you want two things: One to many representation of data, and minimal collision likelihood. Collisions are a precise way of saying "two inputs have the same output".

Few collisions are what make hashes great for file verification (like CDROM iso images), because it allows you to make an MD5sum of the contents of the CD, and verify that nothing has changed.

What the papers have shown is that there is a higher likelihood of collisions than previously expected.

The understanding up until two years ago was that md5 had a collision likelihood of roughly 2^128. With the recent findings (see http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf ), the likelihood has dropped to roughly 2^43, thousands of times faster. That likelihood does require that the plaintext input is known.

So what it means to a programmer is that there is more of a chance that ISO1 == ISO2, even though they may be different.

That's only a serious issue in a few situations. Obviously, in ISO verification, it's a serious problem - an attacker can now generate an ISO that has trojans on it, but ensure that its md5sum matches the one posted on a website. (That's how you usually verify an ISO; most Linux distributions, for example.)

However - it doesn't mean that md5 is useless, worthless, or insecure. It means that it is *less* secure.

For password hashing, md5 still has some value. While 2^43 is considerably less than 2^128, it's still far better than plaintext. It's quick, it can replace cleartext storage and transmission, and is still verifiable (although collisions may be possible).

The website PatrikG posted stores lists of known input->output pairs, to allow brute-forcing to be far faster. That means that password hashing (on md5) using common passwords can be even less secure, because now it just requires a lookup.

That can be done on *any* hashing function - md5, sha, des, etc.

So what can you do to be secure? PatrikG recommends crypt, which I disagree with. Crypt gives you 4 choices: DES with 2 character salt, DES with 9 character salt, MD5, and Blowfish. Both DES options have less cryptographic strength than md5 - even at the lower collision count reported in the latest papers. We've already discussed why md5 is less than ideal, which leaves blowfish.

Blowfish isn't terrible, and there haven't been substantial new attacks found against it. But its considerably less secure than (for example) SHA-256, which has more combinations possible.

While the SHA family has had some recent findings, none of them substantially reduces the overall complexity below MD5, DES, or Blowfish. SHA-256 is still considerably stronger than all of them.

Since Feyd posted a fantastic SHA256 implementation in PHP here on the forums, and there are existing SHA256 implementations in JavaScript, it's honestly the best option for secure hashing today.

Using MD5 to hash a user's password is not a security hole. Using SHA to hash it isn't either. Neither has been cracked. All of the papers and websites simply show that they are not as secure as we once thought, which is a long way from saying they are useless.

I hope that clears up some of the confusion.
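As an added illustration of the two points made in this thread (patrikG's lookup-database post above and Roja's remark that a precomputed table works against *any* unsalted hash, with crypt()'s Blowfish mode as the alternative), here is a small PHP script. It is not code from any post in the thread; the word list is constructed, and it assumes PHP 7.1 or later for the type declarations and for password_hash()/password_verify(), which drive crypt()'s Blowfish (bcrypt) mode.

```php
<?php
// Added example, not code from the thread: why an unsalted MD5 (or SHA-256)
// of a common password falls to a lookup table, and why a salted, slow hash
// does not. Assumes PHP 7.1+ (nullable return types, password_hash()).

// Constructed stand-in for a cracker's precomputed dictionary. A real table
// holds millions of entries, but the mechanism is identical.
$dictionary = ['password', 'iceberg', 'letmein', 'qwerty', 'a'];

// Build a hash => plaintext table for any unsalted hash algorithm PHP knows.
function buildLookup(array $words, string $algo): array
{
    $table = [];
    foreach ($words as $word) {
        $table[hash($algo, $word)] = $word;
    }
    return $table;
}

// "Cracking" an unsalted hash is then a single array lookup, not a computation.
function lookupCrack(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

$md5Table    = buildLookup($dictionary, 'md5');
$sha256Table = buildLookup($dictionary, 'sha256');

// Unsalted MD5 of a dictionary word: found immediately.
var_dump(lookupCrack($md5Table, md5('iceberg')));

// Switching to unsalted SHA-256 does not change that; the table is simply
// rebuilt for the new algorithm.
var_dump(lookupCrack($sha256Table, hash('sha256', 'iceberg')));

// Defence: a random per-password salt plus a deliberately slow hash. bcrypt
// embeds the salt in its output, so two users with the same password get
// different stored values and no precomputed table can cover them.
$stored = password_hash('iceberg', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(lookupCrack($md5Table, $stored));        // not a table key
var_dump(password_verify('iceberg', $stored));    // correct password accepted
var_dump(password_verify('Iceberg', $stored));    // wrong password rejected
```

Run it twice and compare the two `$stored` values: they differ even though the password is the same, which is exactly what defeats a shared lookup table. The cost parameter is what makes each guess slow for an attacker who does obtain the stored hashes.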
AnarKy
Forum Contributor
Posts: 119
Joined: Tue Nov 02, 2004 1:49 am
Location: South Africa

Post by AnarKy »

patrikG wrote: Regarding MD5: a very common pitfall is that most people use very simple passwords. On a shared server (and database), simply MD5-ing a user's password is a security hole. But that's just one of many.
It is nice to have rules / policies governing password creation.
i.e. Must have:
  • numbers
  • letters
  • lowercase
  • uppercase
  • symbols
  • non-dictionary words
  • not be derived from the username
  • etc.
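An added PHP sketch of the rule list above, written for this page rather than taken from the thread. The exact rules (which characters count as symbols, what "derived from the username" means) and the tiny word list are assumptions for illustration; a real deployment would load a proper dictionary.

```php
<?php
// Added example, not code from the thread: check a candidate password
// against the policy rules listed in the post above. Returns the names of
// the rules that failed; an empty array means the password passes.

// Constructed stand-in for a dictionary of words that must not be used.
$commonWords = ['password', 'iceberg', 'letmein', 'qwerty', 'welcome'];

function checkPasswordPolicy(string $password, string $username, array $dictionary): array
{
    $failures = [];

    if (!preg_match('/[0-9]/', $password))        { $failures[] = 'numbers'; }
    if (!preg_match('/[a-z]/', $password))        { $failures[] = 'lowercase'; }
    if (!preg_match('/[A-Z]/', $password))        { $failures[] = 'uppercase'; }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) { $failures[] = 'symbols'; }

    // "Non-dictionary words": strip digits and symbols, lower-case the rest,
    // and reject if what remains is exactly a listed word (so "iceberg1"
    // is still caught).
    $core = strtolower(preg_replace('/[^A-Za-z]/', '', $password));
    if (in_array($core, $dictionary, true)) {
        $failures[] = 'dictionary word';
    }

    // "Not derived from the username": reject if the username, or the
    // username reversed, appears anywhere in the password, ignoring case.
    $lowerPw   = strtolower($password);
    $lowerUser = strtolower($username);
    if ($lowerUser !== ''
        && (strpos($lowerPw, $lowerUser) !== false
            || strpos($lowerPw, strrev($lowerUser)) !== false)) {
        $failures[] = 'derived from username';
    }

    return $failures;
}

// Constructed sample inputs.
print_r(checkPasswordPolicy('iceberg1', 'anjanesh', $commonWords));
print_r(checkPasswordPolicy('Anjanesh#2005', 'anjanesh', $commonWords));
print_r(checkPasswordPolicy('Tr0ub4dor&3', 'anjanesh', $commonWords));
```

The first call fails the uppercase, symbol and dictionary rules, the second fails only the username rule, and the third passes. Note that such a policy only narrows the dictionary an attacker can precompute; it does not replace salting and a slow hash on the server side.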
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Roja wrote: PatrikG recommends crypt, which I disagree with. Crypt gives you 4 choices: DES with 2 character salt, DES with 9 character salt, MD5, and Blowfish. Both DES options have less cryptographic strength than md5 - even at the lower collision count reported in the latest papers. We've already discussed why md5 is less than ideal, which leaves blowfish.
I should have been more specific. Thanks for clarifying and elaborating on this.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Argh, I never let users choose their password. I usually generate a 6-8 character alphanumeric, case-sensitive string.