
MD5 creator: "[MD5] no longer considered safe”

Posted: Thu Jun 07, 2012 11:31 am
by twinedev
While it has been preached here for a while that MD5 is not a good choice to use for password hashing, it was definitely confirmed:

http://phk.freebsd.dk/sagas/md5crypt_eol.html
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.
More info: http://www.zdnet.com/blog/security/md5- ... safe/12317 including:
The primary cause [of the decrypting of some of the 6.4 million passwords leaked] is LinkedIn’s failure to properly ‘salt’ the hashed passwords using SHA-1 algorithm.
Saw an article this morning that eHarmony was also compromised, however didn't catch if they are also being easily decrypted.

-Greg

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Thu Jun 07, 2012 11:45 am
by Celauran
This simply cannot be mentioned often enough. Thanks for posting this.

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Thu Jun 07, 2012 2:49 pm
by twinedev
Add another one to the list.... last.fm
http://www.theverge.com/2012/6/7/307063 ... sword-leak

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Thu Jun 07, 2012 2:52 pm
by twinedev
I declare it "(Inter)National Change Your Password Day" LOL

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Thu Jun 07, 2012 9:05 pm
by requinix
As others have mentioned elsewhere, the whole "scrambler" thing bothers me.

Meanwhile SHA-1 is getting towards the end of its lifetime too. Current recommendations are at least SHA-256.

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Thu Jun 14, 2012 9:30 am
by greyhoundcode
requinix wrote: Current recommendations are at least SHA-256.
Or indeed to move away from such rapidly executing hash functions altogether.

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Sat Jun 16, 2012 7:10 am
by twinedev
greyhoundcode wrote: Or indeed to move away from such rapidly executing hash functions altogether.
So then what do you suggest?

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Sat Jun 16, 2012 10:36 am
by Celauran
bcrypt with a high work factor.
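
The suggestion above, sketched in PHP as an added example that is not part of the original thread: salted bcrypt with an explicit work factor, plus upgrading legacy MD5 hashes at login. It assumes PHP 7.1 or later and that the old scheme stored a bare `md5($password)`; the function names and the sample row are hypothetical.

```php
<?php
// Added example; function names and the sample row are hypothetical.
const BCRYPT_OPTIONS = ['cost' => 12]; // work factor: each +1 doubles hashing time

function hash_password(string $password): string
{
    // Generates a random salt per call and embeds salt and cost in the
    // result. Note: bcrypt only uses the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

function is_legacy_md5(string $stored): bool
{
    // Assumption: the old scheme stored md5($password) as 32 lowercase hex chars.
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Returns [loginOk, replacementHashOrNull]. The caller saves the replacement.
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        return [true, hash_password($password)]; // upgrade on first good login
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash if the stored hash used a lower cost than the current setting.
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    return [true, $stale ? hash_password($password) : null];
}

// Constructed sample data: one account still on the legacy scheme.
$row = ['user' => 'alice', 'hash' => md5('correct horse battery')];

[$ok, $newHash] = verify_and_upgrade('correct horse battery', $row['hash']);
if ($ok && $newHash !== null) {
    $row['hash'] = $newHash; // in a real application: UPDATE the users table
}
echo "stored: {$row['hash']}\n";

// Second login runs against the bcrypt hash; a wrong password is rejected.
var_dump(verify_and_upgrade('correct horse battery', $row['hash']));
var_dump(verify_and_upgrade('wrong', $row['hash'])[0]);

// Same password hashed twice: compare the results to see the per-hash salt.
var_dump(hash_password('x') !== hash_password('x'));
```

Accounts that never log in again keep their MD5 hash under this scheme, so a migration plan also needs a cutoff after which remaining legacy hashes are invalidated and those users go through a password reset.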

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Sat Jun 16, 2012 1:35 pm
by Live24x7
Time to get back and closely read:

LOGIN & REGISTRATION Script Tutorial at viewtopic.php?f=28&t=135287

Re: MD5 creator: "[MD5] no longer considered safe”

Posted: Fri Jul 13, 2012 12:40 am
by requinix
carrington01 wrote: I thought MD5 secured and safe. Is it true that it is considered no longer safe??
Yes. And stop spamming.