Author pronounces MD5 crypt dead

Powered by SC Magazine

Big sites should design their own algorithms.

A more resilient spin-off of the MD5 algorithm has been deemed unsafe by its developer.

Poul-Henning Kamp designed the then resource-intensive MD5 crypt algorithm, which was intended to provide better cryptographic protection than MD5 and to slow down dictionary attacks.

The scheme produces a password hash by first mixing the user’s passphrase and salt into an MD5 digest. The passphrase, salt and digest are then combined to produce a second digest, which is rehashed with the passphrase and salt in a highly variable manner over a fixed thousand iterations.

The MD5 algorithm was developed three years earlier in 1992 by cryptographer Ronald Rivest – and declared dead by some commentators from around 2005.

“The MD5 crypt password scrambler was … back then a sufficiently strong protection for passwords,” Kamp said.

“New research has shown that it can be run at a rate close to a million checks per second on [consumer] hardware which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995.

“As the author of MD5 crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.”
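The scheme described above and the migration Kamp asks for, as an added example that is not code from the article or from Kamp: `md5crypt` follows the published `$1$` algorithm with its fixed 1000 rounds, and `login_and_upgrade` re-hashes a password with scrypt the first time a legacy hash verifies. The function names, the scrypt cost parameters and the `$scrypt$...` storage format are assumptions made for illustration.

```python
import hashlib, hmac, os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes) -> str:
    """MD5 crypt ($1$): the work factor is a fixed 1000 MD5 rounds, not tunable."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()   # first digest
    ctx = hashlib.md5(password + b"$1$" + salt)               # second digest
    for left in range(len(password), 0, -16):
        ctx.update(alt[:min(16, left)])
    n = len(password)
    while n:                       # one NUL or first password byte per length bit
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    digest = ctx.digest()
    for i in range(1000):          # the "highly variable" rehash with passphrase and salt
        h = hashlib.md5(password if i & 1 else digest)
        if i % 3: h.update(salt)
        if i % 7: h.update(password)
        h.update(digest if i & 1 else password)
        digest = h.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = digest[a] << 16 | digest[b] << 8 | digest[c]
        out += "".join(ITOA64[(v >> s) & 63] for s in (0, 6, 12, 18))
    out += ITOA64[digest[11] & 63] + ITOA64[digest[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def scrypt_record(password: bytes) -> str:
    # Assumed parameters (N=2**14, r=8, p=1) and a hypothetical storage format.
    salt = os.urandom(16)
    dk = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"$scrypt$14$8$1${salt.hex()}${dk.hex()}"

def login_and_upgrade(password: bytes, stored: str):
    """Return (ok, record_to_store); a valid $1$ login is re-hashed with scrypt."""
    if stored.startswith("$1$"):
        salt = stored.split("$")[2].encode()
        ok = hmac.compare_digest(md5crypt(password, salt), stored)
        return ok, (scrypt_record(password) if ok else stored)
    _, _, ln, r, p, salt, dk = stored.split("$")
    got = hashlib.scrypt(password, salt=bytes.fromhex(salt),
                         n=2**int(ln), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(got.hex(), dk), stored
```

Because the upgrade only happens at login, accounts that never sign in keep their `$1$` hash until they are forced through a reset.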

Kamp said he would not design a new password scrambler but offered some technical advice to those who would attempt it.

He lashed out at LinkedIn for using poorly implemented cryptography, a fact that was this week laid bare when millions of passwords were exposed online.

Kamp quizzed Twitter followers, asking: “LinkedIn used unsalted passwords? Really? Do they also use punch cards?”

The social networking site was thought to have used SHA-1 hashing.

Kamp said that “all major internet sites with more than 50.000 passwords should design or configure a unique algorithm (consisting of standard one-way hash functions like SHA-2) in order to make development of highly optimised password brute-force technologies a ‘per-site’ exercise for attackers.”

Copyright © SC Magazine, Australia
