Author pronounces MD5 crypt dead

Powered by SC Magazine

Big sites should design their own algorithms.

A more resilient spin off of the MD5 algorithm has been deemed unsafe by its developer.

Poul-Henning Kamp designed the then resource-intensive MD5 crypt algorithm which would provide better cryptographic protection than MD5 and slow down dictionary attacks.

The scheme would produce a password hash by mixing together the user’s passphrase and salt to produce an MD5 digest. The three were melded together to produce a second digest which was after a (fixed) thousand function iterations rehashed with the passphrase and salt in a highly variable manner.

The MD5 algorithm was developed three years earlier in 1992 by cryptographer Ronald Rivest – and declared dead by some commentators from around 2005.

“The MD5 crypt password scrambler was … back then a sufficiently strong protection for passwords,” Kamp said.

“New research has shown that it can be run at a rate close to a million checks per second on [consumer] hardware which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995.

“As the author of MD5 crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.”

Kamp said he would not design a new password scrambler but offered some technical advise to those who would attempt it.

He lashed out at LinkedIn for using poorly-implemented cryptography, a fact that was this week laid bare when millions of passwords were exposed online.

Kamp quizzed Twitter followers asking “LinkedIn used unsalted passwords? Really? Do they also use punch cards?” 

The social networking site was thought to have used SHA-1 encryption.

Kamp said that “all major internet sites with more than 50.000 passwords should design or configure a unique algorithm (consisting of standard one-way hash functions like SHA-2) in order to make development of highly optimised password brute-force technologies a ‘per-site’ exercise for attackers.”

Copyright © SC Magazine, Australia

Author pronounces MD5 crypt dead
Top Stories
Australia passes data retention into law
Mammoth last-ditch effort by Greens, indies knocked back.
ATO to kill off e-Tax
Veteran software to be replaced by more modern myTax.
CSC embroiled in CBA IT bribery scandal
ServiceMesh named in alleged dodgy dealing.
Sign up to receive iTnews email bulletins
Latest Comments
Do you support the Government's data retention scheme?

   |   View results