Author pronounces MD5 crypt dead

Powered by SC Magazine

Big sites should design their own algorithms.

A more resilient spin off of the MD5 algorithm has been deemed unsafe by its developer.

Poul-Henning Kamp designed the then resource-intensive MD5 crypt algorithm which would provide better cryptographic protection than MD5 and slow down dictionary attacks.

The scheme would produce a password hash by mixing together the user’s passphrase and salt to produce an MD5 digest. The three were melded together to produce a second digest which was after a (fixed) thousand function iterations rehashed with the passphrase and salt in a highly variable manner.

The MD5 algorithm was developed three years earlier in 1992 by cryptographer Ronald Rivest – and declared dead by some commentators from around 2005.

“The MD5 crypt password scrambler was … back then a sufficiently strong protection for passwords,” Kamp said.

“New research has shown that it can be run at a rate close to a million checks per second on [consumer] hardware which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995.

“As the author of MD5 crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.”

Kamp said he would not design a new password scrambler but offered some technical advise to those who would attempt it.

He lashed out at LinkedIn for using poorly-implemented cryptography, a fact that was this week laid bare when millions of passwords were exposed online.

Kamp quizzed Twitter followers asking “LinkedIn used unsalted passwords? Really? Do they also use punch cards?” 

The social networking site was thought to have used SHA-1 encryption.

Kamp said that “all major internet sites with more than 50.000 passwords should design or configure a unique algorithm (consisting of standard one-way hash functions like SHA-2) in order to make development of highly optimised password brute-force technologies a ‘per-site’ exercise for attackers.”

Copyright © SC Magazine, Australia

Author pronounces MD5 crypt dead
Top Stories
Windows 10 lands in Australia
Campaign to get business to upgrade kicks off.
NSW to build its own myGov
Service NSW digital profiles available by September.
Android bug leaves a billion phones open to attack
Hackers only need phone number to target devices.
Sign up to receive iTnews email bulletins
Latest Comments
Should law enforcement be able to buy and use exploits?

   |   View results
Only in special circumstances
Yes, but with more transparency