MD5 Passwords: Are They Safe?

TL;DR

No, using MD5-encrypted passwords is not a good practice anymore. It’s very old and easily cracked. You should use stronger hashing algorithms like bcrypt or Argon2.

Why MD5 Isn’t Good Enough

MD5 was once common for storing passwords, but it has significant weaknesses that make it vulnerable to attacks. Here’s why:

• Collisions: It’s relatively easy to find two different passwords that produce the same MD5 hash. This means an attacker can create fake accounts with passwords they control and have them share the same hash as legitimate users.
• Rainbow Tables & Pre-computed Hashes: Attackers have created massive databases (rainbow tables) of pre-calculated MD5 hashes for common passwords. They can quickly look up your password if it’s in these tables.
• Speed of Cracking: Modern computing power allows attackers to crack MD5 hashes very quickly, even without rainbow tables.

What Should You Use Instead?

Here are much better options for password storage:

1. bcrypt

bcrypt is a widely-used and strong hashing algorithm specifically designed for passwords. It includes a ‘work factor’ which makes it slower to crack, even with powerful hardware.

• How it works: bcrypt adds salt (random data) to each password before hashing, making rainbow table attacks much harder.
• Example (Python):import bcrypt
password = b"mysecretpassword"
salt = bcrypt.gensalt()
hashed_password = bcrypt.hashpw(password, salt)
print(hashed_password)


2. Argon2

Argon2 is a newer hashing algorithm that’s considered even more secure than bcrypt. It’s resistant to GPU and ASIC attacks.

• Key Features: Argon2 offers different variants (Argon2d, Argon2i, Argon2id) optimised for various attack scenarios.
• Example (Python – requires the ‘argon2-cffi’ library):from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash("mysecretpassword")
print(hash)


3. scrypt

scrypt is another strong password hashing algorithm, though less commonly used than bcrypt and Argon2.

What if a Website Still Uses MD5?

1. Change your password immediately: If possible, choose a long, complex password.
2. Use a different website/service: If the site won’t update its security practices, consider finding an alternative that uses modern hashing algorithms.
3. Password Manager: Use a reputable password manager to generate and store strong, unique passwords for each site.

Checking if a Password is Stored as MD5 (Example)

You can sometimes identify if a website uses MD5 by testing a known password against its hash. Warning: Do not use this on live websites without permission! This is for educational purposes only.

# Example using John the Ripper (Linux)
echo "password" | md5sum
# Compare the output to the stored MD5 hash.

If you see a typical 32-character hexadecimal string, it’s likely an MD5 hash.

In Summary

MD5 is outdated and insecure. Prioritise websites that use bcrypt or Argon2 for password storage. Protect yourself by using strong, unique passwords and considering a password manager.