Some stuff at work today reminded me that I needed to write a post on hashes - and MD5 in particular. Apologies in advance for the shortness of this - I'm feeling a little under the weather.

A lot of people have been going on about MD5 hashes and how they can be cracked very easily. The truth is somewhat less black and white than that. Collisions make cracking MD5 easier - this is because (in its simplest form) more than one input can create the same hash. With clever manipulation you can use these clashes to find an input that will work (say as a password).

Statistically it is possible to crack an MD5 hash in a couple of hours using some clever maths, figured out by researchers in 1997. That said, actually performing the attack is complex and time-consuming to set up; Cain and Abel (the commonest cracking tool about) does not implement the method. I have to admit I am not sure why - having not looked into it in too much depth - but there must be a reason.

Besides, ultimately MD5 hashes can be as crackable as any hash: if you have a dictionary word hashed up to MD5 I can crack it in under 2 minutes. A misspelt word? Probably 10 minutes. The same applies for appended numbers (that's a common trick), reversed words, 2 words together etc. (most crackers will leave brute force attacks as a last resort).

The reason is that a dictionary is actually a small number of words to check (there are more 4 character alphanumeric combinations than there are words in the English language). An intelligent attack can crack most passwords within a surprisingly short amount of time.

A new form of attack, based on collisions, is rainbow tables. These compile chains of hashes (I'll make another post about them, don't worry) which allow you to later compare a hash to the end of the chain and work back to a colliding word. These cut down cracking times A LOT. The trade-off is that the tables take a long, long time to create - as yet there are no tables I know of for passwords over 9 characters.

As you can see, MD5 IS less secure than other hashes - but the major part of that security is in the user and the developer. Here are a few tips to get you by!

Tips for Devs

- Use SHA - it can be attacked in the same way but with less success
- ALWAYS use a salt. A salt makes rainbow tables and dictionary attacks fairly useless
- Guard your salt with your life! If it gets out then cracking becomes easy again
- Always encourage your users to enter passwords with a symbol in (or mixture of cases, numbers etc.). This makes it more complex to attack
- Append and prepend your salt to make sure the password goes over 10 characters (which makes brute force attacks much harder and negates rainbow table attacks entirely.. for the moment)
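The salt tips above, as an added example that is not code from the original post: a precomputed dictionary lookup recovers an unsalted hash whether it is MD5 or SHA-256, and the same table misses once a random salt is prepended and appended. The word list, sample password and function names are constructed for illustration, and SHA-256 is assumed as the "SHA" of the first tip.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for an attacker's dictionary.
WORDLIST = ["password", "dragon", "monkey", "letmein"]

def digest(data, algo="md5"):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()

def candidates(words):
    """Each word plus variants the post mentions: reversed, appended numbers."""
    for w in words:
        yield w
        yield w[::-1]
        for n in range(100):
            yield f"{w}{n}"

def build_lookup(words, algo="md5"):
    """Precompute digest -> plaintext once; it works on any unsalted hash."""
    return {digest(c.encode(), algo): c for c in candidates(words)}

def hash_salted(password, salt=None):
    """Random per-password salt, prepended and appended as in the tip.
    Assumption: SHA-256 stands in for the post's 'SHA'."""
    if salt is None:
        salt = os.urandom(16)
    return salt, digest(salt + password.encode() + salt, "sha256")

def verify_salted(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], stored)

if __name__ == "__main__":
    md5_table = build_lookup(WORDLIST, "md5")
    sha_table = build_lookup(WORDLIST, "sha256")
    pw = "dragon42"  # constructed sample password
    print("unsalted MD5 found:", md5_table.get(digest(pw.encode(), "md5")))
    print("unsalted SHA-256 found:", sha_table.get(digest(pw.encode(), "sha256")))
    salt, stored = hash_salted(pw)
    print("salted SHA-256 found:", sha_table.get(stored))
    print("verifies with salt:", verify_salted(pw, salt, stored))
```

A deliberately slow function such as `hashlib.pbkdf2_hmac` additionally raises the cost of every guess when the salt is known.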

Tips for Users

- Never use just a word, or just numbers
- Use 2 words separated by a number or symbol - and replace letters with symbols (like a=>@). That said, I have written a program to do intelligent replacement like that - so replace other letters.
- Use a random combination if you can remember it
- A sentence is good: but be careful. I have a program that checks common sayings, poems, songs, books etc.
- Make sure it goes at least over 8 characters if not more

Follow these simple tips and your passwords are safe and secure! Worry and paranoia over passwords is often unfounded and, ultimately, more damaging: mindfulness and a bit of thought is all you need.

Enjoy!