MD5crypt Password Scrambler Not Safe, Says Creator

Get the WebProNews Newsletter:

MD5crypt Password Scrambler Not Safe, Says Creator
[ Technology]

One of the more interesting things revealed to the public during the LinkedIn password leak debacle is the fact that entire forums exist where black-hat hackers work together to crack hashes. The speed with which LinkedIn and eHarmony’s passwords were obtained from the leaked hash is also disconcerting, considering that these companies are both large and reputable. The fact is, a company can do everything right when it comes to password security and still have something like what happened this week occur.

Poul-Henning Kamp, the creator of the Md5crypt password scrambler said as much today in a post on his personal blog. Kamp declared that the software he created back in 1995, and by extension other standard hashing techniques, are no longer by themselves viable as decent password protection. From the blog post:

The MD5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.

New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.

As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.

What this means is that as computing power and speed has rapidly risen, MD5 and similar hash functions have become vulnerable to “brute-force” attacks in which computers simply guess a hash at a rapid speed. Kamp suggests that any new standard algorithm take at least 0.1 seconds to run on a high-powered computer, making such attacks take far longer than they currently do.

Of course, this declaration is a reaction to LinkedIn’s hashing methods being publicized. It has been known in the security community for around 8 years that MD5 is vulnerable. LinkedIn was not using Md5 to hash their passwords, but a different, similar function called SHA-1. Kamp suggests that any website storing more than 50,000 passwords design their own algorithm, making it more time consuming for hackers to crack their passwords.

(via ZDNet)

MD5crypt Password Scrambler Not Safe, Says Creator
Top Rated White Papers and Resources
  • http://michaelhendrickx.com Michael Hendrickx

    > “Kamp suggests that any website storing more than 50,000 passwords
    > design their own algorithm”

    Really? I seriously think that’s the wrong approach. Password algorithms should be let to the experts. Although a developer could have multiple rotations of an algorithm (creating a md5 hash of the md5 hash of a salt vaue and password), I’d be scared if web applications (even giants such as linked in) create their own hashing algortims.

  • Join for Access to Our Exclusive Web Tools
  • Sidebar Top
  • Sidebar Middle
  • Sign Up For The Free Newsletter
  • Sidebar Bottom