One of the more interesting things revealed to the public during the LinkedIn password leak debacle is the fact that entire forums exist where black-hat hackers work together to crack hashes. The speed with which LinkedIn and eHarmony’s passwords were obtained from the leaked hash is also disconcerting, considering that these companies are both large and reputable. The fact is, a company can do everything right when it comes to password security and still have something like what happened this week occur.
Poul-Henning Kamp, the creator of the Md5crypt password scrambler said as much today in a post on his personal blog. Kamp declared that the software he created back in 1995, and by extension other standard hashing techniques, are no longer by themselves viable as decent password protection. From the blog post:
The MD5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.
New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.
What this means is that as computing power and speed has rapidly risen, MD5 and similar hash functions have become vulnerable to “brute-force” attacks in which computers simply guess a hash at a rapid speed. Kamp suggests that any new standard algorithm take at least 0.1 seconds to run on a high-powered computer, making such attacks take far longer than they currently do.
Of course, this declaration is a reaction to LinkedIn’s hashing methods being publicized. It has been known in the security community for around 8 years that MD5 is vulnerable. LinkedIn was not using Md5 to hash their passwords, but a different, similar function called SHA-1. Kamp suggests that any website storing more than 50,000 passwords design their own algorithm, making it more time consuming for hackers to crack their passwords.