[Link] Why You Don't Use MD5 For Passwords


40 Replies - 4665 Views - Last Post: 13 June 2013 - 09:57 AM

#16 jon.kiparsky

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 10:13 AM

I started typing a reply, and it got long. It's in spoiler tags, read it if you want. Warning: this is just me talking, I'm just a curious person, I don't know that much. Could be wrong.

Short version: quantum computing changes the balance of difficulty between encryption and decryption, but it's likely to swing back. The transition period will be interesting.

Spoiler

Was This Post Helpful? 1

#17 AdamSpeight2008

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 01:37 PM

A couple of recent talks on Quantum Computation.

http://research.micr...x?id=192878&l=i

http://research.micr...x?id=191071&l=i
Was This Post Helpful? 1

#18 CTphpnwb

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 03:27 PM

Yes, hardware is fast these days, but my question is, why does that have to help with a brute force attack? A while ago I posted this, and while it's not complete, it shows how you could have your server keep track of who/where login attempts are coming from so that you can slow down these attacks dramatically. Thinking back on it, I wonder why I didn't track recent user names instead of IP addresses. If you allow one attempt per second for any given user name then it really doesn't matter how fast the hacker's computer is. They're going to max out at sixty attempts per minute per user name, so it could take many years to crack a password.
Was This Post Helpful? 2
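CTphpnwb's suggestion above, turned into a worked example. This is added code, not the code from the earlier post he links to, and it assumes the names LoginThrottle and simulate_attack and a one-second minimum interval. The throttle keys on the (case-folded) user name rather than the IP address, so the cap holds no matter how many machines the guesses come from; the constructed scenario fires a thousand guesses a second at one account for a minute and counts how many ever reach the password check. Note the limit of what it enforces: it slows online guessing against the live server and does nothing for a hash file that has already been copied off, which is the point the next post makes.

```python
import time

# Added example (not CTphpnwb's code): a per-user-name throttle that
# allows at most one login attempt per second for any given user name,
# regardless of how many client machines or IP addresses the attempts
# come from. The clock is injectable so the behaviour can be tested
# deterministically. LoginThrottle, MIN_INTERVAL and simulate_attack
# are names assumed for this illustration.

MIN_INTERVAL = 1.0  # seconds between accepted attempts per user name


class LoginThrottle:
    def __init__(self, clock=time.monotonic, min_interval=MIN_INTERVAL):
        self._clock = clock
        self._min_interval = min_interval
        # Time of the last accepted attempt per user name. The name is
        # case-folded so "Admin" and "admin" share a single budget.
        self._last_attempt = {}

    def allow(self, username):
        """Return True if an attempt for this user name may be checked now.

        A rejected attempt is answered before the stored hash is consulted,
        so the cost of a refused guess does not depend on the hash function.
        """
        key = username.strip().casefold()
        now = self._clock()
        last = self._last_attempt.get(key)
        if last is not None and now - last < self._min_interval:
            return False  # too soon: refuse without checking the password
        self._last_attempt[key] = now
        return True


def simulate_attack(attempts_per_second, duration_s, username="admin"):
    """Constructed scenario: an attacker fires `attempts_per_second` guesses
    at one user name for `duration_s` seconds. Returns how many of those
    guesses actually reach the password check (at most one per second)."""
    now = [0.0]  # simulated clock, advanced by the loop below
    throttle = LoginThrottle(clock=lambda: now[0])
    checked = 0
    total = attempts_per_second * duration_s
    for i in range(total):
        now[0] = i / attempts_per_second  # exact at whole seconds
        if throttle.allow(username):
            checked += 1
    return checked


if __name__ == "__main__":
    # A 1000-guess-per-second attacker gets the same 60 checks per minute
    # as a 1-guess-per-second one: the attacker's hardware speed is irrelevant.
    print(simulate_attack(1000, 60))  # → 60
    print(simulate_attack(1, 60))     # → 60
```

The interesting number is that both attackers end up with the same sixty checks per minute against the one account, which is exactly the thread's point: the server's pace, not the attacker's CPU, sets the rate for online guessing.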

#19 Skydiver

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 04:52 PM

One implementation of *nix I was on actually had a 1 second delay hard coded into the crypt() function to slow down password cracking attempts.
Was This Post Helpful? 0

#20 AdamSpeight2008

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 06:38 PM

CTphpnwb, do you know that once you have the hash file, the decoding technique doesn't involve the target in the decoding stage at all?

It doesn't even have to be the correct password, only a valid hash clash: values that hash to the same value.

Once you have all the passwords, then the target could be involved.

Like a particular user name, like Admin.

This post has been edited by AdamSpeight2008: 29 May 2013 - 06:40 PM

Was This Post Helpful? 0

#21 jon.kiparsky

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 06:43 PM

AdamSpeight2008, on 29 May 2013 - 08:38 PM, said:

It doesn't even have to be the correct password, only a valid hash clash: values that hash to the same value.

If you find a collision in a cryptographic hash function, make absolutely certain you're right and then tell the world about it. There are a lot of people who spend a lot of time making sure those functions are highly collision resistant - by which we mean that, while we know there are collisions, we also know that they're effectively impossible to find*.

If you show that this is not the case, the hash will suddenly become known to be unsafe, and lots of people will thank you for making their websites more secure.


*To quote wikipedia:

Quote

The ideal cryptographic hash function has four main properties:

it is easy to compute the hash value for any given message
it is infeasible to generate a message that has a given hash
it is infeasible to modify a message without changing the hash
it is infeasible to find two different messages with the same hash.

Was This Post Helpful? 1

#22 Skydiver

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 07:03 PM

Like this MD5 collision: http://www.mathstat....r/md5collision/
Was This Post Helpful? 0

#23 jon.kiparsky

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 07:04 PM

Yes, exactly... bringing us back around to the original topic. :)
Was This Post Helpful? 0

#24 Skydiver

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 07:26 PM

I'm running with a short attention span right now, but I never noticed any mention of the passwords being salted or not salted in the original article linked in the OP. My impression from the article was that the passwords were not salted. Isn't it standard practice that passwords should be salted before the MD5 hash is computed? Or has the practice of salting fallen by the wayside?
Was This Post Helpful? 0

#25 Skydiver

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 07:31 PM

When attention spans shorten, Ctrl-F comes to the rescue:

Quote

Of course, none of this applies in this exercise since the leaked MD5 wasn't salted.

from page 2 of the article.
Was This Post Helpful? 0

#26 CTphpnwb

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 07:40 PM

AdamSpeight2008, on 29 May 2013 - 09:38 PM, said:

CTphpnwb, do you know that once you have the hash file, the decoding technique doesn't involve the target in the decoding stage at all?

It doesn't even have to be the correct password, only a valid hash clash: values that hash to the same value.

Once you have all the passwords, then the target could be involved.

Like a particular user name, like Admin.

Right, but if your hashes have been leaked you've already been compromised.
Was This Post Helpful? 0

#27 jon.kiparsky

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 08:22 PM

Skydiver, on 29 May 2013 - 09:26 PM, said:

Isn't it standard practice that passwords should be salted before the MD5 hash is computed? Or has the practice of salting fallen by the wayside?



Salting implies you care about security - in that case, you're not using MD5...
Was This Post Helpful? 2

#28 Skydiver

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 08:27 PM

CTphpnwb, on 29 May 2013 - 10:40 PM, said:

AdamSpeight2008, on 29 May 2013 - 09:38 PM, said:

CTphpnwb, do you know that once you have the hash file, the decoding technique doesn't involve the target in the decoding stage at all?

It doesn't even have to be the correct password, only a valid hash clash: values that hash to the same value.

Once you have all the passwords, then the target could be involved.

Like a particular user name, like Admin.

Right, but if your hashes have been leaked you've already been compromised.

But if your collection of public keys has been leaked, it's a non-issue?
Was This Post Helpful? 0

#29 AdamSpeight2008

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 08:51 PM

MD5 isn't a Public Key Encryption algorithm, it's a hash algorithm.

Data -> Hash
It mashes and mangles the source data (unencrypted) into a specific number of bits.
Generally Hashbits <= DataBits
There is no way (or it is impractical) to reverse the procedure and get the data,
Hash -> Data, with certainty. If it were so, we'd be using hash representations instead of the data.
Was This Post Helpful? 0

#30 jon.kiparsky

Re: [Link] Why You Don't Use MD5 For Passwords

Posted 29 May 2013 - 09:13 PM

AdamSpeight2008, on 29 May 2013 - 10:51 PM, said:

MD5 isn't a Public Key Encryption algorithm, it's a hash algorithm.



Of course it's not an encryption algorithm. No hash algorithm is in itself an encryption protocol - there isn't really any sense in talking about an encryption "algorithm" at all, since protocols are quite a bit higher-level than the algorithms used to implement them (any protocol consists of multiple steps, usually composed of cryptographically secure primitives such as pseudo-random number generators or hash functions, and there are multiple options to choose from at each stage). And of course it's not public key - as far as I know there aren't any hash functions that operate on a public/private key basis, but I might be forgetting about something there. In any case, MD5 is by no means a public-key anything.

MD5 was written to be a cryptographic primitive, specifically a hash function for which it is not practical to generate a chosen hash by selecting a message/key combination, and for which modifying a message changes the resulting hash in ways which cannot be determined by simple (or deep) inspection, and for which it is effectively impossible to show two messages which hash to the same value. And it fails badly on at least two of these counts (see Skydiver's link above) so as a cryptographic primitive, MD5 is considered completely broken and should not be used in security-sensitive contexts, one of those being storage of passwords.

There are a fair number of good references on cryptography available. I suggest you avail yourself of them if you're going to make use of crypto at all, since you're likely to make all sorts of mistakes if you try to implement even out-of-the-box solutions without understanding the fundamentals, and this will expose things you want to protect. Schneier's work is quite good for the beginner, and the Handbook of Applied Cryptography (Menezes et al) is extremely complete, if you want to know the gory details. Victor Shoup has a good introduction to the math required, which is available as a free download - google for number theory in connection with his name and you'll come up with it.

Dan Boneh's coursera course is also quite good, but you'll probably want to have at least Shoup under your belt to make best use of his course.

EDIT: Can't resist adding in this link, which looks like an excellent opportunity for two-birds-with-one-stone killing. If you want to get some practice with your German while learning crypto, give this one a try. :)

This post has been edited by jon.kiparsky: 29 May 2013 - 09:18 PM

Was This Post Helpful? 3
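An added example, not from any of the posts, covering the salting question (#24, #27) and AdamSpeight2008's Data -> Hash description (#29, #30): the unsalted MD5 scheme from the leaked database beside a salted, deliberately slow hash. It uses only the Python standard library (hashlib.pbkdf2_hmac, os.urandom, hmac.compare_digest); the record format, the function names and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. Contrasts an unsalted MD5 table
# (every user with the same password gets the same digest, so one
# precomputed lookup cracks all of them at once) with a per-user salted,
# deliberately slow hash. The record layout and the names below are
# assumptions for this illustration; the iteration count is likewise an
# illustrative value, not a recommendation.

PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def md5_unsalted(password):
    """The broken scheme from the leaked database: MD5 of the bare password.
    Output is always 128 bits (32 hex chars) whatever the input length,
    which is the Data -> Hash compression described in post #29."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Build a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password
    get different records, so no shared lookup table applies to both.
    `salt` may be passed explicitly only to make results reproducible.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password, record):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time. Unknown algorithm tags are rejected outright."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_digest_unsalted(p1, p2):
    """True when two passwords collide in the unsalted table (always, if equal)."""
    return md5_unsalted(p1) == md5_unsalted(p2)


def same_record_salted(p1, p2):
    """True only if two independently salted records coincide (they will not)."""
    return make_record(p1) == make_record(p2)


if __name__ == "__main__":
    # Constructed scenario: two accounts chose the same password.
    print(same_digest_unsalted("password", "password"))  # → True
    print(same_record_salted("password", "password"))    # → False
    rec = make_record("correct horse")
    print(verify_record("correct horse", rec))           # → True
    print(verify_record("wrong guess", rec))             # → False
```

The unsalted table lets one precomputed digest identify every account sharing that password; the salted record forces each account to be attacked separately, and the iteration count makes each guess cost far more than a single MD5. That is the practical content of "salting implies you care about security - in that case, you're not using MD5".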
