MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author

Forum Moderators: phranque

Message Too Old, No Replies

MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author

engine

1:29 pm on Jun 7, 2012 (gmt 0)

MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author [zdnet.com]

The original author of the MD5 password hash algorithm has publicly declared his software end-of-life and is “no longer considered safe” to use on commercial websites.

Danish developer Poul-Henning Kamp, who developed the widely used MD5 password hash algorithm, said that limitations to his software and a corresponding increase in computing power since its initial release has rendered algorithm obsolete.

“I implore everybody to migrate to a stronger password scrambler without undue delay,”

Andy Langton

1:42 pm on Jun 7, 2012 (gmt 0)

Great quote from the author there, too:

All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.

I'd say he's right on the money, although this would put some burden back on those sites, of course.

henry0

4:25 pm on Jun 7, 2012 (gmt 0)

Check PHP man and scroll down to review a few interesting suggestion on using sha 256.

I am thinking to implement something like that in a few new scripts instead of the usual md5()

[php.net ]

httpwebwitch

4:50 pm on Jun 7, 2012 (gmt 0)

Goodbye MD5. You've been a good friend. Thanks for watching my back.

RIP MD5

:(

henry0

5:06 pm on Jun 7, 2012 (gmt 0)

Once upon a time... when CAPTCHA was said to be the universal panacea!

incrediBILL

6:53 pm on Jun 7, 2012 (gmt 0)

What you really need are secure servers because if the server wasn't being hacked the password could be plain text and it would be just fine as long as it's being transmitted via SSL.

People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.

henry0

8:13 pm on Jun 7, 2012 (gmt 0)

People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.

With a well defined regex and corresponding "how to enter PW" the new registering user could be somehow "forced" to create a good strong PW.

I am not pro self-generated-PW as the user will not memorize it, thus writing it down! And anyway will, first thing first, change it to "passord101" :)

You are correct people should not be trusted, once I visited a client, go through the accounting dpt, something caught my eyes, it was a sticker on a monitor, I knew what it was, nevertheless asked about it and they candidly said that it was the accounting master PW .....

Leosghost

8:35 pm on Jun 7, 2012 (gmt 0)

Bill ..problem is ..we here are all "people" when we are on someone else's site..:)

incrediBILL

5:35 am on Jun 8, 2012 (gmt 0)

thus writing it down!

Not nearly as bad as letting a hacker get access.

I'm not concerned with anything left on my desk because nobody is allowed in my office, no touching the desk or anything on it, and all trespassers will be violated.

Using my computer is completely forbidden, penalty of beheading, so someone remembering my password if they ever see it isn't much of a problem ;)

Of course my wife is the only exception, all others should stay clear.

Bill ..problem is ..we here are all "people" when we are on someone else's site

That has nothing to do with learning and using basic memorization skills.

They taught us that stuff in school, at least at my school they did...