Here is a common misconception when it comes to password security:

“It’s unsafe to store user passwords as plain text in the database, so I’ll MD5 the passwords. MD5 is safe because it is one-way encryption, and takes too long to brute force.”

WRONG!

An unsalted MD5 hash can be cracked in less than a second, because it is vulnerable to a precomputation attack. Don’t believe me? Try it for yourself. There are dozens of websites that will take a hash, and return the original password almost instantly. This is true of all hashing algorithms, not just MD5.

How do you defend against a precomputation attack? You use a salt when computing the hash. Using a large salt makes it infeasible to precompute a table for every possible salt value. Also, it helps if you have a strong password that contains numbers, uppercase letters, lowercase letters, and especially symbols. You get bonus points if your password contains strange characters (Unicode characters, ASCII characters above 128, etc.) because nobody can be bothered precomputing rainbow tables for those.
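To make the two sides concrete, here is an added example (not code from the original post) that precomputes a lookup table over a small constructed wordlist, recovers an unsalted MD5 hash with a single dictionary lookup, and then shows that a random per-user salt makes the same table useless. The wordlist and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a large precomputed table of common passwords.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "123456"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once, before any database is ever seen.
    This is the work the attacker has already done by the time a hash leaks."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(table, stored_hash: str):
    """Unsalted hash: recovering the password is one dictionary lookup,
    which is why it takes well under a second regardless of the algorithm."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted MD5: the salt is mixed into the hash input, so a table built
    without knowing this exact salt cannot contain the result."""
    return md5_hex(salt + password.encode())


def store_password(password: str):
    """Generate a fresh random salt per user; both salt and hash are stored."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def verify_password(password: str, salt: bytes, stored_hash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt), stored_hash)
```

A per-user salt removes the precomputation shortcut, but MD5 itself is still fast to evaluate, so a production system should pair the salt with a deliberately slow function such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt`.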


  • Adiga Hacker

    Not cracked in less than a second. Precomputed passwords are actually a password and its md5 hash stored in a database, then a matching will be checked for the hash you entered.

    This could prove helpful if the password you choose is 7 chars or less in length, but to generate a database with 8 chars or more with alpha (small and capital) + numbers + special chars will take a huge amount of space and also a long generating time …

    For an 8 chars pass of alpha either small or capital with numbers and up to 10 allowable special chars, the pass space is 72^8+72^7+72^6 …. + 72^1 … assuming a minimal size of 40 bytes as space for the pass + the hash … my computer won’t give an answer for that … but it will take multi TBs with weeks if not months of generating ….

    Whether your pass is salted or not … choose it to be 9 chars or more, with at least 1 number, 1 special char, 1 alpha capital and the rest as alpha small and you’re safe from getting your pass cracked, as the chances of you being tricked into a false login or having your session stolen will be 1000s of times greater than of your pass being cracked ….

  • Defense

    pass space is only 72^8