Why not use MD5 for password hashing?

by

The collision resistance property of MD5 has been broken for a long time. Note that that preimage resistance and second preimage resistance have not yet been cracked, however as there are better algorithms out there (SHA-2) it would be wise to move to these rather than relying on a cryptographic hash that has already begun to lose its cryptographic properties. Note: The collision resistance property does not matter when storing hashed passwords – what you need to make sure of is that the preimage resistance property is sound – that it is computationally infeasible to find the original password given a certain hash value (and salt). As I mentioned, since one of the cryptographic properties is already broken I would be concerned that the others will follow soon.

When you store a password hash, you should build in some protection that the original password cannot be retrieved in case an attacker manages to extract these hashes. This is important because if an attacker manages to retrieve the password table only they can then use the data to either log into your system directly, or to log into other systems where the user has reused the same password.

When storing passwords, it is important to use a slow algorithm, such as bcrypt, scrypt or pbkdf2. A legitimate user should only have to experience the delay once, upon first login. An attacker will have to experience the delay for every password that they guess – remember rainbow tables will not be being used here because the passwords are salted. The attacker will be hashing each password guess in line with your chosen algorithm and iteration count.

It is important to tune the number of iterations for your system just so the right “strength” is used not to cause legitimate users any real annoyance when logging into your system. This is known as number of “rounds” or the “iteration count”. For example, iterating for about one second should be sufficient. It may be safe to assume that an attacker can run through hashes at ten times the speed of your system’s hardware. Therefore this limits the attacker to 10 guesses per second, rather than two billion with MD5.

Regarding DoS attacks

Yes, the extra processing your application performs upto login could be a target for an attacker to submit either really long passwords to your application, or to repeatedly hit it with login requests in order to consume CPU and memory resources on your server. You are right to be concerned.

These type of attacks can be mitigated in the following ways:

  • Log the username and IP address of each login attempt. After say 6 failed attempts, introduce a delay in response from your application if that username or IP is repeated again. This will also help mitigate password guessing attacks in general.
    • For example you could artificially delay by 1 second, then 2 seconds then 4 and up to a reasonable value (e.g. 16 seconds).
    • This has the advantage that an attacker can’t lock out another account on purpose as the legitimate user only has to wait 16 seconds.
    • An attacker could use a botnet and random usernames to bypass these checks, however they would need a huge number of IP addresses than they would without this control, and a more casual attacker would also not be aware that the delay in response was artificial.
  • Monitor the number of login attempts on your system. Once this is above a set threshold rate (e.g. 10 per second), introduce a CAPTCHA to solve to continue the login process. The threshold rate you choose very much depends on the user base and capacity of your system.
  • Implement two factor authentication. Only proceed to validate password by hashing once the One Time Password has been validated.

More Related Contents:

  1. Difference between Hashing a Password and Encrypting it
  2. Is “double hashing” a password less secure than just hashing it once?
  3. SHA512 vs. Blowfish and Bcrypt [closed]
  4. encrypt and decrypt md5
  5. What algorithm should I use to hash passwords into my database? [duplicate]
  6. Best Practices: Salting & peppering passwords?
  7. md5 decoding. How they do it?
  8. What is the clash rate for md5? [closed]
  9. Do I need a “random salt” once per password or only once per database?
  10. Secure hash and salt for PHP passwords
  11. Fundamental difference between Hashing and Encryption algorithms
  12. How to hash a password
  13. How should I ethically approach user password storage for later plaintext retrieval?
  14. How can bcrypt have built-in salts?
  15. Non-random salt for password hashes
  16. Encrypting/Hashing plain text passwords in database [closed]
  17. The necessity of hiding the salt for a hash
  18. Where do you store your salt strings?
  19. Password hashing, salt and storage of hashed values
  20. How to create a laravel hashed password
  21. MD5 hash with salt for keeping password in DB in C#
  22. Moving old passwords to new hashing algorithm?
  23. Best way for a ‘forgot password’ implementation? [closed]
  24. Why do salts make dictionary attacks ‘impossible’?
  25. Secure Password Hashing [closed]
  26. Should I impose a maximum length on passwords?
  27. MD5 security is fine? [closed]
  28. How can I hash passwords in postgresql?
  29. How to send password securely via HTTP using Javascript in absence of HTTPS?
  30. How to hash a password with SHA-512 in Java?

Leave a Comment