[lug] MD5 strength?

Peter Hutnick peter-lists at hutnick.com
Sat Aug 31 03:05:09 MDT 2002


> I am curious, for the MD5 password hash, is this currently considered
> strong, or is it easily broken by normal hardware? I have people telling
> me that password hash is useless and broken quite easily, and if this is
> about old style passwords, I agree...but with MD5, I do not believe that
> any real weakness, other than perhaps theoretical, has been found. If
> someone uses a buffer overflow attack to email the shadow file, and if
> the shadow file is MD5, what kind of difficulty would the attacker have
> at cracking non-common passwords

MD5 is quite strong on its own merits . . . BUT it takes only a moment to
calculate a hash from a password (this is necessary, otherwise logins
would have to be planned days (weeks? months?) in advance) and only an
instant to compare the resulting hash to the hash of the unknown password.
Therefore the amount of difficulty in "cracking" an MD5 hash is VERY
dependent on the quality of the password.  A password such as "password"
or "dog" or "fluffy" (my dog's name) or "joe73" (a simple combination of
part of my middle name and year of birth) or some part of my phone number,
birth date, SSN, etc. should be "crackable" in a matter of a few minutes
by a competent cracker with contemporary HW and access to your personal
info.  OTOH, a password like "k3(Db7@eC" is "uncrackable" by any
reasonable standard.

Expiring passwords can act as a hedge against such an attack.

> (passwords not from a common words,
> where it must actually be broken instead of guessed)?

AFAIK there is no known way to "break" (as opposed to guess) an MD5 hash
to obtain the password.  I'm no expert on this, but I think that it is
mathematically impossible to do so (else MD5 would be the best compression
system out there).  Hashes of such strong passwords can still be "cracked"
by using a non-dictionary (i.e. sequential or statistical) method of coming
up with the "candidate" passwords to be MD5ed for comparison to the hash
of the unknown password.  IOW there is only one known way to "crack" a
password out of an MD5 hash, and that method is not very useful against
strong, "short" (or "medium") term passwords.

Got all that?

-Peter
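The guess-hash-compare loop Peter describes, as an added example that is not part of the original post or of any tool it mentions. The md5crypt() function is a pure-Python rendering of the FreeBSD "$1$" algorithm (the "MD5 password hash" found in shadow files) as the author of this example understands it; verify it against your system's crypt(3) before trusting it on real hashes. The shadow entries, salts, word list and "personal info" fragments are all constructed for the demo, and the entries are generated with the same md5crypt() function, so the demo is self-consistent. Each candidate is hashed with the victim's own salt and compared against the stored field; "fluffy" falls to the dictionary, "joe73" to a name-plus-year mangling rule, and the strong password survives because the candidate stream (dictionary, mangled personal info, then a tiny brute-force tail) never produces it.

```python
import hashlib
import itertools
import string

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PRINTABLE = string.digits + string.ascii_letters + string.punctuation  # 94 chars


def _to64(value, n):
    # crypt-style base64: emit the low 6*n bits, least significant group first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password, salt, magic=b"$1$"):
    """md5crypt ($1$) as used for shadow passwords, rendered in Python from the
    FreeBSD algorithm (an assumption of this example; check against crypt(3)).
    The 1000-round loop is the only stretching, so a guess still costs microseconds."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password)):           # mix in len(password) bytes of alt
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(password)
    while i:                                 # odd/even bit trick from the C source
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    out += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + out


def parse_shadow_line(line):
    """'user:$1$salt$hash:...' -> (user, full hash field, salt bytes)."""
    user, field = line.split(":")[:2]
    parts = field.split("$")               # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) entry: " + field)
    return user, field, parts[2].encode()


def crack(hash_field, salt, candidates):
    """Hash each candidate with the victim's salt and compare to the stored
    field. Returns the matching password, or None if the candidates ran dry."""
    for cand in candidates:
        if md5crypt(cand.encode(), salt) == hash_field:
            return cand
    return None


def candidate_stream(wordlist, fragments, years, brute_len=2):
    # 1. dictionary; 2. mangled personal info ("joe" + "73"); 3. short brute force
    yield from wordlist
    for frag in fragments:
        for year in years:
            yield f"{frag}{year}"
            yield f"{frag.capitalize()}{year}"
    for n in range(1, brute_len + 1):
        for tup in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(tup)


def search_space(alphabet, length):
    """Number of candidates an exhaustive search must try in the worst case."""
    return len(alphabet) ** length


# Constructed shadow entries (not real accounts); salts chosen by hand.
SAMPLE_SHADOW = [
    "peter:" + md5crypt(b"fluffy", b"xK9s2QpL") + ":11930:0:99999:7:::",
    "joe:" + md5crypt(b"joe73", b"Ab3dEf7h") + ":11930:0:99999:7:::",
    "admin:" + md5crypt(b"k3(Db7@eC", b"z8Yq1MnR") + ":11930:0:99999:7:::",
]
WORDLIST = ["password", "dog", "fluffy", "letmein", "qwerty"]          # constructed
PERSONAL = {"fragments": ["joe", "hutnick", "peter"], "years": ["73", "1973", "02"]}


def run_demo(shadow_lines=SAMPLE_SHADOW):
    """Attack every entry; returns {user: recovered password or None}."""
    results = {}
    for line in shadow_lines:
        user, field, salt = parse_shadow_line(line)
        results[user] = crack(
            field, salt, candidate_stream(WORDLIST, PERSONAL["fragments"], PERSONAL["years"]))
    return results


if __name__ == "__main__":
    for user, pw in run_demo().items():
        print(f"{user}: {'cracked -> ' + pw if pw else 'not found'}")
    print("exhaustive search for a 9-char printable password:",
          f"{search_space(PRINTABLE, 9):,} candidates")
```

Two things the run makes concrete: the salt forces the attacker to hash every candidate once per target (no shared lookup table across users), and the only knob on the defender's side is how many candidates the attacker must try; the 94^9 figure for the strong password is why the dictionary-plus-mangling order matters far more than raw hashing speed.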
