
Getting into an argument on IRC in 2013.

[05:54] <Minus> i use md5* 2
[05:55] <notCIA> you mean you put it back into the md5?
[05:55] <Minus> then sha1 it
[05:55] <notCIA> like md5(md5($pw))?
[05:55] <Minus> yep
[05:55] <notCIA> youre feeding 32 bytes into an output of 32 bytes
[05:55] <notCIA> you have only made it less secure
[05:55] <Minus> md5 is nots weak

I know I'm right that this is completely insecure, but I can't properly put it into words or speak at length on the subject, and I am curious to learn more. Thanks.

y2k

  • It should be obvious that just feeding the output of a hash back into the hash does nothing except increase the chance of collisions. If you want to learn more for yourself then, uh, google or visit security.se. Arguing with someone that believes md5 is not weak is pointless. – Jon Jun 22 '13 at 14:05
  • "youre feeding 32 bytes into an output of 32 bytes" <- MD5 outputs 16 bytes, not 32. – CodesInChaos Jun 22 '13 at 17:03
  • @Jon The increase in collisions is irrelevant. It doesn't really matter if you have 2^128 or only ~2^127 reachable outputs. That's still enough. The collision attacks against MD5 don't apply either, so MD5 is only a little bit worse than SHA2 in this context. – CodesInChaos Jun 22 '13 at 17:06
  • @CodesInChaos: I did not pass a verdict on the impact of increased collisions because in general it depends on the number of iterations. In any case the result can only be worse when iterating like that, and that's the point I wanted to make. – Jon Jun 22 '13 at 17:11
  • 1
    @Jon The increased cost of iterating the hash more than offsets any loss of entropy. MD5(MD5(pw)) is about twice as strong as MD5(pw), but that's still pretty weak. MD5(pw+salt) iterated a million times is a decent password hash. I wouldn't recommend it since there are standard constructions, but it's not a bad algorithm. – CodesInChaos Jun 22 '13 at 17:17
  • @CodesInChaos: Those conclusions depend on the attack vector though. If we are talking about brute-forcing a stolen hash list then sure. – Jon Jun 22 '13 at 17:20
  • If you believe repeatedly hashing a string reduces security, you may want to speak to the authors of PBKDF2, SCrypt and BCrypt. That, or show us a fixed point or cycle in a secure hash function. – Nick Johnson Jun 28 '13 at 13:20

1 Answer

Short answer is that MD5(MD5(pw)) as password hash sucks because:

  1. You're not using a salt
  2. It's fast

If you'd iterate MD5 not twice but a million times and you'd include a salt, it'd be a decent password hash.

What matters very little are MD5's cryptographic weaknesses, since those don't apply to password hashing. In particular, collision attacks don't matter here; an attacker needs to be able to pull off a first pre-image attack. Simply swapping MD5 for SHA-2 won't get you much either, since it's still fast and unsalted.

The right answer is to use a standard password hashing construction such as PBKDF2, bcrypt or scrypt.

A few related questions:


Hashing twice does fix one thing: it prevents length-extension attacks, which work against all Merkle–Damgård hashes. That's why some people advocate SHA256(SHA256(m)). But typically HMAC is a better choice in those situations, and this does not apply to password hashing.

CodesInChaos
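To make the answer's two points concrete (no salt, too fast), here is an added Python example that is not part of the original thread. It puts the IRC construction md5(md5(pw)) next to the salted, iterated MD5 that the answer calls "decent", and next to PBKDF2-HMAC-SHA256 from the standard library, which is the kind of standard construction the answer recommends. The sample password, the salt length, and the iteration counts are constructed for illustration; the `make_record` / `verify_record` helpers are hypothetical names, not an API from any library.

```python
import hashlib
import hmac
import os

# Constructed sample input for the demo (not from the original thread).
SAMPLE_PASSWORD = "correct horse battery staple"


def double_md5(password: str) -> str:
    """The construction argued about on IRC: md5(md5(pw)), feeding the hex
    digest back in. Note the inner value is 32 hex characters encoding a
    16-byte digest, as CodesInChaos points out in the comments.
    No salt, and only two fast operations."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def salted_iterated_md5(password: str, salt: bytes, iterations: int) -> str:
    """The 'MD5(pw+salt) iterated a million times' construction from the
    comments, written out so the cost is visible. The loop chains the raw
    16-byte digest (not the hex text) and mixes the salt back in each round."""
    state = hashlib.md5(password.encode() + salt).digest()
    for _ in range(iterations - 1):
        state = hashlib.md5(state + salt).digest()
    return state.hex()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """A standard construction: PBKDF2-HMAC-SHA256 with a fresh random salt
    per user. Salt and iteration count are stored beside the hash so that
    verification can reproduce the computation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_record(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def stored_values_collide(password: str, scheme: str) -> bool:
    """Do two users who chose the same password end up with identical stored
    values? True means one precomputed table cracks every such account;
    that is the cost of omitting the salt."""
    if scheme == "double_md5":
        return double_md5(password) == double_md5(password)
    if scheme == "pbkdf2":
        return make_record(password)["hash"] == make_record(password)["hash"]
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    print("md5(md5(pw))       :", double_md5(SAMPLE_PASSWORD))
    print("salted iterated md5:", salted_iterated_md5(SAMPLE_PASSWORD, os.urandom(16), 100_000))
    rec = make_record(SAMPLE_PASSWORD)
    print("pbkdf2 verifies    :", verify_record(SAMPLE_PASSWORD, rec))
    print("same pw collides (double_md5):", stored_values_collide(SAMPLE_PASSWORD, "double_md5"))
    print("same pw collides (pbkdf2)    :", stored_values_collide(SAMPLE_PASSWORD, "pbkdf2"))
```

The point of `stored_values_collide` is the salt argument: with md5(md5(pw)) every user with the same password stores the same 32 hex characters, so a single precomputed lookup breaks all of them at once, whereas the salted record differs per user. The iteration count is the answer's "fast" argument: the work an attacker must spend per guess is set by `iterations`, not by the choice of MD5 versus SHA-2.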