Why an unsalted MD5 hash is bad practice

[0..9, "a".."f"]
[216, 216, 166, 210, 233, 225, 251, 153, 48, 43, 71, 154, 143, 229, 64, 212]
echo d8d8a6d2e9e1fb99302b479a8fe540d4> hash.file
hashcat-cli64 -m 0 -a 0 -r rules/best64.rule hash.file rockyou.txt
  1. While MD5 is generally a good checksum, it is insecure as a password hashing algorithm because it is simply too fast. You will want to slow your attacker down. Use bcrypt or PBKDF2 with at least 100K iterations. Depending on what hardware your attacker has at his disposal, his brute-force attack on your data suddenly takes hundreds of years, if not longer.
  2. Always salt your passwords. Generate a unique, cryptographically secure random value for each password (so that two identical passwords, when hashed, will not hash to the same value). You will then stop rainbow table attacks on your data.
  3. Do not use sha256 as a password, stupid. Use a password manager, and generate yourself long and strong passwords. I highly recommend 1Password. If you think you’re safe without a password manager (you’re not), then at least be smart about 2FA and turn that on wherever possible.

Stefan

Delphi/Rust/Go developer. Ethereum consultant. Embarcadero MVP. Ex-Adobe, Macromedia. Helped build 1Password.