Why an unsalted MD5 hash is bad practice

[0..9, "a".."f"]
[216, 216, 166, 210, 233, 225, 251, 153, 48, 43, 71, 154, 143, 229, 64, 212]
echo d8d8a6d2e9e1fb99302b479a8fe540d4 > hash.file
hashcat-cli64 -m 0 -a 0 -r rules/best64.rule hash.file rockyou.txt
1. While MD5 is generally a good checksum, it is insecure as a password hashing algorithm because it is simply too fast. You want to slow your attacker down. Use bcrypt or PBKDF2 with at least 100K iterations. Depending on what hardware your attacker has at his disposal, his brute force attack on your data suddenly takes hundreds of years, if not longer.
2. Always salt your passwords. Generate a unique, cryptographically secure random value for each password, so that two identical passwords will not hash to the same value. That stops rainbow table attacks on your data.
3. Do not use sha256 as a password, stupid. Use a password manager and generate yourself long, strong passwords. I highly recommend 1Password. If you think you're safe without a password manager (you're not), then at least be smart about 2FA and turn it on wherever possible.
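The following is an added example, not code from the original post: it puts the three points side by side in Python. It renders the byte array printed above into the same hex string the post feeds to hashcat, shows that the unsalted MD5 scheme stores identical values for identical passwords (which is exactly what a precomputed table exploits), and contrasts it with PBKDF2-HMAC-SHA256 at the post's minimum of 100K iterations with a fresh 16-byte salt per password. The "pbkdf2_sha256$iterations$salt$hash" record layout and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# The post's own digest, given as the 16 raw byte values it prints.
DIGEST_BYTES = [216, 216, 166, 210, 233, 225, 251, 153, 48, 43, 71, 154, 143, 229, 64, 212]


def digest_to_hex(byte_values) -> str:
    """Render a digest given as a list of byte values as lowercase hex."""
    return bytes(byte_values).hex()


def md5_unsalted(password: str) -> str:
    """The weak scheme from the post: one fast, deterministic hash and no salt.
    Every user with this password stores exactly the same 32 hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Parameters for the recommended scheme: PBKDF2 with the post's minimum of 100K iterations.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
    (an assumed layout chosen here so the salt and cost travel with the hash)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # cryptographically secure, unique per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), dk_hex)


def same_password_same_record(scheme: Callable[[str], str], password: str) -> bool:
    """True when storing the same password twice yields identical records,
    i.e. when a precomputed (rainbow) table of hashes would work against the store."""
    return scheme(password) == scheme(password)


def hashes_per_second(scheme: Callable[[str], str], password: str, seconds: float = 0.5) -> float:
    """Rough single-core throughput of a scheme; this is what 'too fast' means in practice."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        scheme(password)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample password
    print("digest bytes as hex:   ", digest_to_hex(DIGEST_BYTES))
    print("md5 twice identical:   ", same_password_same_record(md5_unsalted, sample))
    print("pbkdf2 twice identical:", same_password_same_record(pbkdf2_hash, sample))
    record = pbkdf2_hash(sample)
    print("stored record:", record)
    print("verify correct:", pbkdf2_verify(sample, record),
          "verify wrong:", pbkdf2_verify("hunter2", record))
    print(f"md5: {hashes_per_second(md5_unsalted, sample):,.0f}/s "
          f"vs pbkdf2: {hashes_per_second(pbkdf2_hash, sample):,.0f}/s")
```

Two details matter when you copy this pattern: the salt and iteration count are stored next to the hash so you can raise the cost later without a schema change, and verification uses `hmac.compare_digest` rather than `==` so a wrong guess is not distinguishable by timing.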

Stefan

Delphi/Rust/Go developer. Ethereum consultant. Embarcadero MVP. Ex-Adobe, Macromedia. Helped build 1Password.
