I think the specific hash algorithm used doesn’t matter much, except that MD5 is quite fast to calculate. A modern hash algorithm would buy some time by being more expensive computationally, but wouldn’t change much otherwise. From how I understand the article, they effectively did a sophisticated dictionary attack on the passwords in the database, not brute force attacks on individual hashes. Probably starting with all the known common passwords and then continuing with some generator based on common password patterns. Otherwise I couldn’t explain how they cracked 48% of the passwords in under 60 seconds and needed the remainder of an hour for just another 12%.
Regardless, that’s no excuse for still using MD5 hashes today. The problem is that a sizeable chunk of IT professionals have no fucking clue what they’re doing. They might have heard that storing passwords as plain text is a bad idea, so they use the first hash algorithm they come across which happens to be MD5, unsalted of course. Unittests pass, everyone’s happy, software gets shipped, black hats are happy.
The difference in speed between MD5 and something like bcrypt or Argon2 is massive. We’re talking orders of magnitude. That adds a layer of security – if hashing takes e.g. 1000 times longer than with md5, the 20 minutes to crack the least secure passwords suddenly turns into 14 days. Still not astronomical but a lot slower. The more secure algorithms also require more memory to run, leading to less effective parallelization.
Besides, MD5 is prone to collisions, which reduce the number of attacks needed. The attacker doesn’t need the real password, just one that hashes to the correct value.
While they did do a more sophisticated dictionary attack, they also talk about rainbow tables, which only work if the hashes are unsalted. A more modern approach with salted passwords is immune to rainbow table attacks. An actually modern approach with salted and peppered Argon2 hashes makes the kind of offline attack Kaspersky did unfeasible in the first place.
For some reason Kaspersky never bothered to point this out. I’d expect a reputable cybersecurity company like them to at least include one line that urges developers to make use of a modern approach and gives pointers as to what that might be. But I suppose “we recommend passwords to be salted, peppered, and hashed with Argon2i or Argon2id with a sufficiently high work factor” wouldn’t fit their narrative.
(I also just noticed that the advice part of Kaspersky’s article is littered with references to the password manager they sell. Yep, it’s an underhanded ad that just happens to contain some good security advice.)
Eh, sorry, but you cannot crack hashes. At best you can come up with a strong that generates the same hash, but finding the exact original value won’t happen, that’s not how hashes work, that is not how anything works.
Each hash output value in principle can have an infinity of different inouts that lead to that output. Because of that, hashes are a one way street
Having said that, are you telling me that a properly salted hash using a modern algorithm like argon2id, or just even plain sha256, can be “cracked” in 14 days? I’m going to go ahead and say “no”
If you can generate an input which satisfies an md5 comparison which results in being able to authenticate with a system, then I think debating if that is a “crack” or not is purely semantic.
Although you are for sure technically right, I think any actually observed md5 collisions are with very large inputs, many orders of magnitudes longer than a password. The smallest input (first found, almost certainly) is almost certainly what the original password was.
I think the specific hash algorithm used doesn’t matter much, except that MD5 is quite fast to calculate. A modern hash algorithm would buy some time by being more expensive computationally, but wouldn’t change much otherwise. From how I understand the article, they effectively did a sophisticated dictionary attack on the passwords in the database, not brute force attacks on individual hashes. Probably starting with all the known common passwords and then continuing with some generator based on common password patterns. Otherwise I couldn’t explain how they cracked 48% of the passwords in under 60 seconds and needed the remainder of an hour for just another 12%.
Regardless, that’s no excuse for still using MD5 hashes today. The problem is that a sizeable chunk of IT professionals have no fucking clue what they’re doing. They might have heard that storing passwords as plain text is a bad idea, so they use the first hash algorithm they come across which happens to be MD5, unsalted of course. Unittests pass, everyone’s happy, software gets shipped, black hats are happy.
The difference in speed between MD5 and something like bcrypt or Argon2 is massive. We’re talking orders of magnitude. That adds a layer of security – if hashing takes e.g. 1000 times longer than with md5, the 20 minutes to crack the least secure passwords suddenly turns into 14 days. Still not astronomical but a lot slower. The more secure algorithms also require more memory to run, leading to less effective parallelization.
Besides, MD5 is prone to collisions, which reduce the number of attacks needed. The attacker doesn’t need the real password, just one that hashes to the correct value.
While they did do a more sophisticated dictionary attack, they also talk about rainbow tables, which only work if the hashes are unsalted. A more modern approach with salted passwords is immune to rainbow table attacks. An actually modern approach with salted and peppered Argon2 hashes makes the kind of offline attack Kaspersky did unfeasible in the first place.
For some reason Kaspersky never bothered to point this out. I’d expect a reputable cybersecurity company like them to at least include one line that urges developers to make use of a modern approach and gives pointers as to what that might be. But I suppose “we recommend passwords to be salted, peppered, and hashed with Argon2i or Argon2id with a sufficiently high work factor” wouldn’t fit their narrative.
(I also just noticed that the advice part of Kaspersky’s article is littered with references to the password manager they sell. Yep, it’s an underhanded ad that just happens to contain some good security advice.)
Eh, sorry, but you cannot crack hashes. At best you can come up with a strong that generates the same hash, but finding the exact original value won’t happen, that’s not how hashes work, that is not how anything works.
Each hash output value in principle can have an infinity of different inouts that lead to that output. Because of that, hashes are a one way street
Having said that, are you telling me that a properly salted hash using a modern algorithm like argon2id, or just even plain sha256, can be “cracked” in 14 days? I’m going to go ahead and say “no”
If you can generate an input which satisfies an md5 comparison which results in being able to authenticate with a system, then I think debating if that is a “crack” or not is purely semantic.
Although you are for sure technically right, I think any actually observed md5 collisions are with very large inputs, many orders of magnitudes longer than a password. The smallest input (first found, almost certainly) is almost certainly what the original password was.