[dba-Tech] Never use MD5 encryption

Hans-Christian Andersen hans.andersen at phulse.com
Tue May 22 22:59:51 CDT 2012


Ya, MD5 has been easy to crack for a little while and so is anything less than SHA-256. Ideally, if you are doing one-way encryption of anything like passwords, you will want to make it as computationally complex as makes sense, because you want to make it as expensive for bad guys as possible to reverse it. For instance, don't just salt your passwords, but also perform whatever hashing function of your choosing many multiple times (some do it thousands of times). Not only does a baddie have to guess how many times you did it, but once they figure it out, they still have to waste valuable computational resources building a rainbow table and it's easy to make it so it is prohibitively expensive for them.

There are also cryptographic weaknesses in MD5, but that aside, it is still a very useful algorithm if you want to generate a quick hash for any sort of reason. For instance, if you want to generate a unique key based on some series of data. Just don't use it in any context where it is sensitive.

Best regards,
Hans-Christian Andersen


On 22 May 2012, at 17:44, "Jim Lawrence" <accessd at shaw.ca> wrote:

> If you still have databases out there that are using MD5 encryption, give
> your head a shake. It is so easy to crack it is nothing less than a joke.
> Some older versions of MySQL used to allow MD5 encrypted fields...worthless.
> 
> How easy is it to crack an MD5 encryption scheme? Try the following encrypted
> value: 569a70c2ccd0ac41c9d1637afe8cd932 and go to site:
> http://www.md5hacker.com/
> 
> The current encryption standards are: PBKDF2
> http://en.wikipedia.org/wiki/PBKDF2
> 
> Or a relatively old but good method: BCRYPT
> http://bcrypt.sourceforge.net/
> 
> Or the latest boy on the block: SCRYPT
> http://www.tarsnap.com/scrypt.html
> 
> Jim
> 
