MD5 password hashes are dead

Rainbow tables win, Kaspersky analyst recommends two factors for all

MD5 hashes, still a common method for securing login passwords, are no longer an adequate defence against hackers, according to Kaspersky Lab analyst Evgeny (Eugene) Aseev.

Aseev, who heads the company's China Anti-Virus Lab, dismissed MD5 hashes in a throw-away comment during an otherwise routine presentation on recent high-profile hacking incidents in Kuala Lumpur yesterday. He later confirmed his assessment to CSO Online.

"MD5 is not really enough now," Aseev said. Asked whether rainbow tables had won the battle against MD5, he agreed.

Rainbow tables had been used to crack passwords in the attack on H B Gary Federal by Anonymous earlier this year.

MD5 is a cryptographic hash function that takes a plaintext input, such as a password, and returns a seemingly random 16-byte number, called a "hash value". Authentication systems store the hash value rather than the original password. When a user logs in, the password they enter is processed through MD5 and compared with the hash value on file, allowing access if there's a match.

It is computationally difficult to work backwards and produce the original password from the hash value. In theory this means that it wouldn't matter if an attacker gained access to the stored password hashes.

However, hackers now pre-compute the hash values for all possible passwords within a certain range using thousands of networked computers, storing them in multi-gigabyte databases called rainbow tables.

Rainbow tables are readily available online, containing the MD5 hash values for all possible passwords up to eight characters long, provided they consist of nothing but letters in upper and lower case, digits and spaces, and all passwords up to ten characters long if they are nothing but lower-case letters.

In the H B Gary incident, both chief executive officer Aaron Barr and chief operating officer Ted Vera had been using passwords consisting of only six letters and two numbers -- and the problem was compounded when they used the same passwords for both their Google accounts and H B Gary's internal systems.

"Lots of fails in this story," Aseev said.

Cryptographers have also been warning against potential weaknesses in the MD5 algorithm since the middle of the last decade. MD5 "should be considered cryptographically broken and unsuitable for further use", wrote US-CERT in 2008. Nevertheless, MD5 hashes are still widely used in web applications.

Rainbow tables can be defeated by using much longer passwords, or passwords with added salt -- random bits added automatically to the user's password to extend its length -- although presumably these techniques will eventually be rendered useless by ever-larger rainbow tables.
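As an added illustration, not code from the article or from Kaspersky Lab, the following Python shows why a precomputed table resolves an unsalted MD5 hash with a single lookup and why a per-user random salt makes that lookup miss; the short password list is a constructed stand-in for a real table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: a handful of short passwords standing in for the
# "all passwords up to eight characters" that a real rainbow table covers.
SAMPLE_PASSWORDS = ["abc123", "letmein", "qwerty12", "hunter2"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_lookup_table(passwords) -> Dict[str, str]:
    """Precompute unsalted MD5 -> password offline, as a rainbow table does."""
    return {md5_hex(p.encode()): p for p in passwords}

def store_unsalted(password: str) -> str:
    """The scheme the article criticises: the bare MD5 of the password."""
    return md5_hex(password.encode())

def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Store (salt, MD5(salt || password)) with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    return salt, md5_hex(salt + password.encode())

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check: rehash the entered password with the user's stored salt."""
    return hmac.compare_digest(md5_hex(salt + password.encode()), stored)

def recover_from_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Whoever holds the hash database gets one dictionary lookup per hash;
    returns None on a miss."""
    return table.get(stored)

def demo() -> dict:
    table = build_lookup_table(SAMPLE_PASSWORDS)
    # Two users who chose the same weak password.
    unsalted = [store_unsalted("abc123") for _ in range(2)]
    salted = [store_salted("abc123") for _ in range(2)]
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "unsalted_hits": [recover_from_table(h, table) for h in unsalted],
        "salted_identical": salted[0][1] == salted[1][1],
        "salted_hits": [recover_from_table(h, table) for _, h in salted],
        "salted_login_ok": verify_salted("abc123", *salted[0]),
    }
```

A random per-user salt defeats precomputation outright, since a table would have to be rebuilt for every salt value, but salted MD5 is still cheap to guess one user at a time, which is why a deliberately slow function such as PBKDF2 (`hashlib.pbkdf2_hmac`) is the current practice.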

Aseev recommends using two-factor authentication, such as systems that require a separate hardware token or smartcard. He also recommends that users be forced to create complex passwords, and educated against reusing passwords or falling for social engineering tricks.


Stilgherrian travelled to Kuala Lumpur as a guest of Kaspersky Lab.