MD5 password scrambler 'no longer safe'



BrianBosworth
08.06.12, 03:14
The MD5 password hash algorithm is “no longer considered safe” by the original software developer, a day after the leak of more than 6.4 million hashed LinkedIn passwords.

The original author of the MD5 password hash algorithm has publicly declared his software end-of-life and said it is “no longer considered safe” to use on commercial websites.
This comes only a day after a data breach led to 6.46 million LinkedIn hashed passwords leaking to the Web. Since the data breach, thousands of passwords, including many that could be considered strong, have been decrypted, either through brute force or through lookups. The primary cause is LinkedIn’s failure to properly ‘salt’ the hashed passwords using the SHA-1 algorithm. MD5 is a password hashing algorithm similar to that of SHA-1.
Danish developer Poul-Henning Kamp, who developed the widely used MD5 password scrambler, said that limitations to his software and a corresponding increase in computing power since its initial release have rendered his algorithm obsolete.

“I implore everybody to migrate to a stronger password scrambler without undue delay,” he wrote in a blog post.
“All major Internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm — consisting of course of standard one-way hash functions like SHA2 etc — for their site, in order to make development of highly optimized password brute-force technologies a ‘per-site’ exercise for attackers.”


Right after this incident happened, Last.fm and eHarmony suffered a data breach as well.

MD5 password scrambler 'no longer safe' | ZDNet (http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317)

Last.fm, eHarmoney Passwords stolen as well (http://www.ghacks.net/2012/06/07/last-fm-eharmoney-passwords-stolen-as-well/)
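
Added example, not part of the original post or the articles it links: the unsalted SHA-1 scheme the post describes next to a salted, iterated replacement, with legacy records upgraded when the user next logs in successfully. PBKDF2-HMAC-SHA256, the iteration count, the record format and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor for this example
PREFIX = "pbkdf2_sha256"      # assumed tag marking an upgraded record


def legacy_hash(password):
    """Unsalted SHA-1: equal passwords always give equal hashes,
    so one precomputed lookup table works against every account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password, salt=None):
    """Salted, iterated hash. A fresh random salt per record means a
    lookup table built for one record is useless against any other."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([PREFIX, str(ITERATIONS), salt.hex(), dk.hex()])


def verify_and_upgrade(password, stored):
    """Check a login attempt; return (ok, record_to_store).

    Upgraded records are verified with their own salt and iteration
    count. Legacy records are verified the old way and, only on
    success, replaced with a strong record, since that is the one
    moment the server sees the plaintext password.
    """
    if stored.startswith(PREFIX + "$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_hash(password), stored)
    return ok, (strong_hash(password) if ok else stored)


if __name__ == "__main__":
    # Constructed sample: two accounts sharing one password.
    pw = "correct horse battery"
    print(legacy_hash(pw) == legacy_hash(pw))   # identical legacy hashes
    print(strong_hash(pw) == strong_hash(pw))   # different strong records
    print(verify_and_upgrade(pw, legacy_hash(pw)))
```

Accounts that never log in again keep their legacy record under this scheme, so a real migration also needs a plan for them, such as forcing a reset.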