Weak Hashing Mistakes: MD5, SHA-1, and Unsalted Hashes in Production
The most common hashing mistakes found in production code, why they're exploitable, and how to migrate to stronger algorithms.
Tags: security, hashing, mistakes
Weak Hashing Mistakes: MD5 and SHA-1 for Password Storage

The most dangerous thing about MD5 for password storage is not that it is theoretically broken — it is that it is extraordinarily fast. Modern GPUs compute tens of billions of MD5 hashes per second. An attacker with a leaked MD5 password database can try every combination of 8 lowercase letters in under a minute. This is not a theoretical risk; it is a routine operation that makes MD5 password databases effectively plaintext.

The Speed Problem

Password hashing is unique in cryptography: you want it to be slow. Every other hash use case prioritizes speed (file checksums, HMACs, digital signatures). For passwords, speed is the enemy.

Real GPU Benchmarks With hashcat

hashcat is the standard tool used by both security researchers and…
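
The speed argument above, as an added example (not code from the original article): it computes the 8-lowercase-letter keyspace, the time to exhaust it at an assumed 10 billion guesses per second, and measures the per-guess cost of unsalted MD5 against a salted slow hash on the local machine. PBKDF2-HMAC-SHA256 and the 600,000 iteration count are assumptions chosen here as a stand-in for a deliberately slow password hash, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your own hardware


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second


def md5_unsalted(password: bytes) -> bytes:
    """The weak scheme the article describes: one fast, unsalted MD5."""
    return hashlib.md5(password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


def cost_per_guess(fn, repeats: int) -> float:
    """Average wall-clock seconds for one call of fn on this machine."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    pw, salt = b"constructed-sample-password", os.urandom(16)  # constructed input
    fast = cost_per_guess(lambda: md5_unsalted(pw), 100_000)
    slow = cost_per_guess(lambda: slow_hash(pw, salt), 3)
    space = keyspace(26, 8)
    print(f"8 lowercase letters: {space:,} candidates")
    print(f"at 10e9 guesses/s: {seconds_to_exhaust(space, 10e9):.0f} s to exhaust")
    print(f"per guess here: MD5 {fast:.2e} s, PBKDF2 {slow:.2e} s ({slow / fast:,.0f}x)")
```

The measured ratio is the factor by which each guess against a leaked database becomes more expensive; the absolute numbers are for this CPU, not a GPU.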
All articles · theproductguy.in