Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How secure is MD5 and SHA1

Tags:

md5

sha

Hey just a simple questions, as im tryng to understand a bit more on Hash functions, I know how they work and what they do but how secure are they?

I would appreciate a simple answer not links as I never find them useful.

like image 710
user2160949 Avatar asked May 23 '13 12:05

user2160949


People also ask

Is MD5 or SHA-1 more secure?

To conclude, MD5 generates a message digest of 128-bits, while SHA1 generates a message digest of 160-bit hash value. Hence, SHA1 is a relatively complex algorithm and provides better security than MD5.

Why is SHA-1 more secure than MD5?

Although slower, SHA is more secure than MD5 due to a variety of reasons. First, it produces a larger digest, 160-bit compared to 128-bit, so a brute force attack would be much more difficult to carry out. Also, no known collisions have been found for SHA.

Is MD5 considered secure?

Although originally designed as a cryptographic message authentication code algorithm for use on the internet, MD5 hashing is no longer considered reliable for use as a cryptographic checksum because security experts have demonstrated techniques capable of easily producing MD5 collisions on commercial off-the-shelf ...

Why is SHA-1 no longer secure?

SHA-1 is prone to length extension attacks. Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013.


1 Answers

With nowadays technology, both can be cracked. There are also hash dictionaries that help find what a hash means for short strings.

If they are secure or not, highly depends on what you want to protect. If you are building an online banking system, they are not recommended at all (depending where in the online banking system they come to use). If you implement them just for online user password hashing, for example, it also depends on: is you website worth cracking, how many users you have, etc.

A general advice, is to first study the level of security you want to achieve in you scenario and decide what technologies (in this case hashing) you use. There is also no 100% security. Also don't invest too much time into one security issues and ignore others which might not be as obvious or technical (human errors, security by obscurity, human engineering).

Check this out:

  1. generate the hash for a small word here. For example, password has the MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99
  2. now go here and ask back for the text.

The above example is just one of many (dictionary attack) possible way to crack them. Also the wikipedia articles of each security algorithms gives you a list of vulnerabilities.

ALSO SEE:

  • Is MD5 less secure than SHA et. al. in a practical sense?

SIDE NOTE

Never let websites generate a hash for a real password that you have (in case you need it somewhere for testing or other reasons). Always use test passwords, or generate hashes on your local machine. People building hash databases (hackers or not), also provide online hash tools for capturing hashes.

like image 102
4 revs, 2 users 76% Avatar answered Oct 05 '22 05:10

4 revs, 2 users 76%