<p>Short answer is that MD5(MD5(pw)) as password hash sucks because:</p>
<ol>
<li>You're not using a salt</li>
<li>It's fast</li>
</ol>
<p>If you'd iterate MD5 not twice but a million times and you'd include a salt, it'd be a decent password hash.</p>
<p>What matters very little are MD5's cryptographic weaknesses, since those don't apply to password hashing. In particular collision attacks don't matter here, an attacker needs to be able to pull off a first pre-image attack. Simply swapping MD5 for SHA-2 won't get you much either since it's still fast and unsalted.</p>
<p>The right answer is to use a standard password hashing construction such as PBKDF2, bcrypt or scrypt.</p>
<p>A few related questions:</p>
<ul>
<li><a href="https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords">How to securely hash passwords?</a></li>
<li><a href="https://security.stackexchange.com/questions/19906/is-md5-considered-insecure">Is MD5 considered insecure?</a></li>
<li><a href="https://stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once">Is “double hashing” a password less secure than just hashing it once?</a></li>
</ul>
<hr>
<p>Hashing twice does fix one thing: It prevents length-extension attacks which work against all <a href="http://en.wikipedia.org/wiki/Merkle-Damgard_construction" rel="nofollow noreferrer">Merkle–Damgård</a> hashes. That's why some people advocate SHA256(SHA256(m)). But typically HMAC is a better choice in those situations, and this does not apply to password hashing.</p>
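<p>An added example, not part of the original answer: the unsalted MD5(MD5(pw)) scheme next to a salted, iterated PBKDF2-HMAC-SHA256 hash with verification, using only Python's standard library. The function names, the <code>pbkdf2_sha256$iterations$salt$hash</code> storage format and the 16-byte salt size are assumptions made for this sketch.</p>

```python
import hashlib
import hmac
import os

# Work factor taken from the answer's "a million"; tune it to your own hardware.
ITERATIONS = 1_000_000


def md5_md5(password: str) -> str:
    """The weak scheme: unsalted and fast, so equal passwords give equal hashes."""
    # Assumption: the inner digest is fed back as hex text; raw bytes are no better.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: wrong field count, bad hex, bad iteration count
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share one password.
    print("md5(md5) alice:", md5_md5("hunter2"))
    print("md5(md5) bob:  ", md5_md5("hunter2"))   # identical to alice's
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print("pbkdf2 alice:  ", alice)
    print("pbkdf2 bob:    ", bob)                   # differs: separate salts
    print("verify ok:     ", verify_password("hunter2", alice))
```

<p>Storing the iteration count inside each record lets the work factor be raised later without invalidating existing hashes.</p>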
 
