It was an eyebrow-raising status update when my good friend @simonsky said that md5 is dead. He went on to support his claim by giving examples of why he believed so. Let's start by doing some groundwork. What exactly is md5 and why would it raise eyebrows among learned friends? In order to answer this question I will have to do a bit more explaining.

Whenever a user visits a website where they have to create an account, the details they enter are saved in a backing store, popularly called the database. It's best practice, and the convention, to save passwords in a hashed format. That is, the passwords should never be stored in plain text. For instance, if I have typed password1234 as my password (quite lame), that password should not be stored the way I typed it. So in comes hashing. Hashing simply involves taking a chunk of data, in this case the plain text password, and replacing it with a bit string usually called the hash value. Any change in the original data, however minimal, results in a complete change of the resulting hash value. This is called the avalanche effect.

Hashing is performed using hashing algorithms, and there exist various implementations of these algorithms in various programming languages. Irrespective of the programming language used, the resulting hash for the same input should be the same. One of the algorithms that has been around since the early days is md5. Using it is quite simple, especially in PHP, where it is implemented as a function which takes in a string variable and returns the hash as a string.

<?php

// md5() returns the 128-bit digest as a 32-character hex string
$hash = md5("password1234");

?>

Now that it's clear what md5 is, let's get back to what @simonsky said. His examples showed that it was possible to reverse md5 hashes back to the original string. This is not possible. It's not possible to reverse a cryptographic hash in practice. There have been theoretical explanations of how an md5 hash could be reversed, but these remain theoretical: a practical implementation isn't feasible since it would require computers with enormous power and would still take more than 100 years!

Besides, these so-called hash reversing websites don't really do any computation on the hash. They use a concept referred to as a dictionary attack, a form of brute force attack. It simply involves hashing all the possible passwords from a list of words and comparing each result with the hash you submitted. These dictionaries are mostly built from English or one of the other mainstream languages. So I went on and tried to see how localized they could get in their md5 hash reversing mechanisms.
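To make the mechanism concrete, here is an added example in Python (not code from the original post, and written in Python rather than PHP only so it runs anywhere) of what such a site does: it precomputes md5 of every word in a constructed wordlist and looks your hash up in that table. Nothing is reversed; a password that is not in the list simply is not found. The wordlist below is constructed for the demonstration, as is the option of adding every two-word concatenation, which shows that combining two dictionary words only helps until the site grows its table by n*(n-1) entries. The last function checks the avalanche effect mentioned earlier by counting how many of the 128 digest bits change between two inputs differing in one character.

```python
import hashlib
from itertools import permutations

# Constructed wordlist standing in for the table a "hash reversing" site keeps.
# Such a site does no reversing: it precomputes md5 of every word it knows and
# looks the submitted hash up in that table.
WORDLIST = ["password", "changeme", "letmein", "qwerty", "mwende", "witu"]


def md5_hex(text: str) -> str:
    """md5 of a UTF-8 string as lowercase hex, the same value PHP's md5() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_table(words, combine_pairs=False):
    """Precompute hash -> plaintext for every word.

    With combine_pairs=True every ordered two-word concatenation is added too,
    growing the table from n entries to n + n*(n-1).
    """
    candidates = list(words)
    if combine_pairs:
        candidates += [a + b for a, b in permutations(words, 2)]
    return {md5_hex(w): w for w in candidates}


def lookup(hash_hex, table):
    """Return the plaintext whose md5 matches, or None if it is not in the table."""
    return table.get(hash_hex.strip().lower())


def differing_bits(hex_a, hex_b):
    """Count the bit positions in which two md5 digests differ (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    table = build_table(WORDLIST)
    for pw in ["changeme", "password453!", "mwende", "mwendewitu"]:
        print(f"{pw!r:16} -> {md5_hex(pw)} -> found: {lookup(md5_hex(pw), table)}")
    big = build_table(WORDLIST, combine_pairs=True)
    print("with pair combinations:", lookup(md5_hex("mwendewitu"), big))
    print("bits differing between md5('password1234') and md5('password1235'):",
          differing_bits(md5_hex("password1234"), md5_hex("password1235")))
```

Run as a script, it shows "changeme" and "mwende" found immediately, "password453!" and "mwendewitu" not found with the plain wordlist, and "mwendewitu" found as soon as two-word concatenations are added. The same lookup is a useful defensive check: run a user's proposed password through the table at sign-up time and reject it if it is found.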

md5("changeme") = "4cb9c8a8048fd02294477fcb1a41191a"

I then fed the generated hash to one of the hash reversing sites.

Not bad: the original text has been produced. Now let's try the conventions. Conventions specify that a password should be a combination of alphanumerics and symbols.

md5("password453!") = "3d6789ba3ea390a9da79c7c631b6e1c9"

Decrypting this hash gives:

Following the password convention is a bit painful but saves a lot of pain, as seen above. Now let's see what happens with those who love vernacular.

In Kikamba, mwende is a common name. Do they have it in their dictionary yet?

md5("mwende") = "f3c8e05a28650b1bf42179ba64b0d1b9"

Seems like Kamba is more popular than I thought. But then again, using a single word is a bit lame and shows one has not mastered the language quite well.

md5("mwendewitu") = "d8fdf78743bd859fd42cc27dc2938594"

This means “our mwende”. Do they know that?

Can’t beat that.

The moral of this story is not about which vernacular word is awesome to write. This muse seeks to point out that system security and convenience cannot be used in the same sentence. A little bit of inconvenience is required, and from the tests above it's clear that if one can't combine alphanumerics and symbols in their password, then they might as well combine two vernacular words. It also seems to show that the weakness of simple passwords cannot be blamed on the hashing algorithm used, whether md5 or sha1.