18

Pretty much every guide, how-to, and reference for dealing with passwords and hashing has a warning in big or bold letters stating something along the lines of:

SHA-1 and MD5 are NOT secure and should not be used.

Fair enough, it's not much trouble to use SHA-256 or something else. But have there been any examples of said weaknesses actually being successfully used in an attack? Just how much weaker do these vulnerabilities make the algorithms?

leylandski
  • 291
  • 2
  • 6
  • 1
    Don't want to answer with a link but have you read this article? http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ –  Nov 30 '15 at 15:20
  • 2
    You mean has anyone ever been *caught and reported* doing one of those attacks? The thing about certificate spoofing attacks or password cracking is that once you have a successful attack, it's in the hacker's best interest to remain undetected... – Mike Ounsworth Nov 30 '15 at 15:29
  • 3
    Neither MD5 nor SHAxxx is intended for passwords! Never use any of these algorithms for stored passwords securely. – Boris the Spider Nov 30 '15 at 17:20
  • SHA-1 and MD5 are insufficient in their bare-bone implementation. However, PBKDF2 is a modern hashing algorithm which uses a modified version of SHA-1 (HMAC-SHA-1) combined with a large amount of iterations. This makes it one of the current "safe" password hashing functions, alongside bcrypt and scrypt. – Nzall Nov 30 '15 at 17:22
  • Possible duplicate of [chosen plaintext attacks against MD5 and SHA1](http://security.stackexchange.com/questions/5182/chosen-plaintext-attacks-against-md5-and-sha1) – Mast Dec 01 '15 at 00:09
  • [evilize library](http://www.mathstat.dal.ca/~selinger/md5collision/) (not quite an actual attack though but shows how practical it is) – tangrs Dec 01 '15 at 04:46

4 Answers

24

I'm not aware of any publicly known attack using a collision in SHA-1, but MD5 collisions were probably already used in attacks in 2010. In 2012 it was discovered that malware from the Flame attack had a valid signature from Microsoft, which was possible due to an MD5 collision attack. See http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx for more details.

As for using MD5 or SHA-1 with passwords: simply hash some trivial password with MD5 or SHA-1 and then look up the hash with Google. Example:

 password:   "secret"
 md5 (hex):  "5ebe2294ecd0e0f08eab7690d2a6ee69"
 sha1 (hex): "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4"

The first hit on google for the MD5 hash presents you with the password, as does the first hit when searching for the SHA1 hash. Thus typical passwords can easily be detected as long as the hash is not salted.

Apart from that, even SHA-256 is a bad choice for passwords. These kinds of hash algorithms are designed to be fast, which only makes brute-forcing passwords easier. For more details about this topic see How secure are sha256 + salt hashes for password storage.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 4
    I think the last paragraph is really the most important. If the OP clearly states that SHA256 is being used for passwords. Better than nothing I suppose but scary nonetheless. – Boris the Spider Nov 30 '15 at 17:20
  • 1
    Security as a password hash is largely independent from security as a general hash (collision resistance is irrelevant for passwords, slowness is relevant). – Paŭlo Ebermann Nov 30 '15 at 21:09
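The three points of the answer above (an unsalted fast hash falls to a precomputed lookup, a salt only forces the attacker back to hashing each candidate, and only a deliberately slow construction such as PBKDF2 raises the per-guess cost) as an added worked example. This is not code from the answer or its author; the wordlist is constructed and stands in for the billions of entries behind the "first Google hit", and the PBKDF2 iteration count is an illustrative choice:

```python
import hashlib
import hmac
import time

# Constructed wordlist standing in for a public hash-lookup site or a cracker's
# dictionary; real ones are billions of entries, the mechanism is the same.
COMMON_PASSWORDS = ["123456", "password", "secret", "qwerty", "letmein"]


def build_lookup_table(algo, words=COMMON_PASSWORDS):
    """Precompute hash -> password for an unsalted fast hash (md5, sha1, sha256).
    Built once, reusable against every leaked unsalted hash of that algorithm."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def reverse_unsalted(hex_digest, algo, words=COMMON_PASSWORDS):
    """One dictionary lookup recovers the password: no hashing per target."""
    return build_lookup_table(algo, words).get(hex_digest)


def salted_hash(password, salt, algo="sha256"):
    """Salt prepended before hashing: same password, different salt, different hash,
    so a table built for one site (or for unsalted hashes) is useless here."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def crack_salted(hex_digest, salt, algo, words=COMMON_PASSWORDS):
    """With a salt every candidate must be re-hashed per target, but each
    candidate still costs only one fast hash, so dictionary/mask attacks stay cheap."""
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt, algo), hex_digest):
            return w
    return None


def pbkdf2_hash(password, salt, iterations=100_000):
    """Deliberately slow: PBKDF2-HMAC-SHA256 with a large iteration count
    (the count is illustrative; tune it to your hardware)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def guess_cost_ratio(iterations=100_000):
    """How many plain salted-SHA-256 guesses fit in the time of one PBKDF2 guess."""
    salt = bytes(16)  # a fixed salt is fine for a timing comparison only
    n = 2000
    t0 = time.perf_counter()
    for _ in range(n):
        salted_hash("secret", salt)
    fast = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    pbkdf2_hash("secret", salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    # The two digests from the answer: unsalted, so a single lookup reverses them.
    print(reverse_unsalted("5ebe2294ecd0e0f08eab7690d2a6ee69", "md5"))
    print(reverse_unsalted("e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4", "sha1"))
    salt = b"\x9f\x02\x11\x7a"
    target = salted_hash("secret", salt, "sha1")
    print(reverse_unsalted(target, "sha1"))          # None: table does not help
    print(crack_salted(target, salt, "sha1"))        # "secret": brute force still does
    print(f"one PBKDF2 guess ~ {guess_cost_ratio():.0f} plain hashes")
```

The ratio printed at the end is the whole argument for a slow password hash: a salt changes nothing about the cost per guess, and a GPU running a fast hash at billions of guesses per second walks an eight-character keyspace in hours, whereas each PBKDF2 guess costs tens of thousands of SHA-256 compressions.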
13

MD5, in particular, is now considered cracked for a very good reason:

The MD5 hash collision attack that hijacked the Windows Update system back in 2012 was replicated with just 65 US cents worth of cloud computing fees

It took about 10 hours of CPU time to do the attack. This particular attack used a chosen-prefix attack, which means you could format your data to prevent the attack from working, but the mere fact that this could be done declares that the security of your hashing is no longer found in the hashing algorithm, but in the data format you are hashing (which is a very poor place to put your security guarantees).

Cort Ammon
  • 9,216
  • 3
  • 26
  • 26
1

The flame malware used a forged Microsoft update signature that used MD5. The server in question had been neglected when it came to security updates and patches, and the creators of Flame (also known as sKyWIper) malware exploited this to pose their Command and Control servers as legitimate Microsoft update servers. It then infected computers with its modules, one of which was referenced as Flame in the source code, hence the name. The link to the report by the Crysys lab is here.

Ohnana
  • 4,727
  • 2
  • 24
  • 39
-1

SHA-1 absolutely has been successfully exploited in known attacks. Take a look at this excellent blog post on Whitehatsec's website exploiting the use of SHA-1 for URL signing requests https://blog.whitehatsec.com/hash-length-extension-attacks/.

As for password storage, I can speak from personal experience that it is trivial to crack SHA1 crypt linux hashes from LDAP/LDIF dumps using OCLHashcat. Current benchmarks of a single AMD 5970 gpu put bruteforcing nsldap ({SHA}) at 3418.0 M/s and nsldaps ({SSHA}) at 3401.1 M/s, which I've used to bruteforce hashes of 8 character passwords in hours using standard password masks.
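The hash length-extension attack the linked WhiteHat post describes, as an added worked example (not code from the answer, its author, or the linked post). It assumes a URL-signing scheme of the form tag = SHA1(secret || params), a server that accepts any request whose tag verifies, and an attacker who sees one signed request and can guess the secret's length by submitting forgeries until one is accepted; the secret and the parameter string are constructed. The SHA-1 implementation below is a plain textbook one whose only non-standard feature is that it can be resumed from a given internal state:

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_padding(total_len):
    """The Merkle-Damgard padding SHA-1 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1_raw(data, state=SHA1_IV, prior_len=0):
    """SHA-1 of data, resumed from `state` as if `prior_len` bytes (a multiple of 64)
    had already been absorbed. With the defaults this is ordinary SHA-1."""
    h0, h1, h2, h3, h4 = state
    msg = data + sha1_padding(prior_len + len(data))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h0, h1, h2, h3, h4
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h0, h1, h2, h3, h4 = ((h0 + a) & MASK, (h1 + b) & MASK, (h2 + c) & MASK,
                              (h3 + d) & MASK, (h4 + e) & MASK)
    return struct.pack(">5I", h0, h1, h2, h3, h4)


SERVER_SECRET = b"s3cr3t-url-key"  # constructed; the attacker never sees it


def sign_url(params, secret=SERVER_SECRET):
    """Vulnerable signer: tag = SHA1(secret || params). Output is the full
    internal state, so anyone holding the tag can keep hashing."""
    return hashlib.sha1(secret + params).hexdigest()


def verify_url(params, tag, secret=SERVER_SECRET):
    return hmac.compare_digest(sign_url(params, secret), tag)


def sign_url_hmac(params, secret=SERVER_SECRET):
    """The fix: HMAC-SHA1 hashes twice with the key, so the tag is not a resumable state."""
    return hmac.new(secret, params, hashlib.sha1).hexdigest()


def verify_url_hmac(params, tag, secret=SERVER_SECRET):
    return hmac.compare_digest(sign_url_hmac(params, secret), tag)


def forge(params, tag, secret_len, extension):
    """Attacker side: knows params, tag and a guess for secret_len, not the secret.
    Returns params' = params || glue-padding || extension and a valid tag for it."""
    state = struct.unpack(">5I", bytes.fromhex(tag))
    glue = sha1_padding(secret_len + len(params))
    forged_params = params + glue + extension
    forged_tag = sha1_raw(extension, state, secret_len + len(params) + len(glue)).hex()
    return forged_params, forged_tag


def forge_with_oracle(params, tag, extension, oracle, max_len=64):
    """Unknown secret length: try each candidate; the server's accept/reject is the oracle."""
    for n in range(1, max_len + 1):
        fp, ft = forge(params, tag, n, extension)
        if oracle(fp, ft):
            return n, fp, ft
    return None


def demo():
    params = b"user=bob&role=user"
    tag = sign_url(params)
    # Appending a duplicate parameter works because many query parsers let the
    # last occurrence win, and the glue bytes land in an ignored value.
    n, fp, _ = forge_with_oracle(params, tag, b"&role=admin", verify_url)
    hmac_tag = sign_url_hmac(params)
    hmac_forged = forge_with_oracle(params, hmac_tag, b"&role=admin", verify_url_hmac)
    return n, fp.endswith(b"&role=admin"), hmac_forged is None


if __name__ == "__main__":
    print(demo())  # (recovered secret length, forgery accepted, HMAC rejects it)
```

Note what the forgery does not need: no collision, no cracking, just SHA-1 behaving as specified. The glue padding has to be sent as literal bytes (percent-encoded in a real URL), which is why schemes that put the secret last, or use HMAC, are not affected.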