0

Are passwords that are longer than 128 bits useless if they get hashed/transmitted with MD5?

MD5 always uses 128 bits, thus someone would rather try to bruteforce the MD5-hash than the password itself or a password longer than 128 bits would create collisions that create the same MD5 of a password shorter than 128 bits.

Am I missing something?

Peter Mortensen
Swizzler
  • 1
    What does a 128bit password look like? Are there collisions if you take an MD5 hash of 1MB files? – schroeder Jan 20 '18 at 21:35
  • I think 128-bit-long passwords have much less entropy - passwordpassword has a length of 128 bits in UTF-8 but it is probably at the beginning of a dictionary. Since you usually need to limit yourself to a subset of ASCII, you probably get at most 6 bits or so of entropy per octet (64 characters), giving you at most 96 bits of entropy in a 16-character password. – Maciej Piechotka Jan 21 '18 at 04:54
  • *a password longer than 128 bits would create collisions that create the same MD5 of a password shorter than 128 bits* I'm pretty sure there are plenty of pairs of passwords <128bits that still create collisions. You do not need a longer password to create a collision. In order to achieve that, MD5 should have the property that MD5 on a password <= 128 bit always yields a different hash, which means that MD5 would be a reversible function if restricted to that set of passwords. I don't think that this is the case. – Bakuriu Jan 21 '18 at 07:16

1 Answer

7

First, using a simple MD5 hash to protect a password is a bad idea from the start. See How to securely hash passwords? for details.

Apart from that, you assume that a 128-bit password would have the same strength as the 128-bit MD5. This implicitly assumes that the 128 bits of the password are chosen randomly. This is usually not the case, i.e. passwords are commonly chosen to be memorable and memorizing 32-byte random data (or about 42 ASCII characters when encoded with base64) is not easily done.

By asking if passwords longer than 128 bits are useless since MD5 is only 128-bit you also assume that there is a 1:1 mapping between a 128-bit input and its 128-bit MD5 hash. I don't think that this is a property of MD5, i.e. you would need in some cases (slightly) more than 128-bit input to generate a specific MD5 value.

But assuming that the password was actually 128 bit randomly chosen data, that the attacker has no access to the password but to the MD5 hash of it and that this MD5 hash is then used to validate the password - in this case the attacker would need to do a pre-image attack, i.e. find an input which matches the existing hash value. It turns out that this is actually slightly less complex than brute-forcing all possible passwords. According to Pre-image attack on MD5 hash from crypto.se the complexity to find a preimage is about 2^123 which is slightly less complex than brute forcing everything (2^128 for a full search, i.e. 2^127 on average) but still not easily doable.

Steffen Ullrich
  • 1
    I would suspect it is implementation dependent - you can make md5 hashes of files of 128 million bits, why would the same not apply to passwords unless the implementation forces that? – rackandboneman Jan 21 '18 at 01:34
  • @rackandboneman: I don't understand your comment and which parts of the answer it relates to. – Steffen Ullrich Jan 21 '18 at 05:14
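
A scaled-down illustration of the 1:1-mapping point raised in the answer and in Bakuriu's comment, added here and not part of the original thread: it hashes every 16-bit input, keeps 16 bits of the MD5 output, and counts how many output values are reached. It assumes that MD5 truncated to 16 bits is a fair stand-in for the full 128-bit function (which cannot be enumerated); the function names are illustrative. The last helper computes the entropy upper bound from Maciej Piechotka's comment.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data) as an integer (scaled-down stand-in, an assumption)."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def image_stats(bits: int) -> dict:
    """Hash every `bits`-bit input and count how the `bits`-bit outputs are used."""
    n = 1 << bits
    nbytes = (bits + 7) // 8
    hits = [0] * n
    for x in range(n):
        hits[truncated_md5(x.to_bytes(nbytes, "big"), bits)] += 1
    reached = sum(1 for h in hits if h)
    return {
        "inputs": n,
        "outputs_reached": reached,
        # Outputs no same-size input maps to: a longer input is needed to hit them.
        "outputs_unreached": n - reached,
        # Inputs that share their output with at least one other same-size input.
        "inputs_in_collisions": sum(h for h in hits if h > 1),
        "fraction_reached": reached / n,
    }


def max_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on password entropy: every character chosen uniformly at random."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    stats = image_stats(16)
    for key, value in stats.items():
        print(f"{key}: {value}")
    # A random function from n values to n values is expected to reach about
    # 1 - 1/e of its outputs, so it is neither injective nor surjective.
    print("random-function expectation:", round(1 - 1 / math.e, 4))
    # 16 characters from a 64-symbol alphabet, as in the comment on the question.
    print("16 chars, 64-symbol alphabet:", max_entropy_bits(16, 64), "bits")
```

In this model roughly a third of the output values have no same-length preimage and most inputs collide with another input of the same length, which is the behaviour the answer and the comment expect from MD5 at full size.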