
MD5 password = End of life

Discussion in 'Off Topic' started by Adam Howard, Jun 8, 2012.

  1. Adam Howard

    Adam Howard Well-Known Member

  2. Slavik

    Slavik XenForo Moderator Staff Member

    XenForo uses SHA.

    MD5 has been defunct for years and as each generation of graphics card is released becomes even more so.

    I've heard recent rumors of someone benching 4 cards crunching 100 BILLION MD5 passwords a second.

    In layman's terms, that means an 11 character MD5 password with 3 upper case, 4 lowercase, 2 numbers and 2 special characters can be brute-force cracked in under 2 hours.
  3. Adam Howard

    Adam Howard Well-Known Member

    What level? :cautious:
  4. Onimua

    Onimua Well-Known Member

    Jake explains it here.
  5. BlackJacket

    BlackJacket Well-Known Member

  6. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    SHA256 is the default. It only uses SHA1 if SHA256 isn't available.
  7. Robbo

    Robbo Well-Known Member

    MD5 and many of the current password hashing techniques have been insecure for a long time. Salts also only protect against rainbow tables which are rendered pointless due to current GPU processing power.

    If someone got your hash and your password wasn't long and cryptic and they knew what you were doing then they would be able to crack it fairly fast.
  8. Lost

    Lost Well-Known Member

    Unsecure hashes are only a problem if an unauthorized person obtains access to the database. :whistle:
  9. Robbo

    Robbo Well-Known Member

    Exactly. But no one should rely on a hash being a last line of defence anymore. It is simply an inconvenience. Unless you use a new hashing method which for now can be safe.
    XenForo hashing is also unsecure.

  10. Forsaken

    Forsaken Well-Known Member

    Which isn't as difficult as people think.
  11. Lost

    Lost Well-Known Member

    But isn't as easy as some people try to make you think either...
  12. Naatan

    Naatan Well-Known Member

    To be clear, they will be able to calculate a string that hashes to the same value as your password. It's unlikely that they will crack your actual password, and impossible if a salt was used.

    Anything can be brute-forced over time; these days it's more important simply to ensure they won't be able to crack your actual password, because obviously the hacker already had access to the database so they have absolutely no use whatsoever for brute-forcing a string that matches the same hash as your actual password (for that particular site).
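
Added example, not part of any post in this thread and not XenForo's code: the thread's two points (a salt only defeats precomputed tables, and a fast hash is cheap to guess against) are why legacy MD5 records are usually upgraded at login to a salted, iterated hash. PBKDF2-HMAC-SHA256, the `scheme$...` record format, the iteration count and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)  # unique per record: defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a legacy 'md5$<hex>' or a PBKDF2 record."""
    scheme, _, rest = stored.partition("$")
    try:
        if scheme == "md5":  # legacy, unsalted, one fast hash per guess
            candidate = hashlib.md5(password.encode()).hexdigest()
            return hmac.compare_digest(candidate, rest)
        if scheme == "pbkdf2_sha256":
            iterations, salt_hex, digest_hex = rest.split("$")
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
            )
            # Constant-time comparison avoids leaking how many bytes matched.
            return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        pass  # malformed record
    return False  # unknown scheme or bad record: fail closed


def needs_rehash(stored: str) -> bool:
    """True for any record weaker than the current scheme and work factor."""
    scheme, _, rest = stored.partition("$")
    iterations = rest.split("$")[0]
    if scheme != "pbkdf2_sha256" or not iterations.isdigit():
        return True
    return int(iterations) < PBKDF2_ITERATIONS


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify, then return an upgraded record if the stored one is weak."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)  # plaintext is only known at login
    return True, stored
```

The caller writes the returned record back to the database; accounts that never log in again keep their MD5 record until they are forced through a password reset.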