Been wondering about something and can't figure out if I am a retard or a genius 😂.

If MD5 is so outdated and should not be used to store password hashes (let's say for whatever reason you cannot effectively switch to another algorithm) wouldn't it just be easier and more secure to just re-encrypt the hash again, so just MD5 the MD5 hash... in theory, wouldn't that make the hash virtually uncrackable because instead of trying to brute force actual real words, you now have a hash of essentially random characters which have no relation to the others, and even then, suppose you manage to crack the hash, you will get another hash to crack before getting to the password?

  • 5
    I'd say retarded.
    Applying MD5 reduces your input from a string of arbitrary length and with a limited character set,
    To a fixed size byte-array with all 256 ANSI characters.
    Furthermore, since MD5 is collision prone, certain byte sequences would probably appear more often then others, so that would reduce the input-set even further.
  • 1
  • 3
    Generally, you can ask yourself, "if it were that easy or obvious in a well known problem domain, wouldn't others have tried it already?" Usually the answer is yes, there's not many trivial Nobel prize lying around.

    Just flag the old hash passwords with an extra column denoting legacy, reencrypt them with Argon2 and update your password decrypter. When the user logs in successfully, reencrypt the raw password with Argon2 and remove the legacy flag. Takes less time than trying to solve an X prize problem.
  • 0
    @SortOfTested oh no don't get me wrong, this wasn't a "holy shit I am smarter than everyone" kind of thought, it's essentially more of a question as to why not and what are the issues with that

    my knowledge of encryption is minimal and I know for sure I'd never come up with something smarter than what's out there
  • 2
    In addition to the other reasons already posted here, MD5 is also a very fast algorithm, which is terrible for security due to the sheer number of guesses you can try each second.

    This plus the aforementioned collision issue means an attacker would be able to break your passwords quite quickly -- especially if they're unsalted. I'd estimate maybe a couple of days to crack the entire DB's worth on a nice 2080; less if you know the length and character ranges.
Add Comment