Passwords stored as an MD5 hash are usually represented as a 32-character hexadecimal number. Modern GPU-based computing power and known weaknesses make MD5 a password storage function that is no longer secure.
Enter a hash below to have it compared against hashes from the rockyou.txt password list. These hashes are computed so rapidly that we guess millions of potential passwords within a few seconds.
More about MD5 Hashes
The MD5 hash can be used to validate the content of a string; for this reason it was often used for storing password strings. It is also commonly used to validate the integrity of a file, as a hash is generated from the file and two identical files will have the same hash.
Many people think that because the message digest algorithm is non-reversible, it is good for storing passwords. However, the function is so fast that brute forcing the original string is quite possible and in many respects easy. With a modern gaming GPU it is possible to attempt billions of possible strings per second for an MD5 generated hash. That is a lot, and when combined with large password lists, users of the system will be having a bad day. Brute forcing is simply generating hashes from known strings to try to find a matching hash.
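The comparison described above, as an added example (not code from this page or its lookup tool): an audit of a legacy table of unsalted MD5 password hashes against a wordlist, beside a salted PBKDF2 replacement. The five-word list, the user names, the function names and the 600,000 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "princess", "rockyou"]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def md5_store(password: str) -> str:
    """Legacy scheme: unsalted MD5, stored as 32 hexadecimal characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_md5(stored: dict[str, str], wordlist=WORDLIST) -> dict[str, str]:
    """Return {user: password} for every stored MD5 hash found in the wordlist."""
    # No salt means one hash per word is checked against every account at once.
    table = {md5_store(word): word for word in wordlist}
    return {u: table[h.lower()] for u, h in stored.items() if h.lower() in table}


def pbkdf2_store(password: str) -> tuple[bytes, bytes]:
    """Replacement scheme: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed accounts: two wordlist passwords and one unlisted passphrase.
    legacy = {"alice": md5_store("password"), "bob": md5_store("iloveyou"),
              "carol": md5_store("T7#vq-long-unlisted-passphrase")}
    print("accounts flagged in MD5 table:", audit_md5(legacy))
    s1, d1 = pbkdf2_store("password")
    s2, d2 = pbkdf2_store("password")
    print("same password, same PBKDF2 digest?", d1 == d2)
```

With MD5, every account sharing a password shares a hash, so one precomputed table covers the whole user base; with a per-user salt and a slow KDF, each guess must be recomputed per account at roughly 600,000 times the cost.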
MD5 has for the most part had its day and is no longer a cryptographically secure function, as there are a number of attacks possible against it.
In this chart you can see the relative strength of the different simple hash functions that many people employ in web applications.
The Hashcat benchmark was generated using an Intel i5 4950 processor with 4 cores. The cudaHashcat results were generated using my old NVIDIA GeForce GTX 560 graphics card.
Other than the straight comparison attacks against MD5 mentioned above, there have been known cryptographic weaknesses in the algorithm since 1996. In 2008, these were proven when a group of researchers revealed practical attacks that allowed the generation of SSL certificates that appeared to be legitimate.