Passwords stored as MD5 hashes are usually represented as 32-character hexadecimal numbers. Modern GPU-based computing power and known weaknesses in the algorithm mean that MD5 is no longer a secure password storage function.

An MD5 hash of the string "password": 5f4dcc3b5aa765d61d8327deb882cf99

Enter a hash below to have it compared against hashes from the rockyou.txt password list. These hashes are computed so rapidly that we guess millions of potential passwords within a few seconds.

More about MD5 Hashes

The MD5 hash can be used to validate the content of a string; for this reason it was often used for storing password strings. It is also commonly used to validate the integrity of a file: a hash is generated from the file, and two identical files will have the same hash.

Hashing functions such as MD5, SHA-1 and even SHA-256 / SHA-512 should never be used to store passwords, as the original password is relatively easy to find using brute force or word list based attacks with modern GPUs.

Many people think that the fact the message digest algorithm is non-reversible makes it good for storing passwords. However, the function is so fast that brute forcing the original string is quite possible and in many respects easy. With a modern gaming GPU it is possible to attempt billions of possible strings per second for an MD5 generated hash. That is a lot, and when combined with large password lists, users of the system will be having a bad day. Brute forcing is simply generating hashes from known strings to try to find a matching hash.
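As an added example (not code from this page or its lookup tool), the Python sketch below contrasts unsalted MD5 with a salted, deliberately slow hash and measures the cost gap per guess. PBKDF2-HMAC-SHA256, the 600,000-iteration work factor and the `salt$iterations$hash` record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same input always yields the same 32-hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str) -> str:
    """Return a 'salt$iterations$hash' record using a random per-user salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    salt_hex, iterations, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def cost_ratio(samples: int = 100_000) -> float:
    """Number of MD5 computations that fit in the time of one slow-hash check."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.md5(b"candidate%d" % i).digest()
    md5_each = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", b"\x00" * 16, ITERATIONS)
    return (time.perf_counter() - start) / md5_each


if __name__ == "__main__":
    print(md5_hex("password"))  # matches the digest quoted earlier on the page
    a, b = store_password("password"), store_password("password")
    # Same password, different records: a precomputed hash list no longer matches.
    print(a != b, verify_password("password", a), verify_password("letmein", a))
    print(f"one PBKDF2 check costs about {cost_ratio():,.0f} MD5 computations")
```

Because each record carries its own salt and iteration count, the work factor can be raised later and old records re-hashed at the user's next successful login.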

MD5 has for the most part had its day and is no longer a cryptographically secure function, as there are a number of attacks possible against it.

In this chart you can see the relative strength of the different simple hash functions that many people employ in web applications.

The Hashcat benchmark was generated using an Intel i5 4950 processor with 4 cores. The cudaHashcat results were generated using my old NVIDIA GeForce GTX 560 graphics card.

Beyond the straight comparison attacks against MD5 mentioned above, cryptographic weaknesses in the algorithm have been known since 1996. In 2008, these were proven when a group of researchers revealed practical attacks that allowed the generation of SSL certificates that appeared to be legitimate.