Link to home
Start Free TrialLog in
Avatar of Precision
PrecisionFlag for United States of America

asked on

What is a hashed password and/or MD5?

Apparently, Yahoo was hacked and I received a data breach notification to my yahoo account saying:
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

What is a "hashed password"? What is MD5?
ASKER CERTIFIED SOLUTION
Avatar of Paul MacDonald
Paul MacDonald
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Just a minor addition....   the key to the hashing is that it is not easily reversed (with such exceptions as paulmacd mentioned).  That's contrary to what we usually see in math.  For example, if I just multiplied a number by some specific number, you could easily get back to the original number by dividing by the specific number.  Not very secure!

With hashing, reversal generally isn't practical.  You will typically find that if you've lost your password, systems can't find it for you; they can just let you create a new one.  This is because they don't HAVE your password, just the hash.
Avatar of btan
btan

Hashed password - in general means password is not in its plain text format. It is obscured such that attempt to reverse the hashed password is non trivial. However brute force to attempt finding the original password may still be possible..typically there should be account lockout to prevent multiple attempts.

MD5 - it is one of the hashing algorithm. It is represented normally in a string making up of 16 HEX decimal ('A' to 'F or '1' to '9') characters. A caution on this algorithm us that it is weak and have been proven brute force is possible.

The more secure mean of storage should mentioned Salted hash and using SHA 2 algorithm. They are a stronger scheme to protect password and add more deterrences to brute force attack.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Another nice link with the explanation and more
MD5

Originally designed as a cryptographic hashing algorithm, first published in 1992, MD5 has been shown to have extensive weaknesses, which make it relatively easy to break.

Its 128-bit hash values, which are quite easy to produce, are more commonly used for file verification to make sure that a downloaded file has not been tampered with. It should not be used to secure passwords.

But what about the passwords?
If a password is properly hashed using SHA-2 or newer, and is salted, then to break a password requires a brute-force attack.

The longer the password, the longer the brute-force attack is going to last. And the longer the brute-force attack required, the more time-consuming and expensive it is to match the hash and discover the password.

Which means the longer the password the better, but the configuration of the password also makes a difference. A truly random eight-character password will be more secure than a eight-letter dictionary word, because brute-force attacks use dictionaries, names and other lists of words as fodder.
https://www.theguardian.com/technology/2016/dec/15/passwords-hacking-hashing-salting-sha-2