What is an insecure hash?
Well, what is a hash? Hashing refers to taking some input value, usually a password, and then producing a fixed length "fingerprint" from it. Unlike encryption where the original message can be retrieved, there is no (algorithmic) way of reversing a hash back to its original value.
An insecure hash vulnerability is a failure related to cryptography. Cryptography being the way we encrypt or hash data. By having an insecure hash there is a high chance that your data will be exposed. Something we don’t want as a business or as a customer!
As computing power is steadily increasing, hashes might get weak to brute force attacks. Let’s face it, computers are fast and there is a real possibility of an attacker using a tool to try different passwords until the right one opens up the vault to all our secrets! Hashes can also be insecure due to rainbow tables or hash collisions.
We should be aware of what hash algorithms are good to use and which ones are no longer perceived as secure. Insecure hash isn’t an attack but is a symptom of a larger attack. Many legacy systems still use MD5 as a hash function to store passwords. In this lesson, we’ll see why that is a bad practice.
About this lesson
During this lesson, we will learn what an insecure hash is and why exactly it is considered insecure. We’ll look at how an attacker can use a hash lookup table against our hashes to discover sensitive data. After that, we’ll learn how to create a secure hash and fix our vulnerability.
FUN FACT
MD5 hash algorithm
The MD5 hash algorithm was developed in 1991 and released in 1992. Only a year later, researchers were already finding flaws! However, it continued to be used and adopted by developers around the world. In 2005, it was officially deemed unsuitable, yet, in 2019, it was estimated that 25% of content management systems still use MD5!