> MD5, SHA-1, SHA-256, SHA-512, et al, are not "password hashes." By all means use them for message authentication and integrity checking, but not for password authentication.
Bullshit. MD5 is just fine, as long as you use the salt.
Here, hack this:
MD5(password + salt) = "b520542710812f347432232b2a1fba83"
salt = "MD5 rules"
It will explain why "salts are useless for preventing dictionary attacks or brute force attacks."
The entire article is excellent - and every colleague who I've ever pointed at it, has come away nodding their head and seeing the light.
The key-takeway (but please, read the entire article) is:
"It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database."
Salts only help you from precomputed dictionary attacks ("Rainbow Tables") - but, if someone is brute forcing you, the value of a salt just disappeared.
So here is a question that I've asked and received no good answer. Why size of the salt doesn't matter? Wouldn't salt be used in every hash computation? Wouldn't large (megabytes) salt slow down this computation and require more memory to perform it? I'm not advocating the use of large salt as opposed to specialized functions, I'm just curious as to why it doesn't work. The article doesn't explain that.
It's not that the size doesn't matter; it's just that it's not as significant. It becomes very, very hard to compute rainbow tables after just a few random bytes. No matter how long the salt is, it doesn't do anything to prevent somebody from trying to guess the original input for a given digest using a brute force approach, though. So usually the salt has less than e.g. 256 bits of entropy just because it takes up less space.
Sure, a very large salt might slow down the first iteration a little (but not necessarily subsequent ones, and it wouldn't require more memory, at least with most hash functions), so you're almost always better off just stretching the key--then you save the storage costs too.
MD5 is not fine. MD5 is very very fast[1] and as such it's possible to simply brute force password given relatively modest computing resources. The space of passwords just isn't that big.
Use bcrypt or scrypt. Don't make up your own crypto.
MD5 is 'fine' for very long passwords. How many of your users have very long passwords? MD5 does nothing to make it hard to blaze through billions of possibilities.
Bullshit. MD5 is just fine, as long as you use the salt.
Here, hack this: