Score:1

Is it possible to exploit MD5 weaknesses to create an artificial collision for a password?


If it is possible, could an attacker create a collision for an MD5 password in a database? Could they look at an MD5 hash output and figure out data that creates the same MD5 hash?

Ievgeni avatar
What do you mean by clash? Do you mean collision?
Practixal avatar
Yes. I have heard clashing and collision but I wasn't sure which one to use.
Ievgeni avatar
I suggest you read the definitions of one-wayness, second-preimage resistance, and collision resistance, and then clarify your question, because it's not clear to me what you want to do.
Ievgeni avatar
I think that the keyword is "second-preimage resistance", and neither collision nor preimage resistance.
jp flag
A way to "look at an MD5 hash output and figure out data that creates the same MD5 hash" would be a first-preimage attack. A first-preimage attack can easily be converted into a collision attack (or a second-preimage attack), but the reverse is not true: a collision attack cannot (generally) be converted into either type of preimage attack.
Score:2

Generally no. To create a collision you should have control over the input of both calculations. To be precise, messages should be identical but for 128 bytes at a 64 byte boundary. The fact that most passwords are pretty short and do not consist of binary data is obviously not going to be of any help.

Even if the password is salted it won't give an adversary much grip; usually the salt is controlled by the service, and if it wasn't then it would still be tricky if not impossible to create a collision.

Finding a message for an existing hash requires a break in the pre-image resistance property. MD5 still has a high - but not perfect - pre-image resistance. The best attack on pre-image resistance takes more than $2^{123}$ operations. So that is entirely out of the question (and you'd find the original password, not another password in all likelihood).

Guessing the password is also possible of course, but that won't create a separate password with the same hash. There are multiple ways of speeding up the guesswork, e.g. using rainbow tables, but that's a separate topic.

fgrieu avatar
Finding a message for an existing hash requires a break in the (first) pre-image resistance property, _or guessing the message_.
forest avatar
Just because a password contains plain text and not binary data doesn't mean it's much harder to find a collision for. Of course, OP needs a preimage attack, not a collision attack...
kelalaka avatar
Note that the [memory complexity of the attack](https://link.springer.com/chapter/10.1007%2F978-3-642-01001-9_8) makes it worse than a direct brute-force attack for MD5.
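
The gap between a collision search and a (second-)preimage search that the answer and comments above describe, as an added example that is not part of the original thread. It truncates MD5 to 16 bits so both generic searches finish quickly; the truncation, the `pw-N` candidate inputs and the sample stored password are constructed assumptions, and the counts show generic birthday versus brute-force cost, not the structural MD5 collision attacks.

```python
import hashlib
from itertools import count


def h(msg: bytes, bits: int) -> int:
    """MD5 truncated to its top `bits` bits (toy hash, far weaker than MD5)."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)


def candidate(i: int) -> bytes:
    # Constructed printable inputs, standing in for candidate passwords.
    return b"pw-%d" % i


def find_collision(bits: int):
    """The searcher chooses BOTH inputs: any two equal digests will do.
    Birthday bound: about 2**(bits/2) hash evaluations."""
    seen = {}
    for i in count():
        m = candidate(i)
        d = h(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m


def find_second_preimage(stored: int, bits: int, known: bytes):
    """The searcher must hit ONE fixed digest, e.g. a database entry.
    Generic cost: about 2**bits hash evaluations."""
    for i in count():
        m = candidate(i)
        if m != known and h(m, bits) == stored:
            return m, i + 1


if __name__ == "__main__":
    BITS = 16
    a, b, n_col = find_collision(BITS)
    print(f"collision       {a!r} / {b!r} after {n_col} hashes")

    victim = b"correct horse"          # constructed sample password
    stored = h(victim, BITS)           # what the database would hold
    m, n_pre = find_second_preimage(stored, BITS, victim)
    print(f"second preimage {m!r} after {n_pre} hashes")
    # At 128 bits the same two exponents are 2**64 versus 2**128.
```

A collision found this way gives no help against a stored hash, because neither colliding input was chosen to match the database value.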