In addition to its common use for generating hashes used to verify the integrity of a downloaded file, the MD5 algorithm is also used widely for password authentication systems. It became the most common Unix password hash algorithm in the 1990s, in fact, and many Unix-like systems still default to MD5 for generating password hashes for purposes of backward compatibility.
Unfortunately, MD5 is not a good password hash algorithm. The first major MD5 weakness was discovered as long ago as 1996. Since then, cryptographers have generally recommended the use of other algorithms, such as SHA-1 and Blowfish.
The problem with the MD5 hash algorithm is that it suffers from a collision weakness. This means that someone could generate two separate inputs that both produce the same hash output from the MD5 algorithm. There are some significant negative security implications for this. For instance, someone could create two files that produce the same cryptographic hash, one of which appears to be innocuous and the other of which matches the hash of the first but in some way defrauds or attacks someone who expects the innocuous message and uses the hash to verify it.
Because downloading software involves an implicit trust in the provider of the software in the first place, the potential for abuse in file verification hashes is very slim. Because you do not get to choose the inputs that will match a given hash, you cannot simply generate two versions of a program -- one that is benign and one that is malign -- and use that to slip malware past someone's defenses while providing an MD5 hash for verification that both software files match.
In authentication systems, on the other hand, a password's only function is to produce a given hash, and circumventing the authentication system does not require tricking a human being into believing that a second input to a given hash is the same as the first. The security implications of a hash algorithm's collision weakness can therefore be far greater than in the case of verifying a file download. For instance, offline brute force attacks against password authentication systems in many cases generate candidate passwords and compare their hashes to a local copy of the password's hash. When a candidate that authenticates successfully is found, it can be used to authenticate on the target system. Because more than one password may work for the same MD5 hash, such a brute force attack can be much faster and easier.
The solution to this problem, of course, is to use a cryptographic algorithm that does not have this sort of collision problem. As I already mentioned, SHA-1 was recommended as a better choice than MD5 for many years. Unfortunately, as of 2005, SHA-1 also appears to suffer from a collision weakness.
Most modern Unix-like systems offer means of implementing the password authentication system with one of several hashing functions as its basis. Not only is the system designed to give a choice of algorithms, but it also provides a means of extending the capabilities of the system to incorporate still more choices as technologies evolve. This modularity of the password authentication system on such Unix-like OSes is an important advantage for those who need secure systems, because it allows us to alter the default behavior of the system as needed to keep up with the changing threat landscape of our increasingly networked world. As old cryptographic algorithms become obsolete or are discovered to have cryptanalysis weaknesses, newer and stronger algorithms can be substituted for them to ensure continued system security without requiring sometimes costly migrations to newer system architectures.
Most modern Unix-like systems still default to MD5, but for instance both FreeBSD and Debian GNU/Linux allow you to easily choose from among MD5, DES, and Blowfish. Blowfish, a symmetric block cipher created by Bruce Schneier in 1993, is generally believed to be the strongest of the three, and should be your cryptographic algorithm of choice for authentication on most Unix-like systems at this time. In fact, Blowfish was created as a replacement for DES, and there are no known cryptanalysis weaknesses in the Blowfish cipher.
It is incredibly easy to change your password authentication system's cryptographic function from the default MD5 to Blowfish on FreeBSD:
- First, edit the file /etc/login.conf so that the line reading :passwd_format=md5:\ now reads :passwd_format=blf:\ instead.
- Next, rebuild the login database with the command
> cap_mkdb /etc/login.conf
- Finally, edit the file /etc/auth so the line crypt_default = md5 now reads crypt_default = blf. Make sure the line is not commented out after editing it, by deleting the # at the beginning of the line.
Once you have done that, you should change your passwords. The new passwords will be stored using the Blowfish cipher, rather than the MD5 algorithm. Until you use the passwd command to change your passwords, all the old passwords will still use the MD5 hash.
On Debian GNU/Linux, switching from the default MD5 algorithm to Blowfish is slightly more work, but still not terribly difficult to accomplish:
- First, install the libpam-unix2 module. That can be done simply via APT, Debian's software management system, using the command
# apt-get install libpam-unix2
- Next, edit /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session, and /etc/pam.d/common-password so that in each file you replace pam_unix.so with pam_unix2.so.
- Finally, while you are editing the common-password file, change the term md5 so that it reads blowfish instead.
For each of these files, make sure you remove comment characters (again, the # sign) from the beginnings of lines that you have edited. Just as with FreeBSD, you will still be using your old passwords with MD5 hashes until you use the passwd command to change your passwords, at which point the new passwords will use the Blowfish cipher instead.
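Both the FreeBSD and the Debian procedures above leave every existing account on its old MD5 hash until that account's password is changed, so an administrator needs a way to see which accounts have actually moved to Blowfish. The audit script below is an added example, not code from the original article; it assumes the standard crypt(3) prefix conventions ($1$ for MD5, $2a$/$2b$/$2y$ for Blowfish/bcrypt, $5$ and $6$ for SHA-crypt, a 13-character field with no $ for traditional DES) and reads a shadow-format file such as /etc/shadow on Debian or /etc/master.passwd on FreeBSD, whose first two fields are the user name and the stored hash.

```shell
#!/bin/sh
# Added example (not from the article): report which crypt(3) scheme each
# account's stored password uses, so accounts still on MD5 can be found.
# Assumed prefix conventions: "$1$" MD5, "$2a$"/"$2b$"/"$2y$" Blowfish (bcrypt),
# "$5$" SHA-256 crypt, "$6$" SHA-512 crypt, 13 chars with no "$" traditional DES.

# Classify a single password-hash field.
hash_scheme() {
    case "$1" in
        '$1$'*)                    echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo blowfish ;;
        '$5$'*)                    echo sha256 ;;
        '$6$'*)                    echo sha512 ;;
        ''|'*'|'!'*)               echo locked ;;   # no password, or disabled
        *)  if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Read a shadow-format file (user:hash:...) on stdin, print "user scheme".
audit_file() {
    while IFS=: read -r user hash rest; do
        echo "$user $(hash_scheme "$hash")"
    done
}

# Count how many accounts on stdin are still stored with MD5.
count_md5() {
    audit_file | awk '$2 == "md5" { n++ } END { print n + 0 }'
}

# Constructed sample file; the hash bodies are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$1$saltsalt$PLACEHOLDERMD5HASHxxxxx:17000:0:99999:7:::
bob:$2a$08$PLACEHOLDERBLOWFISHHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxx:17000:0:99999:7:::
carol:AbCdEfGhIjKlM:17000:0:99999:7:::
root:*:17000:0:99999:7:::
EOF
}

# Run on the sample; on a live system use e.g. `audit_file < /etc/shadow`
# (Debian) or `audit_file < /etc/master.passwd` (FreeBSD), as root.
sample_shadow | audit_file
echo "accounts still on MD5: $(sample_shadow | count_md5)"
```

Re-run the audit after each round of password changes; the count only reaches zero once every user has run passwd under the new crypt_default or pam_unix2 setting.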
The same can be done with other OSes such as Fedora Core Linux, though of course the procedure varies between operating systems. OpenBSD defaults to Blowfish rather than MD5.
One of the benefits of free/open source Unix-like systems is their flexibility -- the ability of the user to configure them to suit individual needs. This means that, as the state of the art in cryptographic hash generation advances, you will probably some day be upgrading from Blowfish to yet another algorithm such as Twofish (its successor) or AES.
Cryptography is a constant arms race, in which malicious security crackers are always trying to come up with new ways to subvert the effectiveness of cryptographic algorithms while the "good guys" are always trying to find the weaknesses first to fix them, and trying to come up with new, even stronger algorithms. It is unlikely that a truly invulnerable cryptographic algorithm will ever be developed; the best we can hope for is an algorithm that is so difficult to crack with current technology that nobody will crack it for as long as we use it.
Because MD5 and SHA-1 both have significant weaknesses, and DES is vulnerable to brute force attacks thanks to its 56-bit key, they should be avoided for password authentication systems. Because Blowfish is so widely available for use in password authentication systems, and has no known cryptanalysis weaknesses, it is in your best interest to make sure your Linux and BSD Unix systems employ the Blowfish cipher to secure password authentication.