Quote:
Originally Posted by Renate
MD5 itself is not the most brilliant algorithm and it's probably possible to find clashes pretty easily. But the Linux password algorithm MD5Crypt uses 1000 rounds of it, both to hide weaknesses and to make it 1000 times harder to calculate a "rainbow table". Of course time has caught up with this and a million would be a better number.
|
Hash collisions are a problem for general use, but much less so for authentication systems. For example, hardly anyone is going to care if a 10-character password collides with a 100K word novel in their auth system (except for the admin who has to clean up after someone pastes an entire novel into the password field and their system chokes).
And certainly, MD5Crypt has its weaknesses but so did 3DES which it replaced. And so, as expected, MD5Crypt is supplemented or entirely supplanted by stronger algorithms including Blowfish, SHA-256 and SHA-512. These in turn will be supplemented or supplanted by newer algorithms as time and tech progress.
And then the rise in use of multi-step verification (those authenticator apps, often mistakenly called multi-factor authentication). These don't fix the problems with passwords but they do make it more difficult for attackers to compromise. Though this in turn has lead to a rise in MFA/MSV fatigue attacks where an attacker spams the system until the victim hits "yes" or whatever on their app to get it to stop.
TOTP/HOTP apps are not multi-factor. A factor is a unique thing, commonly "something you know" such as your ATM PIN and "something you have" such as your ATM debit card. You cannot access your account without having both factors in your possession. These apps seem like something you have: your phone. But really, they're a variant of something you know since the seeds for these are entirely independent of the device -- they're information rather than the device itself. While multi-step is marginally weaker than multi-factor, it's still a big step up from plain login/password auth.