[clug] MD5 of an MD5 checksum

Ian McCulloch ianmcc at lorentz.leidenuniv.nl
Fri Mar 12 13:34:47 GMT 2004


On Sat, 13 Mar 2004, Jepri wrote:

> Hi Leigh!
> Leigh Makewell wrote:
> >   Or more specifically they generate a random 3 character salt and 
> > then do an md5(md5(password)+salt)
> >
> > As far as I can tell this is in no way more secure than just doing an 
> > md5 of the password, and I have a nagging feeling that it's actually 
> > less secure (although maybe the random salt overcomes that problem)
> It is slightly more secure, in the same way that choosing your password 
> to be 'Leigh1234' is slightly more secure than choosing 'Leigh' as your 
> password.
> You are probably remembering a monograph by Bruce Schneir on why not to 
> trust amateur crypto implementations because doing things like repeating 
> a cipher can weaken it.   I can't find a link right now.  How annoying, 
> I've read it about ten times...
> In this case you should be OK, because MD5 is a hash (a one way 
> function), and not a cipher (a reversable algorithm).

That is correct, applying a cryptographic hash twice should never weaken 
it (if it did, then the secret police could just apply it again themselves 
to assist in breaking your keys).  OTOH, if the hash is any good, then it 
won't strengthen it either.

> >
> > Can anyone think of any reason to do it this way? (Apart from 
> > completely making their system incompatible with anything else)
> MD5 should be secure enough on its own.  I base this suggestion on the 
> observation that a number of knowledgable and paranoid people use it.

Hashing a second time with a random salt looks like an attempt to thwart 
dictionary attacks.  ie, precomputed MD5 hashes of a (very) large table 
of possible passwords.  Apparantly you can use a similar scheme to break 
NT passwords in a few seconds/minutes ;-)


More information about the linux mailing list