Check out the new USENIX Web site. next up previous
Next: Attacks and Vulnerabilities Up: Comparison Previous: Traditional crypt

MD5 crypt

MD5 crypt was written by Poul-Henning Kamp for FreeBSD. The main reason for using MD5 was to avoid problems with American export prohibitions on cryptographic products, and to allow for a longer password length than the 8 characters used by DES crypt. The password length is restricted only by MD5's maximum message size of 264 bits. The salt can vary from 12 to 48 bits.

MD5 crypt hashes the password and salt in a number of different combinations to slow down the evaluation speed. Some steps in the algorithm make it doubtful that the scheme was designed from a cryptographic point of view--for instance, the binary representation of the password length at some point determines which data is hashed, for every zero bit the first byte of the password and for every set bit the first byte of a previous hash computation.

The output is the concatenation of the version identifier ``$1$'', the salt, a ``$'' separator, and the 128-bit hash output.

MD5 crypt places virtually no limit on the size of passwords, while bcrypt has a maximum of 55 bytes. We do not consider this a serious limitation of bcrypt, however. Not only are users unlikely to choose such long passwords, but if they did, MD5 crypt's 128-bit output size would become the limiting factor in security. A brute force attacker could more easily find short strings hashing to the same value as a user's password than guess the actual password. Finally, like DES crypt, MD5 crypt has fixed cost.


next up previous
Next: Attacks and Vulnerabilities Up: Comparison Previous: Traditional crypt
Niels Provos and David Mazieres
4/28/1999