Aaron Saray


Disable md5 now – or you will die

I remember a while ago hearing about a few theoretical collisions of the md5 algorithm, but I thought nothing of them. Now that more information is emerging, Microsoft is issuing advisories, people are proving more and more collisions with example code, and md5 is even out of Vista, I figure it's time to remind everyone not to use md5.

What should I do?

First of all, let's use sha1 instead: it is an equally easy function to use, but much more secure.

<?php
echo sha1('test');

Output:

a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

Next, disable it in PHP using disable_functions in your php.ini:

php.ini excerpt

disable_functions = md5

Finally, don’t accidentally use it in your db ;)
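
Before adding the php.ini line, it helps to know where MD5 is actually used: `disable_functions = md5` blocks only the PHP function `md5()`, not `md5_file()`, `hash('md5', ...)` or `MD5()` running inside the database. The script below is an added example, not from the original post; it assumes GNU grep, and the function names, sample file names and file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): inventory MD5 call sites before
# setting "disable_functions = md5". Needs GNU grep (-r, -o, --include, \b).

# find_md5_uses DIR: print "file:line:match" for each MD5 use in *.php / *.sql.
find_md5_uses() {
    grep -rnoiE --include='*.php' --include='*.sql' \
        "\bmd5(_file)?[[:space:]]*\(|\bhash(_file|_hmac)?[[:space:]]*\([[:space:]]*['\"]md5['\"]" \
        "$1" | sort
}

# still_reachable DIR: only the hits that "disable_functions = md5" leaves working:
#   md5_file(...)            separate PHP function, needs its own entry
#   hash('md5', ...) etc.    hash extension, algorithm chosen by name
#   MD5(...) in *.sql files  runs in the database, not in PHP
# Plain md5( hits in .php files are dropped here but still need a manual look:
# one may be SQL inside a PHP string, which php.ini cannot stop.
still_reachable() {
    find_md5_uses "$1" | grep -viE '\.php:[0-9]+:md5[[:space:]]*\($'
}

# write_sample DIR: constructed sample files (hypothetical names and contents).
write_sample() {
    cat > "$1/login.php" <<'EOF'
<?php
$token = md5($email);
$sum   = md5_file($upload);
$mac   = hash_hmac('md5', $body, $key);
$ok    = sha1($email);
EOF
    cat > "$1/schema.sql" <<'EOF'
UPDATE users SET pw = MD5('changeme') WHERE id = 1;
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "All MD5 uses:";                find_md5_uses   "$demo_dir"
echo "Not stopped by php.ini line:"; still_reachable "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real code base, the second list shows which call sites need their own fix (an extra `disable_functions` entry, a code change, or a query change) rather than relying on the single php.ini line.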


One Response to Disable md5 now – or you will die

  1. Interesting article. I agree with you that md5 should not be used for securing data because of the possibilities of collisions etc, but there are many other uses for md5 hashes.

    If you need to convert some data to a hash, use sha1 or encrypt it with mcrypt. If all you need is a hash for a temporary unique id, md5 is just fine.

    I wouldn’t just stop using it altogether.
