
Some Companies Are Still Storing Passwords With MD5 and Unsalted!


In the car industry, if you find out that something is truly unsafe, you recall the car and replace the component with something that fixes the vulnerability. But, in cybersecurity, well, for some reason — in places — we just never learn. One area of cybersecurity is the cryptographic naughty step — and on that step is the MD5 hashing method. It shares its position with another hashing method (SHA-1) and with the symmetric key encryption methods of DES and RC4. These methods should never really be seen in a production environment and should be long since gone.

To ever use MD5 for hashing passwords is the equivalent of driving without a seat belt. Its hash is only 128 bits, and not only is it possible to crack the hash, it is also possible to create a modified program or document that still produces the same valid MD5 hash. To give an example, it is relatively easy to take the Putty executable, insert a backdoor into the program, and still end up with the same valid MD5 hash. It is basically as bad as it gets in cybersecurity.
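Added example, not code from the original post: a small Python audit that flags a password table stored in the unsalted-MD5 style the post criticises, beside a salted PBKDF2 scheme that fixes it. The sample records, the 16-byte salt and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample table in the weak scheme the post criticises: plain MD5
# of the password, no salt. Two users who picked the same password get the
# same digest, which is exactly what a leaked table exposes.
WEAK_MD5_STORE = {
    "alice": hashlib.md5(b"Winter2023!").hexdigest(),
    "bob": hashlib.md5(b"Winter2023!").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def audit_password_store(store: dict) -> dict:
    """Flag records that look like unsalted MD5 (a bare 32-hex-char digest)
    and digests shared by several accounts, which per-user salts would prevent."""
    md5_like = [u for u, h in store.items() if MD5_HEX.match(h)]
    by_digest = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    duplicates = {d: u for d, u in by_digest.items() if len(u) > 1}
    return {"md5_like": md5_like, "duplicates": duplicates}

# Hardened replacement (parameters are assumptions, not from the post): a random
# 16-byte salt per user and PBKDF2-HMAC-SHA256 with a high iteration count, so
# equal passwords give different records and every guess costs real work.
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so a mismatch does not leak via timing
    return algo == "pbkdf2_sha256" and hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(audit_password_store(WEAK_MD5_STORE))
    rec = hash_password("Winter2023!")
    print(rec, verify_password("Winter2023!", rec), verify_password("wrong", rec))
```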

But Électricité de France (EDF) has just been fined EUR 600,000 by CNIL (Commission Nationale de l’Informatique et des Libertés) [here]. One of the rulings related to "Sur le manquement à l’obligation d’assurer la sécurité des données" (failure to meet the obligation to keep data secure). Along…


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
