I'd say retarded.
Applying MD5 reduces your input from a string of arbitrary length and with a limited character set to a fixed-size byte array with all 256 ANSI characters.
Furthermore, since MD5 is collision prone, certain byte sequences would probably appear more often than others, so that would reduce the input set even further.
Generally, you can ask yourself, "if it were that easy or obvious in a well-known problem domain, wouldn't others have tried it already?" Usually the answer is yes; there aren't many trivial Nobel prizes lying around.
Just flag the old hashed passwords with an extra column denoting legacy, re-encrypt them with Argon2 and update your password decrypter. When the user logs in successfully, re-encrypt the raw password with Argon2 and remove the legacy flag. Takes less time than trying to solve an X Prize problem.
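The migration described in the comment above, written out as an added example (this is not the commenter's code and not from devRant). It assumes the legacy table holds unsalted MD5 hex digests, and uses hashlib.pbkdf2_hmac as a stand-in for Argon2 because the Python standard library has no Argon2; with argon2-cffi installed you would swap out slow_hash() and keep the rest. The three steps are: wrap every stored MD5 digest in the slow hash without knowing any password, verify legacy rows by slow-hashing MD5(password), and on a successful login re-hash the raw password and clear the legacy flag.

```python
"""Offline migration of unsalted MD5 password hashes to a slow, salted hash.

Added example. hashlib.pbkdf2_hmac stands in for Argon2 (assumption: the
standard library has no Argon2); the migration logic is the same either way.
"""
import hashlib
import hmac
import os

ROUNDS = 100_000      # PBKDF2 work factor (assumed value; tune to ~100 ms per hash)
SALT_LEN = 16         # bytes of random salt per row


def slow_hash(material: bytes, salt: bytes) -> bytes:
    """Slow, salted hash standing in for Argon2."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS)


def make_record(material: bytes, legacy: bool) -> dict:
    """Build one stored row: legacy flag, fresh salt, slow hash of `material`."""
    salt = os.urandom(SALT_LEN)
    return {"legacy": legacy, "salt": salt, "hash": slow_hash(material, salt)}


def wrap_legacy_table(md5_table: dict) -> dict:
    """Step 1: without knowing any password, wrap each stored MD5 hex digest in
    the slow hash and flag the row as legacy. The bare MD5 disappears from the
    table at once, so a dump no longer contains fast-crackable hashes."""
    return {
        user: make_record(md5_hex.encode("ascii"), legacy=True)
        for user, md5_hex in md5_table.items()
    }


def verify_and_upgrade(record: dict, password: str):
    """Steps 2 and 3: check a login attempt against one row.

    Legacy rows are verified as slow_hash(MD5(password)); on success the raw
    password is re-hashed and the flag cleared. Returns (ok, record_to_store).
    """
    if record["legacy"]:
        material = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
    else:
        material = password.encode("utf-8")
    candidate = slow_hash(material, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["legacy"]:
        # Successful login: we finally hold the plaintext, so store the
        # proper slow hash of the password itself and drop the legacy flag.
        return True, make_record(password.encode("utf-8"), legacy=False)
    return True, record


# Constructed sample data: two users whose old table held unsalted MD5 digests.
LEGACY_MD5 = {
    "alice": hashlib.md5(b"correct horse battery").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}

if __name__ == "__main__":
    table = wrap_legacy_table(LEGACY_MD5)
    ok, rec = verify_and_upgrade(table["alice"], "correct horse battery")
    print("alice login ok:", ok, "| legacy after login:", rec["legacy"])
    ok, rec = verify_and_upgrade(table["bob"], "wrong")
    print("bob wrong password ok:", ok, "| still legacy:", rec["legacy"])
```

The point of wrapping in step 1, rather than waiting for each user to log in, is that every row gets the slow-hash protection immediately; users who never return still never expose a bare MD5. MD5's collision weakness is irrelevant here because the attacker needs a preimage, not a collision, and the salt plus work factor applies to the MD5-wrapped rows exactly as to the upgraded ones.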
@SortOfTested oh no don't get me wrong, this wasn't a "holy shit I am smarter than everyone" kind of thought, it's essentially more of a question as to why not and what are the issues with that
My knowledge of encryption is minimal, and I know for sure I'd never come up with something smarter than what's out there.
In addition to the other reasons already posted here, MD5 is also a very fast algorithm, which is terrible for security due to the sheer number of guesses you can try each second.
This plus the aforementioned collision issue means an attacker would be able to break your passwords quite quickly -- especially if they're unsalted. I'd estimate maybe a couple of days to crack the entire DB's worth on a nice 2080; less if you know the length and character ranges.