Why MD5 is Broken

Broken Beyond Repair

MD5 (Message Digest Algorithm 5) was designed by Ronald Rivest in 1991 and quickly became the most widely used hash function on the internet. It was used everywhere: password storage, file integrity verification, digital signatures, and software checksums. However, MD5 has been comprehensively broken since 2004, when Xiaoyun Wang demonstrated practical collision attacks that could be executed on a standard laptop in seconds.

The severity of MD5's weakness was demonstrated dramatically in 2008, when researchers used an MD5 collision to forge a rogue Certificate Authority certificate. This meant they could issue fraudulent TLS certificates for any website on the internet, completely undermining HTTPS security. The Flame malware, attributed to nation-state actors, exploited a similar MD5 collision to forge Windows Update certificates, allowing it to spread through Microsoft's own update mechanism.

MD5 must never be used for any security purpose. It should not be used for password hashing, digital signatures, certificate verification, or integrity checking of security-sensitive files. The only acceptable modern use of MD5 is as a non-security checksum for detecting accidental data corruption during file transfers, and even for that purpose, faster alternatives like xxHash or CRC32 are preferred.
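The policy above, turned into a small verifier for md5sum/sha256sum-style manifests, as an added example that is not code from the original article or from giovium: MD5 entries are accepted only for accidental-corruption checks and refused outright for security-sensitive files. The manifest format follows the two tools' output; the file name and payload are constructed for the example.

```python
import hashlib
import hmac

# Hex digest length -> algorithm, as printed by md5sum / sha256sum.
ALGORITHMS_BY_HEX_LEN = {32: "md5", 64: "sha256"}
# Algorithms acceptable when the manifest protects a security-sensitive file.
# MD5 is deliberately absent: it is allowed only for accidental-corruption checks.
SECURITY_GRADE = {"sha256"}


def parse_manifest(text: str) -> list[tuple[str, str, str]]:
    """Parse '<hexdigest>  <filename>' lines into (algorithm, digest, filename)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")  # sha256sum marks binary mode with a leading '*'
        algo = ALGORITHMS_BY_HEX_LEN.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"unrecognised manifest line: {raw!r}")
        entries.append((algo, digest.lower(), name))
    return entries


def verify(text: str, files: dict[str, bytes], security_sensitive: bool) -> dict[str, str]:
    """Map each manifest entry to 'ok', 'corrupt' or 'rejected-<algo>'.

    With security_sensitive=True a non-collision-resistant digest is refused
    before any hashing happens, so a forged MD5 manifest can never report 'ok'.
    """
    results = {}
    for algo, digest, name in parse_manifest(text):
        if security_sensitive and algo not in SECURITY_GRADE:
            results[name] = f"rejected-{algo}"
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "corrupt"
    return results


# Constructed sample input: one file and the manifest line each tool would print for it.
PAYLOAD = b"constructed release payload\n"
FILES = {"release.tar.gz": PAYLOAD}
MD5_MANIFEST = f"{hashlib.md5(PAYLOAD).hexdigest()}  release.tar.gz\n"
SHA256_MANIFEST = f"{hashlib.sha256(PAYLOAD).hexdigest()} *release.tar.gz\n"

if __name__ == "__main__":
    print(verify(MD5_MANIFEST, FILES, security_sensitive=False))  # {'release.tar.gz': 'ok'}
    print(verify(MD5_MANIFEST, FILES, security_sensitive=True))   # {'release.tar.gz': 'rejected-md5'}
```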

Everyday Example

Imagine a fingerprint system used to identify people at a border crossing. MD5 is like a fingerprint scanner so crude that two completely different people can produce the same fingerprint reading. A criminal could walk through border control with a forged identity, and the scanner would confidently confirm they are the legitimate person. You would never trust such a scanner for security, yet MD5 is still found in legacy systems worldwide.

The Deep Mathematics

MD5 produces a 128-bit digest through four rounds of 16 operations each (64 total). Wang's differential cryptanalysis attack identifies specific bit differences in input blocks that propagate predictably through MD5's compression function. Modern collision generators produce colliding message pairs in under one second on consumer hardware. The attack reduces collision complexity from the theoretical 2^64 (the birthday bound for a 128-bit digest) to approximately 2^18 compression function evaluations, making MD5 collisions trivially inexpensive.

Discover how giovium protects your data

giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.
