I still frequently see MD5 and SHA1 being used "because the output is smaller than other hash functions and we only need a unique identifier". There's also a belief that an implication is that these functions are faster.

While a 128-bit output is indeed perfectly fine for most applications, MD5 and SHA1, in addition to being affected by practical attacks, are slow compared to SHA256, BLAKE, etc. Most importantly, it's perfectly fine to truncate the output of a cryptographic hash function to any length. So, if you need a 128-bit hash, just use SHA256 and truncate the output to 128 bits. This is faster than MD5 and more secure (even against length extension attacks).
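As an added illustration of the point above (example code, not from the commenter or any library), here is a 128-bit identifier built by truncating SHA-256, next to MD5 and BLAKE2b's native 16-byte output, with a hashlib timing loop to test the speed claim on your own CPU; the sample input and the `leaks_internal_state` helper are constructed for this example.

```python
import hashlib
import timeit

# Constructed sample input: the kind of record one might want a "unique identifier" for.
SAMPLE = b"user:alice@example.com|2024-01-01"


def truncated_sha256(data: bytes, out_bytes: int = 16) -> bytes:
    """Full SHA-256, then keep only the first out_bytes (16 bytes = 128 bits)."""
    return hashlib.sha256(data).digest()[:out_bytes]


def blake2b_128(data: bytes) -> bytes:
    """BLAKE2b takes the output length as a parameter; no truncation step is needed."""
    return hashlib.blake2b(data, digest_size=16).digest()


def md5_128(data: bytes) -> bytes:
    """MD5 already yields 128 bits, which is the whole of its chaining state."""
    return hashlib.md5(data).digest()


def leaks_internal_state(digest: bytes, state_bytes: int) -> bool:
    """Length extension needs the hash's full chaining state (MD5: 16 bytes,
    SHA-256: 32 bytes). A digest that exposes all of it is extendable; a
    truncated SHA-256 digest withholds half the state, so it is not."""
    return len(digest) >= state_bytes


def benchmark(data: bytes, rounds: int = 20000) -> dict:
    """Seconds to compute `rounds` hashes with each construction. hashlib uses
    OpenSSL underneath, so SHA-256 speed depends on whether the CPU has SHA
    extensions, which is exactly the caveat raised in the thread."""
    return {
        "md5": timeit.timeit(lambda: md5_128(data), number=rounds),
        "sha256[:16]": timeit.timeit(lambda: truncated_sha256(data), number=rounds),
        "blake2b-16": timeit.timeit(lambda: blake2b_128(data), number=rounds),
    }


if __name__ == "__main__":
    for name, fn in [("md5", md5_128), ("sha256[:16]", truncated_sha256), ("blake2b-16", blake2b_128)]:
        d = fn(SAMPLE)
        print(f"{name:12s} {len(d) * 8:3d} bits  {d.hex()}")
    for name, secs in benchmark(SAMPLE).items():
        print(f"{name:12s} {secs:.4f}s for 20000 hashes")
```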

I thought SHA256 was only faster than MD5 with the right hardware acceleration features present, which are common, but not ubiquitous?

I agree on the BLAKE front, though - and I agree with your overall point, there is no good reason to use MD5 or SHA1 anymore.
