So Kaspersky found out that MD5 passwords are unsafe. That’s literally 20 year old news. Actually, Kaspersky found out that brute-forcing MD5 on consumer-grade hardware has become slightly faster than two years ago, which makes me wonder if Captain Obvious’s secret identity is that of a Kaspersky cybersecurity expert.

El Reg concludes from this that we should ditch passwords, which they back up with the opinion of a second expert. This expert immediately tells them they’re wrong, that passwords are perfectly fine if used with MFA, and that a lack of public knowledge about basic cybersecurity is the real issue. They somehow treat this as him agreeing with them.

Actual technological alternatives to traditional password use (such as passkeys or password managers with per-site passwords) are mentioned only as an aside or not at all. It never occurred to El Reg or Kaspersky to mention that MD5 has been considered obsolete since the days of Internet Explorer 7 and that more secure hashes like bcrypt have been around since the late 90s. For that matter, the Kaspersky source talks about rainbow tables without using the word “salt” even once.

Finally they conclude with a call to action to “improve that user security stack”, arguing that passwords are inherently unsafe due to their “complex requirements and hashed storage”. That’s so deep into la-la land that I’m not even sure what it is they’re trying to say or who they’re even talking to.

That’s an amazingly badly written article.

What impresses me the most is that the Kaspersky article they’re talking about is just as asinine as El Reg’s confused stammering. The most sense I can make out of it is that they’re making a bad faith argument (“we can brute-force MD5’d passwords with a 5090 so you should use MFA”) because they’re trying to get nontechnical people to do the right thing and hope they can scare them into compliance if they bullshit hard enough.

Edit: I just noticed how often Kaspersky’s article refers to the own password manager they sell. So their bad faith argument is really just in service of an ad that happens to contain some decent security advice.

Wow this article is kinda shit. MD5 was on the chopping block for password hashing over 20 years ago. It’s so seriously broken that if someone is using it they deserve to get bludgeoned to death with a Model M keyboard. We have purpose built solutions just for password hashing.

The only thing the fine bad article sorta got right was two factor. I say kinda because biometrics (something you are) isn’t that great of a second factor. Mainly because you can’t change it. Also, it’s a fuzzy match rather than a hard match. It can be acceptable to use locally and where all the information stays locally AND there is sufficient hardware based security where said biometrics isn’t going to get off the device.

Finally, there was no mention of any kind of physical token based factor (something you have). Which pairs well with password, passphrase, or any other “something you know” factor.

The amount of websites I’m forced to create accounts on for various mandatory crap that insist on a short password (12-16 characters seems common) is embarrassing, and causing a large part of this issue.

Hasn’t md5 been cracked for like 2 decades? Now if they could Crack like aes-256 in under an hour this would be a different conversation.

An hour? Wtf? I swear that 5+years ago I saw a tool that would trivially modify any file by appending MD5-sum-length bytes to match any desired MD5, within a fraction of a second.