Don’t Use MD5

“The hashing alone being MD5 tells me that they really don’t care about their passwords too much, so it’s probably some pre-generated site.”

That was from this article on an Anatomy of a Hack. It’s an interesting quote, and it shows a few things.

First, there is a history problem with our frameworks: they are not kept up to date as we learn more about a technology or as circumstances change. It could be that the frameworks themselves are not being updated, that developers are not updating the frameworks they use, or that they are downloading the wrong versions.

The bottom line is that older technologies, ones with known weaknesses, are still in use. If you hash passwords, don’t use MD5, and I’d say that SHA1 is a bad idea too. If you are on a version of SQL Server prior to 2012, SHA2 is not available, but with the SQL CLR and SHA2 in .NET you can write your own.
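As an added example (not code from this post or from SQLServerCentral), here is a minimal SQL CLR scalar function that exposes .NET’s SHA-256 to a pre-2012 SQL Server. It takes a per-user salt alongside the password so that two users with the same password do not end up with the same stored hash; the assembly, class and function names and the DLL path are assumptions.

```csharp
using System;
using System.Data.SqlTypes;
using System.Security.Cryptography;
using Microsoft.SqlServer.Server;

// Hypothetical names: assembly PasswordHashing, class UserDefinedFunctions.
public partial class UserDefinedFunctions
{
    // SHA-256 over (salt || password). Returns NULL when either input is NULL.
    // SHA256Managed lives in mscorlib, so the assembly can stay PERMISSION_SET = SAFE.
    [SqlFunction(IsDeterministic = true, IsPrecise = true, DataAccess = DataAccessKind.None)]
    public static SqlBinary HashSha256Salted(SqlBinary salt, SqlBinary password)
    {
        if (salt.IsNull || password.IsNull)
            return SqlBinary.Null;

        byte[] saltBytes = salt.Value;
        byte[] pwdBytes = password.Value;
        byte[] input = new byte[saltBytes.Length + pwdBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, input, 0, saltBytes.Length);
        Buffer.BlockCopy(pwdBytes, 0, input, saltBytes.Length, pwdBytes.Length);

        using (SHA256 sha = new SHA256Managed())
        {
            return new SqlBinary(sha.ComputeHash(input)); // always 32 bytes
        }
    }
}

/* Registering and calling it (T-SQL, assumed names; the DLL path is a placeholder):

CREATE ASSEMBLY PasswordHashing FROM 'C:\path\to\PasswordHashing.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION dbo.HashSha256Salted(@salt VARBINARY(8000), @password VARBINARY(8000))
RETURNS VARBINARY(32)
AS EXTERNAL NAME PasswordHashing.UserDefinedFunctions.HashSha256Salted;
GO
-- Generate a fresh salt per user, store it next to the hash, and verify a login by
-- recomputing with the stored salt and comparing the two VARBINARY(32) values.
SELECT dbo.HashSha256Salted(CRYPT_GEN_RANDOM(16), CONVERT(VARBINARY(8000), N'correct horse'));
*/
```

The salt stops one precomputed table from covering every account, but SHA-256 is still a fast hash; this sticks to what the post recommends rather than introducing a deliberately slow password scheme.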

About way0utwest

Editor, SQLServerCentral

1 Response to Don’t Use MD5

  1. Solomon says:

    For anyone interested in using the SHA256, SHA384, or SHA512 algorithms provided via .NET without wanting to mess with creating the CLR assembly, etc. (even if you can copy / paste the code provided in the “write your own” link above), these are available in the Free version of SQL# (SQLsharp). There are two functions that differ only in the datatype of the return value: Util_Hash and Util_HashBinary. SQL# is available at
