Is salted MD5 Or SHA secure?
Is using something like bcrypt or scrypt necessary? The hashes are so much longer to store in a database. Can one get away with using salted MD5 or SHA and still be secure?
There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter. What people call "salted MD5" or "salted SHA-1" are in fact new cryptographic construction, assembling some encoding convention (to transform the password into a sequence of bits) and a salt value (another sequence of characters or bits) into one (or a few) invocations of the hash function. There are lots of possible ways to do that, and no standard. At best, we can have a family of designs which can be grouped under the generic terminology "MD5 with some salt". Cryptographically, these constructions need not be equivalent to each other; some may be quite poor.
Even assuming that your specific "salted MD5" happens not to botch things, you still get the main problem of MD5 (or SHA-1), and that is speed. Speed means that attackers can try a lot of potential passwords per second; numbers are in the billions per second (benchmarks there). If you want to "get away" with salted MD5 or SHA-1 then you need to fight that speed with more password entropy. Not password length, mind you; length is only loosely correlated with security. Adding more characters does not help; adding more characters that the attacker does not know of is what helps. Realistically, if you must get away with salted MD5 or SHA-1, then you must go for at least 60 bits of entropy in each password. This is unrealistic: average users will not produce or remember such passwords. At best, you can consider yourself happy if your users achieve 30 bits of entropy. In other words, with salted MD5 or SHA-1, you will fall short of the required security level by a factor of one billion or so. These are poor odds; to make an analogy, this would be similar to trying to militarily invade the USA when your whole army consists of a single soldier armed with a baseball bat. Stallone failed. Even Chuck Norris would find that challenging.
Go read these answers:
- On password hashing: the theory and practice needed to think correctly about it.
- On entropy calculation for passwords.
And go buy a new disk ! My first actual hard disk (back in 1991) had size 40 megabytes and would have been fit to store bcrypt hashes for more than half a million of users. Is your server 23-years old hardware, and do you have more than half a million of users ? If that is the case, then I salute you for your courage, and I warmly suggest that you should go sleep in some asylum with medical assistance. Otherwise, the "hashes are so much larger" argument is, there's no nice way to say it, really stupid.