This is actually a big thing (that I haven’t seen talked about a lot) — someone has posted a working program capable of generating MD5/4 collisions in under 45 minutes on a 2.4 GHZ processor.
This is significant because previously, while everyone knew that MD5 was basically worthless at this point (due to the How to Break MD5 and Other Hash Functions paper, people continues to say “but there’s no exploit code!”.
Now there is. People need to start using something in the realm of SHA-256 for hashing (SHA-1 is “weaker” then expected) or some other authenticity method, but really, MD5 is worthless, and SHA-1 is going to go down as well.
You can see Bruce Schneier’s writing on this as well.
Add: Oh look. Slashdot finally caught it
-
Matt Wilson
-
Allen