Why MD5 and SHA1 hashing alone are not enough.
MD5 and SHA1 hash are no longer considered safe to store passwords on their own. Speed is what makes MD5 and SHA1 hashes so useful, but it is also their downfall. It only takes a few minutes to hash thousands of passwords; this also means that it only takes minutes to hash thousands of common passwords and use these hashes to compare against a hash that has been obtained.
Companies try different techniques to harden MD5 and SHA1 hashes, such as "salting" them. This is the process of adding additional characters to the password that only the person/company that should be decrypting knows. Unfortunately this is not enough either with the rise of GPU and ASIC based computations. Therefore, companies using these techniques can better migrate to Argon2 or Balloon hashing.
As a user you often have no choice in how your passwords are stored; the only thing you can do in this case is try to make your password longer and more complex. A password SHA1 that is 7 characters long with upper and lowercase characters will take roughly a minute or 5 to brute force on a proper GPU, whereas one with 25 characters will take much longer.
Note that, when these type of hashes are used over HTTP
(without TLS that is, e.g. no HTTPS
) as part of an integrity check, a Man in the Middle could possibly intercept the content and alter it, calculate the hashes and return those as well.
An attacker could even even reuse the same hashes, and provide other content based on a hash-collission. Therefore: always use secured connections when transferring content & never rely only on hashes like MD5
or SHA1
for the integrity of the data.