MD5 was once the go-to hash function for everything from file integrity to digital signatures. But since 2004, researchers have demonstrated practical collision attacks that break its security guarantees. This article explains how MD5 collisions work, why they matter, and what you should use instead.
What Is a Hash Collision?
A hash collision occurs when two different inputs produce the same hash output. For a secure hash function, finding collisions should be computationally infeasible. MD5 produces a 128-bit (16-byte) hash, so the birthday attack bound is 2^64 operations — but actual attacks are far faster.
How MD5 Collisions Work
MD5 uses the Merkle-Damgård construction: the message is padded to a multiple of 512 bits, split into blocks, and processed iteratively through a compression function. The compression function performs 64 rounds of nonlinear operations on a 128-bit internal state (four 32-bit registers A, B, C, D).
Wang Xiaoyun's 2004 differential attack exploits weaknesses in the compression function. By carefully choosing differences between two message blocks, an attacker can cause the internal state differences to cancel out after 64 rounds, yielding identical final hashes. This is far more efficient than brute force — the attack complexity is about 2^39 MD5 operations, which can run in under an hour on a modern PC.
Real-World Collision Tools
Tools like fastcoll and HashClash implement these attacks. For example, using fastcoll:
fastcoll_v1.0.0.5.exe -p original.pdf -o collision1.pdf collision2.pdf
This produces two PDF files with identical MD5 hashes but different content.
Why MD5 Is Broken for Security
MD5 fails the collision resistance property required for security. The consequences are severe:
| Property | Required for | MD5 status |
|---|---|---|
| Collision resistance | Digital signatures, certificates | ❌ Broken (2^39 operations) |
| Second preimage resistance | File integrity (malicious) | ❌ Weakened |
| Preimage resistance | Password hashing | ⚠️ Still strong (~2^123) but not recommended |
Timeline of MD5's Demise
- 2004: Wang Xiaoyun demonstrates practical MD5 collisions at Crypto 2004.
- 2008: Sotirov et al. forge a RapidSSL intermediate CA certificate using an MD5 collision, demonstrating real-world impact.
- 2012: The Flame malware uses an MD5 chosen-prefix collision to forge a Microsoft code-signing certificate.
- 2017: SHA-1 (stronger than MD5) is also broken with SHAttered attack; industry fully migrates to SHA-2.
When MD5 Is Still Acceptable (and When It's Not)
| Use Case | Safe? | Rationale |
|---|---|---|
| Digital signatures / certificates | ❌ No | Collision allows forgery |
| Password storage | ❌ No | Use bcrypt, scrypt, Argon2 |
| File integrity (against malicious tampering) | ❌ No | Attacker can replace file + hash |
| File integrity (accidental corruption) | ⚠️ Weak | Use SHA-256 for future-proofing |
| Non-security hash table key | ✅ Yes | Collisions cause performance issues but not security breaches |
Common Pitfalls
- Assuming MD5 is "good enough" for security. Collision attacks are practical — a determined attacker can forge signatures or certificates.
- Using MD5 for password hashing. Even without collisions, MD5 is fast and vulnerable to brute-force; always use a slow, salted hash like Argon2.
- Ignoring the birthday bound. For 128-bit hashes, collision resistance is only 64 bits — feasible for modern hardware.
- Thinking "I only need preimage resistance." Many protocols rely on collision resistance; if an attacker can create two documents with the same hash, they can substitute one for the other.
What to Use Instead
- SHA-256 (SHA-2 family): Current standard, no known practical attacks, 256-bit output. Use for signatures, certificates, and file integrity.
- SHA-3: Alternative design (Keccak), not vulnerable to length extension attacks. Good for new protocols.
- BLAKE3: Very fast, secure, and supports streaming. Great for hashing large files.
- HMAC-SHA256: For message authentication, always use HMAC rather than bare hash to avoid length extension attacks.
Worked Example: Migrating from MD5 to SHA-256
Suppose you have a file upload system that stores files with MD5-based filenames and checksums. Here's how to migrate:
Before (insecure)
import hashlib
def store_file(content):
md5 = hashlib.md5(content).hexdigest()
filename = f"{md5}.bin"
with open(filename, 'wb') as f:
f.write(content)
return md5
def verify_file(filename, expected_md5):
with open(filename, 'rb') as f:
content = f.read()
actual_md5 = hashlib.md5(content).hexdigest()
return actual_md5 == expected_md5
After (secure)
import hashlib
def store_file(content):
sha256 = hashlib.sha256(content).hexdigest()
filename = f"{sha256}.bin"
with open(filename, 'wb') as f:
f.write(content)
return sha256
def verify_file(filename, expected_sha256):
with open(filename, 'rb') as f:
content = f.read()
actual_sha256 = hashlib.sha256(content).hexdigest()
return actual_sha256 == expected_sha256
For existing MD5-hashed files, recompute SHA-256 hashes and update references. You can also store both hashes during a transition period.
Try it in our hash text tool to compare MD5 and SHA-256 outputs for the same input.
FAQ
Is MD5 completely broken for all purposes?
No. MD5 still provides preimage resistance (~2^123 operations) and is safe for non-security uses like checksums for accidental corruption or as a hash table key. However, SHA-256 is equally fast and avoids any doubt.
Can I use MD5 if I add a salt?
No. A salt does not prevent collision attacks — it only affects preimage attacks. Collisions can still be found for salted MD5.
How long does it take to find an MD5 collision today?
On a modern consumer GPU (e.g., RTX 4090), a single collision can be found in under a minute using tools like fastcoll or HashClash. Cloud instances make it even cheaper.
What about SHA-1? Is it also broken?
Yes. SHA-1 collisions were demonstrated in 2017 (SHAttered attack). SHA-1 should not be used for any security purpose. Git still uses SHA-1 for object IDs, but the threat model is different; new projects should use SHA-256.
Are there any hash functions that are quantum-safe?
SHA-256 and SHA-3 are believed to be quantum-safe against Grover's algorithm (which halves the security level). For 256-bit hashes, quantum attacks would still require 2^128 operations — infeasible. BLAKE3 also offers 256-bit security.
Conclusion
MD5's collision resistance is broken, and using it for security purposes is irresponsible. Always choose SHA-256 or stronger for new applications. For existing systems, migrate as soon as possible — the cost of a collision attack is low enough for motivated adversaries. Use our hash text tool to verify the difference between MD5 and SHA-256 outputs.