I have had enough of hearing incorrect claims about just how insecure MD5 is for hashing passwords. The truth is that, as of 2016, the only reason to use anything stronger than MD5 to protect passwords is to protect weak passwords.
If a password is strong enough, it can be protected by plain MD5, without salting or iteration, and still remain secure for now. It will likely remain secure for years to come.
To support my point I have hashed an email address with a variety of common algorithms and published the hashes in the table below. I offer a cash prize of 100 euro to the first person to send an email to this address before the end of the decade.
| Algorithm | Hash of the email address |
| --- | --- |
| MD5 | 417d1fa69b325ca176cb2ce6737fa2f4 |
| SHA1 | 1f2389f24893104eeaa5fc6e32f9ec2913d65847 |
| SHA224 | ef192a5484dd01d4bc2819e950ea9152af64731d7ff74b14e1448534 |
| SHA256 | dc6fbf67b33c3c2e31c0491babec57deab700c9674c450e636eb0451efd5932a |
| SHA384 | 601ed5cbff4231f42eb58e0b0a96d4209f8370018fff136c12ac4895cf8db849152d1ad7bb13d3f88656720a48dc221c |
| SHA512 | 8f539a7708dd2221b6fa993a238671c010b6b35c833c56362a3a16c19b4b1984d6ec028ae8b991a0d8f7dbcf9bfcc97eef7132296517c074b907132ab007a44c |
| crypt MD5 | $1$fezFrfXL$ZCz3P/5YLr4P0BKLQ8MoC/ |
| crypt SHA256 | $5$fezFrfXL$B1HUlxYEsX9jVnycSDLL60blMNAkD5zpWcH.rViuXh4 |
| crypt SHA512 | $6$fezFrfXL$w89bXU2XaroL0urx7ZLcuQKSFfZiXwV.Jql84ww6nUvuqq5.U.YQtghTwuWo5yMqOWrptCQxOM24vEOr.jFMS0 |
Does this mean that plain MD5 is an acceptable way to protect passwords? Of course not. It does however mean that if a plain MD5 of a password is brute forced, the service provider and the user are both responsible for the password leak. The service provider is responsible for not using a stronger hash. The user is responsible for not using a stronger password.
Any system in use today should at the very least use a salted SHA2 hash for all new passwords. Anything weaker than that is irresponsible.
As for iterated hashing, it is often a compromise between two separate security aspects. Many iterations are good for protecting passwords against brute force but bad for protecting your server against DoS attacks, since every login attempt, legitimate or not, costs the server the same amount of CPU. Judge for yourself which of the two threats is more significant to you.
Much better protection of passwords than we have today would be possible if a new protocol were used to verify passwords. The server should never see the password, and the CPU-intensive parts of the calculation should happen on the client side.
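The following is an added example, not code from the original post. It shows the two ideas above in working Python using only the standard library: first the "at the very least" baseline, a salted and iterated SHA-256 (PBKDF2-HMAC-SHA256) with a timing helper that makes the brute-force versus DoS trade-off measurable on your own machine; then a sketch of the client-side idea, where the client does the expensive stretching and the server only stores a cheap keyed hash of the result. The iteration counts, the record format, the `client-salt:` prefix and the way the client salt is derived from the username are all assumptions made for this example, not a standard or the author's design.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# --- Salted, iterated SHA-2 for server-side storage (the baseline from the text) ---

def hash_password(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$key_hex.

    PBKDF2-HMAC-SHA256 from the standard library; a random 16-byte salt is
    generated when none is supplied, so equal passwords get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored parameters and compare in constant time.

    A malformed record is treated as a mismatch rather than raising, so a
    corrupted row cannot behave differently from a plain wrong password.
    """
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(key_hex))
    except ValueError:
        return False


def seconds_per_hash(iterations: int, samples: int = 3) -> float:
    """Measure the server-side cost of one verification at this iteration count.

    Every legitimate login pays this, and so does every bogus login attempt,
    which is the DoS side of the trade-off described in the text.
    """
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"timing-probe", b"\x00" * 16, iterations)
        best = min(best, time.perf_counter() - t0)
    return best

# --- Moving the expensive part to the client (illustration of the idea; not a PAKE) ---

CLIENT_ITERATIONS = 200_000   # assumption: a value agreed between client and server

def client_derive(password: str, username: str,
                  iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client-side stretching. The salt is derived from the username (an
    assumption of this example) so the client can recompute the key without
    first fetching a salt from the server."""
    salt = hashlib.sha256(b"client-salt:" + username.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def server_store(client_key: bytes) -> str:
    """The server never sees the password, only the stretched key. It stores an
    HMAC of that key under a per-user random salt: cheap to verify, and a leaked
    table does not directly reveal the key the client sends."""
    server_salt = os.urandom(16)
    tag = hmac.new(server_salt, client_key, "sha256").hexdigest()
    return f"{server_salt.hex()}${tag}"


def server_verify(client_key: bytes, record: str) -> bool:
    """Constant-time check of the client's key against the stored HMAC."""
    try:
        salt_hex, tag_hex = record.split("$")
        expected = hmac.new(bytes.fromhex(salt_hex), client_key, "sha256").digest()
        return hmac.compare_digest(expected, bytes.fromhex(tag_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample password
    print(rec)
    print("server-side verify:", verify_password("correct horse battery staple", rec))
    for n in (1_000, 10_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_hash(n) * 1000:.2f} ms per verification")
    key = client_derive("correct horse battery staple", "alice@example.invalid")
    stored = server_store(key)
    print("client-side scheme verify:", server_verify(key, stored))
```

In the client-side sketch the stretched key is still password-equivalent for that one server, so it must travel over TLS and the server must treat it with the same care as a password; what the scheme buys is that a cracked server database yields per-user HMAC tags of already-stretched keys, and the heavy CPU cost has moved off the server. A proper password-authenticated key exchange (SRP, OPAQUE) goes further by never sending a password-equivalent value at all.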