Rule Information
Tags
gosecuritycryptomd5password-hashingCWE-916CWE-327OWASP-A02OWASP-A07
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset golang/GO-CRYPTO-005 --project .1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Cross-file analysis: 3 files
About This Rule
Understanding the vulnerability and how it is detected
Using MD5 to hash passwords is a critical vulnerability. Password hashing requires an intentionally slow, memory-hard function — MD5 is the opposite: it is designed for speed and runs at **164.1 billion hashes per second** on a single NVIDIA RTX 4090 GPU (hashcat v6.2.6 benchmark).
**Cracking speed in context**: - "8-char lowercase alphanumeric (36^8 ≈ 2.8 trillion): exhausted in ~17 seconds." - "8-char mixed-case + digits (62^8 ≈ 218 trillion): exhausted in ~22 minutes." - "bcrypt cost-10 on the same RTX 4090: ~184,000 hashes/second — ~892,000x slower." - "argon2id: ~1,000–10,000 hashes/second — ~16,000,000x slower than MD5."
**Why salted SHA-256 is also insufficient**: Adding a salt stops rainbow table attacks but does not slow the attacker on GPUs. Salted SHA-256 is still computed at billions of hashes per second. bcrypt's work factor and argon2id's memory hardness are specifically designed to keep per-hash computation time at 100ms–1s even on dedicated hardware, making bulk cracking economically infeasible.
**Real breach consequences**: The "rockyou.txt" password list (32 million entries from the 2009 RockYou breach, which stored passwords in plaintext) became the most widely used cracking wordlist in all password cracking tools — demonstrating how breached data permanently enables future attacks against other services where users reuse credentials.
**Detection**: This rule detects MD5 hash output flowing into password-named functions (storePassword, checkPassword, savePassword, hashPassword, etc.), indicating password storage using MD5.
Security Implications
Potential attack scenarios if this vulnerability is exploited
1
Instant Password Cracking After Database Breach
An attacker who exfiltrates a database of MD5-hashed passwords can crack the vast majority in hours using a single consumer GPU. Studies of breached password datasets consistently show 90–99% crack rates for MD5 hashes within 24–72 hours when dictionary + rule-based attacks are applied.
2
Credential Stuffing at Scale
Cracked passwords from one service are used to attack other services where users reuse credentials. A single breached MD5 database provides the attacker with a tested password list for attacks against email, banking, and other accounts.
3
Rainbow Table Vulnerability
Unsalted MD5 password hashes are directly reversible using pre-computed rainbow tables freely available online. Common passwords are recovered in milliseconds without any cracking computation.
How to Fix
Recommended remediation steps
- 1Replace all MD5 password hashing with bcrypt (golang.org/x/crypto/bcrypt, cost >= 12).
- 2For new systems, prefer argon2id (golang.org/x/crypto/argon2) — PHC winner, memory-hard.
- 3For migration: at next successful login, re-hash the password with bcrypt/argon2id.
- 4Never use any fast hash (MD5, SHA-1, SHA-256) directly for password storage — even salted.
- 5bcrypt has a 72-byte input limit — enforce this or pre-hash input before passing to bcrypt.
- 6Use constant-time comparison (bcrypt.CompareHashAndPassword) to prevent timing attacks.
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
Detects MD5 hash output (md5.Sum() return value) flowing into functions with password-related names (storePassword, savePassword, checkPassword, hashPassword, etc.). This indicates password storage using MD5.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
NIST SP 800-63B (Digital Identity Guidelines)
Section 5.1.1.2 — Memorized Secret Verifiers: SHALL use a suitable one-way key
derivation function (PBKDF2, bcrypt, scrypt, or Balloon). SHALL use a salt of at
least 32 bits. MD5 does not meet these requirements.
URL: https://pages.nist.gov/800-63-3/sp800-63b.html
OWASP Top 10
A02:2021 — Cryptographic Failures; A07:2021 — Identification and Authentication Failures
PCI DSS v4.0
Requirement 8.3.1 — Passwords must use strong cryptography.
CWE Top 25 (2024)
CWE-916 — Use of Password Hash With Insufficient Computational Effort
References
External resources and documentation
OWASP Password Storage Cheat Sheet (bcrypt/argon2id recommendations)Go golang.org/x/crypto/bcrypt packageGo golang.org/x/crypto/argon2 packageRFC 9106 — Argon2 Memory-Hard Password Hashing Functionbcrypt original paper: A Future-Adaptable Password Scheme (Provos & Mazières, USENIX 1999)Password Hashing Competition — Argon2 winner (PHC)NIST SP 800-63B — Digital Identity Guidelines, AuthenticationHashcat RTX 4090 benchmark: MD5=164.1 GH/s, bcrypt=184 kH/sRockYou breach — WikipediaCWE-916: Use of Password Hash With Insufficient Computational EffortCWE-327: Use of a Broken or Risky Cryptographic Algorithm
Similar Rules
Explore related security rules for Go
HIGH
Use of MD5 Weak Hash Algorithm
Detects use of MD5 (crypto/md5) which is cryptographically broken — collision attacks are feasible in seconds and GPU cracking reaches 164 billion hashes/second.
HIGH
Use of SHA1 Weak Hash Algorithm
Detects use of SHA1 (crypto/sha1) which has a proven collision (SHAttered, 2017) and is deprecated by NIST for all applications through 2030.
Frequently Asked Questions
Common questions about MD5 Used for Password Hashing
Using MD5 to hash passwords is a critical vulnerability. Password hashing requires
an intentionally slow, memory-hard function — MD5 is the opposite: it is designed
for speed and runs at **164.1 billion hashes per second** on a single NVIDIA RTX 4090
GPU (hashcat v6.2.6 benchmark).
**Cracking speed in context**:
- "8-char lowercase alphanumeric (36^8 ≈ 2.8 trillion): exhausted in ~17 seconds."
- "8-char mixed-case + digits (62^8 ≈ 218 trillion): exhausted in ~22 minutes."
- "bcrypt cost-10 on the same RTX 4090: ~184,000 hashes/second — ~892,000x slower."
- "argon2id: ~1,000–10,000 hashes/second — ~16,000,000x slower than MD5."
**Why salted SHA-256 is also insufficient**: Adding a salt stops rainbow table attacks
but does not slow the attacker on GPUs. Salted SHA-256 is still computed at billions
of hashes per second. bcrypt's work factor and argon2id's memory hardness are
specifically designed to keep per-hash computation time at 100ms–1s even on dedicated
hardware, making bulk cracking economically infeasible.
**Real breach consequences**: The "rockyou.txt" password list (32 million entries from
the 2009 RockYou breach, which stored passwords in plaintext) became the most widely
used cracking wordlist in all password cracking tools — demonstrating how breached data
permanently enables future attacks against other services where users reuse credentials.
**Detection**: This rule detects MD5 hash output flowing into password-named functions
(storePassword, checkPassword, savePassword, hashPassword, etc.), indicating password
storage using MD5.
Use Code Pathfinder to scan your codebase: pathfinder scan --ruleset golang/GO-CRYPTO-005 --project .
This vulnerability is rated as CRITICAL severity.
Yes! Code Pathfinder allows you to customize rules. Modify detection patterns, adjust severity levels, add custom sanitizers, and configure the rule to fit your organization's security policies.
New feature
Get these findings posted directly on your GitHub pull requests
The MD5 Used for Password Hashing rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.