How to show passwords stored as MD5() in Mysql as non-compliant?

How can I show which MD5()-encrypted passwords are not compliant with current password standards when MD5() is a one-way hash?

Ideally, I might have a Mysql function that decrypts the MD5 and then I can confirm if the plain text password conforms to current password standards.

MD5 is a one-way hashing algorithm, meaning it cannot be decrypted to reveal the original plain text password. This makes it impossible to directly check if MD5-hashed passwords conform to modern password standards (e.g., length, complexity). However, you can identify non-compliant passwords using alternative approaches.


Approach 1: Use a Password Policy During Login

When a user logs in with their password, you can validate the password’s strength at that point:

  1. Hash the plain text password input with MD5.
  2. Compare it with the stored MD5 hash in the database.
  3. If the password matches but doesn’t conform to your current standards, prompt the user to update their password.

Approach 2: Flag Potentially Weak Passwords

Although you cannot reverse MD5, you can use heuristics to identify potentially weak passwords. For example:

  1. Common weak passwords (e.g., “123456”, “password”) often have known MD5 hashes.
  2. Compare the stored MD5 hashes with a dictionary of known weak passwords’ MD5 hashes.
  3. Flag accounts with matches as potentially using weak passwords.

Approach 3: Force a Password Reset

A more secure and modern solution is to implement a forced password reset for all users. This ensures all passwords conform to the new standards and are stored using a secure hashing algorithm like bcrypt, Argon2, or PBKDF2.

Steps:

  1. Update Authentication Logic:
  • Support both MD5 and the new hashing algorithm temporarily.
  • If a user’s password is stored as MD5, allow login but flag the account for a password reset.
  1. Password Reset Workflow:
  • After the user logs in, redirect them to a password update page.
  • Validate the new password against your current standards before saving.
  1. Rehash Passwords:
  • Store the new password using a secure hashing algorithm.

Approach 4: Use MD5 Rainbow Tables

If you are testing for very weak passwords, you could use rainbow tables to try to guess the plain text for some MD5 hashes. However, this approach:

  • Is not guaranteed to work.
  • Requires significant computation or resources.
  • May raise ethical or legal concerns depending on the context.

Modern Password Practices

Instead of trying to work with MD5, focus on transitioning your system to a modern standard:

  1. Use a strong hashing algorithm:
  • bcrypt
  • Argon2
  • PBKDF2
  1. Add salting to prevent dictionary attacks and rainbow table lookups.
  2. Enforce password policies (minimum length, complexity) at the point of password creation or reset.

Key Takeaways

  • MD5 is not reversible, so you cannot directly decrypt it to verify compliance.
  • Use login workflows to check compliance and prompt users to reset passwords.
  • Transition to modern hashing algorithms for better security.