Is MD5 still worth cracking in 2026?
MD5 is a fast, unsalted digest that still litters real systems. Why cracking it is a preimage guessing game, not a collision attack, and what defenders should do.
People keep saying MD5 is dead. They are half right, and the half they get wrong is the half that matters when you are staring at a dump of 32-character hex strings.
MD5 is a fast, unsalted message digest. It was built in 1991 to be quick, and quick it is. That single property is why it remains one of the most rewarding things you can find on a target, and also why no competent team should ever store a password with it.
Collisions are not the attack you are running
When someone announces "MD5 is broken," they almost always mean its collision resistance is broken. You can construct two different inputs that hash to the same digest. That breaks digital signatures, certificate chains, and any scheme that trusts a digest to uniquely identify a file. Flame abused exactly this in 2012.
Cracking a password hash is a completely different problem. You are not looking for any two inputs that collide. You have one specific digest and you want the one input that produced it. That is a preimage problem, and MD5's preimage resistance has never been meaningfully dented. So you do not break it with clever math. You break it by guessing, fast.
The conflation of these two ideas is the single most common confusion around MD5. Collision resistance and password-storage suitability are different axes. MD5 fails the first for cryptographic reasons and fails the second for performance reasons, and the reasons do not overlap.
Why guessing wins: raw throughput
The whole game is throughput. A modern GPU computes MD5 in the tens of billions of hashes per second. A single RTX 4090 sits comfortably north of 60 GH/s on hashcat's -m 0 (raw MD5). A small rig of them turns any human-chosen password into a near-instant lookup.
hashcat -m 0 -a 0 dump.txt rockyou.txt -r rules/best64.rule
Point that at unsalted MD5 and the common passwords are gone before you have finished your coffee. There is nothing exotic here. The algorithm hands the attacker so much speed that even a clumsy wordlist plus a ruleset clears the easy two thirds of most dumps. This is the practical face of why fast hashes are dangerous: speed is the attacker's entire advantage, and MD5 gives it away for free.
It still shows up everywhere
If MD5 were extinct this would be academic. It is not. You find it in legacy web apps whose auth code was written a decade ago and never touched since. You find it in homegrown CMS plugins, in forum software that predates the bcrypt era, in internal tools nobody owns anymore. You also find it doing entirely legitimate work as a non-security checksum: file integrity manifests, deduplication keys, cache busting. Those uses are fine. MD5 as a content fingerprint where you do not care about adversarial collisions is reasonable and fast. MD5 as a password store is malpractice.
The trouble is that a bare MD5 and an MD5 file checksum look identical: 32 hex characters. The string alone tells you nothing about intent. Context does.
Salted MD5 changes the mode, not the difficulty
The moment a developer bolts a salt onto MD5, the format on disk changes and so does your hashcat mode. A salt does not slow MD5 down per guess. It only kills precomputed rainbow tables and stops identical passwords sharing a digest. The GPU still rips through billions of attempts per second.
What it does demand is that you identify the construction correctly. md5($salt.$pass) is -m 10. md5($pass.$salt) is -m 20. vBulletin-style nested constructions have their own modes. Pick wrong and hashcat either rejects the line or quietly cracks nothing. When the layout is ambiguous, work through finding the right hashcat mode rather than guessing, because a salted MD5 in the wrong mode wastes a run and makes you think the passwords are strong when they are not.
The defender's side is short
Never store a password as MD5, salted or not. The salt buys you nothing against the throughput problem. If you inherit a system that does, treat every credential in it as already compromised and migrate.
Move to a slow, salted, memory-hard function: bcrypt at a sane cost, or Argon2id if you can. The clean migration path is to wrap existing MD5 hashes in bcrypt at next login, or rehash transparently on successful authentication, then drop the MD5 column. Do not invent your own scheme. Do not iterate MD5 a thousand times and call it a KDF.
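The migration described above, as an added sketch that is not code from the original post: stored MD5 digests are wrapped in a slow function, then replaced by a hash of the password itself after a successful login. It assumes the wrapping runs as a batch over existing rows, and it uses the standard library's scrypt as a stand-in so it runs without third-party packages; the record layout and the scheme labels "scrypt-md5" and "scrypt" are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost for the demo (about 16 MiB per hash); tune for your hardware.
N, R, P = 2**14, 8, 1

# Constructed sample: what one legacy row holds, md5(password) in hex.
SAMPLE_LEGACY = hashlib.md5(b"correct horse").hexdigest()


def _slow(data: bytes, salt: bytes) -> str:
    return hashlib.scrypt(data, salt=salt, n=N, r=R, p=P, dklen=32).hex()


def wrap_legacy(md5_hex: str) -> dict:
    """Batch step: protect a stored MD5 digest without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt-md5", "salt": salt.hex(),
            "hash": _slow(md5_hex.encode(), salt)}


def new_record(password: str) -> dict:
    """Final form: the slow function applied to the password itself."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt.hex(),
            "hash": _slow(password.encode(), salt)}


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a wrapped record is rehashed after a good login."""
    if record["scheme"] not in ("scrypt-md5", "scrypt"):
        return False, record  # bare MD5 rows are never accepted for login
    salt = bytes.fromhex(record["salt"])
    data = password.encode()
    if record["scheme"] == "scrypt-md5":
        data = hashlib.md5(data).hexdigest().encode()  # rebuild the inner digest
    if not hmac.compare_digest(_slow(data, salt), record["hash"]):
        return False, record
    if record["scheme"] == "scrypt-md5":
        record = new_record(password)  # MD5 no longer appears in the stored value
    return True, record
```

Once every row carries the final scheme, the wrapped branch and the MD5 column can both be removed.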
MD5 in 2026 is not worth defending and very much worth cracking. It is fast, it is everywhere, and the only thing standing between an attacker and the plaintext is how good the password was. That is a bet defenders lose far more often than they should.