Articles

MD5 Collisions: Still a Threat?

March 15, 2026 6 min read

MD5 is still considered unsafe for cryptographic purposes, particularly for digital signatures and password hashing, because it’s susceptible to collision attacks.

Here’s how to see MD5 in action, and why its "unsafety" is a bit nuanced:

Imagine you have a file. You want to create a unique fingerprint for it so you can verify later if the file has been tampered with. This fingerprint is generated by a hash function, like MD5.

echo "This is a test file." > test.txt
md5sum test.txt

This will output something like:

f675243c7f41911483604260934e35a8  test.txt

This f675243c7f41911483604260934e35a8 is the MD5 hash. If even a single character in test.txt changes, the MD5 hash will be completely different.

echo "This is a test file. Modified." > test.txt
md5sum test.txt

Now you get:

068d6314410957210621f3b4452f55ea  test.txt

This is the core idea: a small input change yields a drastically different output. This is called the avalanche effect, and it’s a desirable property for hash functions.

The problem isn’t that MD5 doesn’t have an avalanche effect, or that it’s easy to compute. The problem is that MD5 is fast and weak against specific types of attacks.

Collision Attacks: The Achilles’ Heel

The "unsafety" of MD5 stems from the discovery of practical collision attacks. A collision occurs when two different inputs produce the same MD5 hash.

For example, it’s now computationally feasible to create two entirely different documents, Document A and Document B, such that md5sum DocumentA is identical to md5sum DocumentB.

Imagine using MD5 for digital signatures:

  1. You sign a document (Document A) using its MD5 hash.
  2. An attacker creates a malicious document (Document B) that has the exact same MD5 hash as Document A.
  3. The attacker can then present Document B, claiming it’s the signed document because its hash matches the signature. The signature verification would incorrectly pass.

This is why MD5 is no longer suitable for anything requiring strong cryptographic integrity or authenticity.

Where MD5 Might Still Be Okay (with caveats)

Despite its cryptographic weaknesses, MD5 can still be useful for non-security-critical tasks where collision resistance isn’t paramount:

  • File Integrity Checks (Internal Networks/Trusted Sources): If you’re downloading a file from a trusted internal server and just want to quickly verify that the download wasn’t corrupted during transfer, MD5 is usually sufficient. You’re not worried about an attacker maliciously crafting a file to have the same hash.
  • Checksums for Data Integrity: Similar to the above, for checking if data has been accidentally altered (e.g., disk errors), MD5 can be used.

The "Why" of the Weakness

MD5 was designed in 1991, and cryptographic understanding has evolved significantly since then. Its internal structure, specifically the way it processes data in blocks and uses a series of logical operations (like XOR, AND, NOT), has mathematical properties that make it vulnerable to techniques like differential cryptanalysis. These techniques allow attackers to find collisions much faster than brute-force guessing.

Practical Levers and What You Control

When you use MD5 (or any hash function), you’re primarily controlling:

  1. The Input Data: This is what you’re hashing.
  2. The Hash Algorithm: In this case, MD5.
  3. The Output Hash: The resulting string of hexadecimal characters.

The "system" itself is the algorithm’s implementation and its mathematical properties. You don’t control those directly, but you choose whether to use an algorithm that has known vulnerabilities.

The One Thing Most People Don’t Know

The fact that MD5 can be intentionally manipulated to produce collisions for two different files is a far cry from the original intent of hash functions, which was to make it practically impossible to find any two different inputs that yield the same output. The research that led to practical MD5 collision attacks (like those by Wang et al. in 2004) showed that it’s not just theoretical; it can be done on standard hardware in a matter of hours or days, making it a real threat for security applications.

Moving Forward

For any security-sensitive application, always use modern, cryptographically secure hash functions. The most common and recommended alternatives are:

  • SHA-256: A robust and widely adopted standard.
    echo "This is a test file." | sha256sum
    Output: 532eaabd9574880dbf7690f401495a2a7e3c0e1b74e7006a3216613d3368e419 -
  • SHA-3: A newer family of algorithms designed as an alternative to SHA-2.

The next problem you’ll encounter is understanding when other hash functions, like SHA-1, also become insecure.

Want structured learning?

Take the full Cryptography course →