Real-World Consequences of Poor Hash Choices

The LinkedIn breach of 2012 starkly illustrated the consequences of using SHA-1 without salts. Because every password had been hashed with plain SHA-1 and no per-user salt, a single candidate guess could be checked against all of the leaked hashes at once, and within days of the breach security researchers had cracked over 60% of the 6.5 million leaked password hashes. Common passwords fell within seconds, while even complex passwords succumbed to rule-based dictionary attacks. The incident became a watershed moment, demonstrating that major technology companies were failing at basic password security.

The Ashley Madison breach in 2015 showed the consequences of mixing hash algorithms. The site used bcrypt for passwords (good) but MD5 for password change tokens (catastrophic). Attackers focused on the MD5 hashes, cracking 11 million passwords through the weaker implementation. This demonstrated how a single weak link in password handling can compromise otherwise strong security measures.

Legacy system dependencies perpetuate the use of weak hashing algorithms. Many organizations maintain systems that hardcode MD5 or SHA-1 for password hashing, making migration difficult without major rewrites. Some protocols and standards specified these algorithms, creating ecosystem lock-in. The cost and risk of migration often delay necessary updates, leaving systems vulnerable to well-understood attacks.
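The migration problem described above does not require a big-bang rewrite. The following is an added example (not code from the original page, and not from LinkedIn or Ashley Madison) showing two standard defender techniques in Python's standard library: wrapping every existing unsalted SHA-1 digest inside a salted PBKDF2-HMAC-SHA256 layer immediately, without needing any plaintext, and then replacing the wrapped form with a clean PBKDF2 hash the next time each user logs in. It also includes a small audit helper that shows why unsalted hashes are so damaging: users who share a password share a digest. The user store, the `pbkdf2$` and `sha1-pbkdf2$` storage formats, and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: a PBKDF2-HMAC-SHA256 work factor chosen for this example;
# tune it so a verification costs a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """The weak legacy scheme: unsalted SHA-1, so equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Target scheme: per-user random salt plus an iterated KDF, stored self-describing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def wrap_legacy(sha1_hex: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Wrap an existing SHA-1 digest in salted PBKDF2 so the whole table can be
    upgraded offline in one pass. The stored value is no longer crackable as
    plain SHA-1, even though the plaintext was never available."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode(), salt, iterations)
    return f"sha1-pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str,
           iterations: int = PBKDF2_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Check a login and return (ok, replacement).

    replacement is a fresh clean hash whenever the stored value is still a bare
    legacy digest or a wrapped one, so the caller can rehash on successful login.
    """
    if "$" not in stored:  # bare legacy SHA-1 hex
        ok = hmac.compare_digest(stored, legacy_sha1(password))
        return ok, (hash_password(password, iterations=iterations) if ok else None)

    scheme, iters, salt_hex, dk_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "pbkdf2":
        material = password.encode()
    elif scheme == "sha1-pbkdf2":
        material = legacy_sha1(password).encode()  # recompute the wrapped inner layer
    else:
        return False, None

    dk = hashlib.pbkdf2_hmac("sha256", material, salt, int(iters))
    ok = hmac.compare_digest(dk.hex(), dk_hex)
    # A wrapped hash still carries the unsalted inner SHA-1; replace it once the
    # plaintext has been seen at login.
    needs_upgrade = ok and scheme == "sha1-pbkdf2"
    return ok, (hash_password(password, iterations=iterations) if needs_upgrade else None)


def shared_password_groups(store: Dict[str, str]) -> List[List[str]]:
    """Audit helper: with unsalted hashes, identical digests reveal which users
    share a password, and cracking one entry cracks all of them at once."""
    by_digest: Dict[str, List[str]] = {}
    for user, stored in store.items():
        if "$" not in stored:  # only bare legacy digests are comparable this way
            by_digest.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample store in the legacy unsalted-SHA-1 format.
    store = {"alice": legacy_sha1("password"), "bob": legacy_sha1("password"),
             "carol": legacy_sha1("correct horse")}
    print("shared passwords:", shared_password_groups(store))
    # Pass 1: wrap everything offline, no plaintext needed.
    store = {u: wrap_legacy(h) for u, h in store.items()}
    # Pass 2: at each successful login, swap in a clean salted hash.
    ok, replacement = verify(store["alice"], "password")
    if ok and replacement:
        store["alice"] = replacement
    print("alice now stored as:", store["alice"].split("$")[0])
```

The wrapping pass matters because most users never log in again after a migration starts; waiting for rehash-on-login would leave the dormant majority of rows as plain SHA-1 indefinitely.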