Quiz Entry - updated: 2026.07.14
When were MD5 and SHA-1 broken, and what are the practical implications?
MD5 collisions were found in under 1 hour in 2004. SHA-1 collision complexity was reduced from $2^{80}$ to $2^{52}$ by 2009.
MD5 (broken 2004):
- Xiaoyun Wang et al. found an algorithm that produces MD5 collisions on a single computer in about one hour
- Two 1024-bit values differing in only 6 bit positions produced the same 128-bit MD5 hash
- Similar attacks were found for RIPEMD-128 and SHA-0
SHA-1 (weakened 2005-2009):
- Brute-force collision requires $2^{80}$ operations (birthday attack on 160-bit hash)
- Feb 2005: Chinese researchers reduced this to $2^{69}$ — a factor of $2^{11} = 2048$ fewer operations
- June 2009: Further reduced to $2^{52}$ — a factor of $2^{17} = 131,072$ improvement
- Actual collision cost: approximately €10,000 (recent estimate)
Practical implications:
- These were all collision attacks (birthday), not pre-image attacks
- For forging signatures, you need a pre-image attack — still infeasible for SHA-1
- But: no panic needed — SHA-3 is the solution, and SHA-2 remains unbroken
- SHA-1 still considered acceptable for HMAC (where collision resistance isn't the primary concern)
Go deeper:
SHATTERED — the first practical SHA-1 collision (2017) — two different PDFs with the same SHA-1 hash, with the collision PDFs to download.
MD5 (Wikipedia) — the 2004 break and why MD5 is now used only where collision resistance doesn't matter.
SHA-1 (Wikipedia) — the timeline from theoretical weakening to the SHATTERED collision.