MD5 is not secure...

It seems that the reviewers find problems where there are no problems, it's a living hell, man, I swear.

So in one of my plugins I am using MD5 to encrypt a password for a video, and the reviewer is saying that MD5 is not secure. I never had a complaint or issue with this in the 15 years I have been writing these plugins… even if the password is broken it's not something severe like breaking the database or hacking the site… this is going too far…

What the heck am I supposed to use instead of MD5? Keep in mind that I have to decrypt this in JavaScript, so I have to encrypt it via PHP and then decrypt it via JS…

Are you on WordPress?

Yes.

Try using wp_hash_password() (Function, WordPress Developer Resources)

The problem is that I need a js function as well…

This is a problem indeed then, I never had to solve a similar problem.

I’d suggest an AJAX call performing the server encryption, but I dunno if it might fit your use case.

I think you should ask the reviewer before you start to implement another hash function. If you google your question on Stack Overflow there should be answers about SHA-1 or SHA-256, which are more modern than MD5.

Hi @FWDesign,

MD5 has been known to be vulnerable to collision attacks since 2004, almost 20 years ago. It’s widely agreed to be unsuitable for cryptographic operations, such as password hashing.

The SHA family of algorithms is much more modern and is widely supported. The browser Web Crypto API has SHA implementations available. There are also pure JavaScript implementations available (e.g. in NPM).

Code-wise you should be able to do a drop-in replacement between MD5 and SHA-256, just be aware that if you store MD5-hashed passwords you’ll have to re-hash them and update the stored values with the new algorithm.
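
The JavaScript side of the MD5 to SHA-256 swap described in the reply above, as an added example that is not part of the original thread. It assumes the PHP side produces `hash('sha256', $password)` as lowercase hex; the function names and the sample value are hypothetical.

```javascript
// Added example (not from the thread). Assumed PHP side, which stores or
// emits a lowercase hex digest:  $stored = hash('sha256', $password);

// Web Crypto in browsers and Node 19+; fall back to node:crypto on older Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Encode bytes as lowercase hex, the format PHP's hash() returns by default.
function toHex(buffer) {
  return Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, '0')).join('');
}

// SHA-256 over the UTF-8 bytes of the input, as a hex string.
async function sha256Hex(text) {
  const bytes = new TextEncoder().encode(text);
  return toHex(await subtle.digest('SHA-256', bytes));
}

// Compare two hex digests without exiting early on the first mismatch.
function hexEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hypothetical check: `storedHex` is the value the PHP side produced.
async function passwordMatches(entered, storedHex) {
  return hexEqual(await sha256Hex(entered), storedHex.toLowerCase());
}

// Constructed sample: the standard SHA-256 test vector for "abc".
const SAMPLE_HASH = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad';
passwordMatches('abc', SAMPLE_HASH).then((ok) => console.log('match:', ok));
```

Any value compared in the browser is visible to the visitor, so a check like this only gates the player UI. A plain unsalted SHA-256 of a short password can still be guessed offline from the hash.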

Thank you guys for the reply. I will ask the reviewer on this one…