Hashing unique strings with MD2


I have a list of unique email addresses - a very simple question. If the email is unique, will the output always be unique?

hash('md2', $email);

There are 3 best solutions below

0

Hash functions like MD2 are, as the name suggests, message digest algorithms: they take an arbitrary-length input and give a fixed-length output. There are bound to exist collisions for unique inputs.

You can use stronger hash functions like SHA-256 where a collision between two strings is highly unlikely compared to MD2. The birthday paradox applies here, so you shouldn't use MDx functions or anything shorter than 256-bit hash functions.

I see you're hashing e-mail addresses. Depending on your system, this can be exploited with a collision. For example, some e-mail providers enable virtual addresses of the form "[email protected]", "[email protected]" and so on. An attacker might use that fact to find a collision with a known other e-mail address to get for example the password reset e-mail or something like that.

0

MD2 produces a hash of 128 bits. You can guarantee at least one hash collision by hashing 2^128+1 strings.

1

Well, the best attack, according to Wikipedia, is:

In 2009, MD2 was shown to be vulnerable to a collision attack with time complexity of 2^63.3 compression function evaluations and memory requirements of 2^52 hash values. This is slightly better than the birthday attack which is expected to take 2^65.5 compression function evaluations.

It would however still be tricky to find a collision for a short email address.

If you really require more security and a 128-bit hash value you are much better off by using the first (leftmost) 128 bits of SHA-256, which is considered secure at the time of writing. Using the full 256 bits is of course preferred.

The chances of creating a collision by accident are close to zero. So if you just use this to create something unique (i.e. without considering targeted attacks) then using MD2 is fine. Even then, if you can change the protocol, use SHA-256 instead.
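The points made in the answers above, as an added example that is not part of any answer: identifiers taken from the leftmost bits of SHA-256, the birthday estimate for accidental collisions, and the pigeonhole guarantee shown at a 16-bit digest size where it can actually be run. The function names are hypothetical and the addresses are constructed sample data.

```python
import hashlib
import math

def email_id(email: str, bits: int = 128) -> str:
    """Leftmost `bits` bits of SHA-256 over the address bytes, hex-encoded."""
    if bits % 8 or not 8 <= bits <= 256:
        raise ValueError("bits must be a multiple of 8 in [8, 256]")
    return hashlib.sha256(email.encode("utf-8")).digest()[: bits // 8].hex()

def accidental_collision_probability(n: int, bits: int) -> float:
    """Birthday approximation: 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (bits + 1))

def find_collisions(emails, bits: int = 128):
    """Return (id, earlier, later) for distinct addresses that share an id."""
    seen, clashes = {}, []
    for email in emails:
        key = email_id(email, bits)
        earlier = seen.setdefault(key, email)
        if earlier != email:
            clashes.append((key, earlier, email))
    return clashes

def constructed_addresses(n: int):
    """Constructed sample data, not real addresses."""
    return [f"user{i}@example.com" for i in range(n)]

if __name__ == "__main__":
    addrs = constructed_addresses(2**16 + 1)
    # 16-bit ids: 2^16 + 1 distinct inputs must collide (pigeonhole).
    print("16-bit clashes:", len(find_collisions(addrs, bits=16)))
    # 128-bit ids: the same inputs produce no accidental collision.
    print("128-bit clashes:", len(find_collisions(addrs, bits=128)))
    # Chance of any accidental collision among a billion addresses.
    print("P(1e9 ids, 128 bits):", accidental_collision_probability(10**9, 128))
```

Storing the address next to its identifier and running a check like `find_collisions` at insert time turns a collision from a silent account mix-up into a detectable event.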