🔓 Crack MD5 hash · technical guide
MD5 is an obsolete 128-bit cryptographic hash but still ubiquitous in legacy systems, old password storage and some protocols. This guide explains how to crack MD5 hashes in 2026: hashcat with GPU, rainbow tables, online lookups, and when each approach is appropriate.
Why MD5 is "broken" but still ubiquitous
- Password storage in legacy systems (PHP < 5.5, old MySQL)
- File integrity checksums (NOT security but verification)
- Old WordPress, Joomla, Drupal versions
- Custom internal systems no one audited
For passwords stored as simple MD5, recovery is trivial. For integrity uses (not security), MD5 is still valid.
Hashcat MD5 throughput on modern hardware
| Hardware | MD5 throughput | Time for a 1G-entry wordlist |
|---|---|---|
| CPU i7 single-thread | ~10 M/s | 100 s |
| RTX 3060 | ~25 G/s | 40 ms |
| RTX 3090 | ~65 G/s | 15 ms |
| RTX 4090 | ~165 G/s | 6 ms |
An RTX 3090 tests 65 billion candidates per second. A full brute force of 8 lowercase chars therefore takes 26^8 / 65G ≈ 3.2s. Simple MD5 offers no real security.
Hashcat commands for MD5
# Raw MD5 (no salt)
hashcat -m 0 hash.txt rockyou.txt
# MD5 with salt (format hash:salt)
hashcat -m 10 hash.txt rockyou.txt
# Double MD5 (md5(md5($pass)))
hashcat -m 2600 hash.txt rockyou.txt
# WordPress (phpass MD5-based)
hashcat -m 400 hash.txt rockyou.txt
# vBulletin
hashcat -m 2611 hash.txt rockyou.txt
Raw MD5 against RockYou completes in <2 seconds. If the password is in RockYou, you recover it. Otherwise, the remaining options are a mask attack or brute force.
Rainbow tables vs GPU brute force
Pros of rainbow tables: instant lookup (microseconds, versus minutes for GPU brute force).
Cons: they require disk space, DON'T work with MD5+salt, and don't work with very long passwords (typically >9 chars).
Public projects: RainbowCrack (CMU), Ophcrack tables for Windows LM/NTLM.
Hashcat with GPU has made rainbow tables almost obsolete for simple MD5. An RTX 3090 brute forces 8 chars in seconds, which is competitive with a table lookup but more flexible (any hash, any length).
Online lookups: NEVER PAY
Real utility: for weak passwords from the top 10 million (LinkedIn 2012, Adobe 2013, etc.), 95%+ are in these DBs.
NEVER pay a service offering to "crack MD5 hash": Crackstation, hashes.com and hashtoolkit.com are free for single hashes.
When MD5 is NOT trivial: long salt + iterations
| Algorithm | RTX 3090 throughput (attempts/s) |
|---|---|
| Raw MD5 | 65 G/s |
| md5crypt (Apache) | ~50 M/s |
| phpass (WordPress) | ~25 M/s |
| MD5 + 100K iterations | ~650 K/s |
Best approach for "hardened" MD5: the same strategy as for wallet.dat, that is, wordlist + mask + whatever part of the password is remembered. Without patterns, random 10+ char keys are infeasible even with base MD5.
Frequently asked questions
Is MD5 still secure for passwords?
NO. Move to bcrypt, scrypt, argon2 (designed for password hashing). Raw MD5 for passwords is practically plain-text in 2026.
And MD5 for checksums/integrity?
For integrity (not security), MD5 is still valid. If you only want to verify a file wasn't corrupted, MD5 is enough. For cryptography or security, NO.
What's the best hash for passwords today?
Argon2id (winner of the Password Hashing Competition 2015) is the standard. Bcrypt is still valid (simpler). Scrypt is OK but less preferred. NEVER use raw MD5/SHA1/SHA256 for passwords.
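The move away from raw MD5 recommended in the two answers above can be done without forcing a password reset. The following is an added example, not code from this guide: it wraps stored MD5 digests in salted scrypt immediately, then rehashes to plain scrypt at the next successful login. The record layout, the scheme names and the scrypt cost parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters are assumptions for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """The scheme being retired: unsalted md5(password), hex-encoded."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt(data: bytes, salt: bytes) -> str:
    return hashlib.scrypt(data, salt=salt, **SCRYPT).hex()

def _record(scheme: str, data: bytes) -> dict:
    salt = os.urandom(16)  # fresh random salt per record
    return {"scheme": scheme, "salt": salt.hex(), "hash": _scrypt(data, salt)}

def wrap_legacy(md5_hex: str) -> dict:
    """Bulk upgrade without the password: scrypt over the stored MD5 digest."""
    return _record("scrypt-md5", md5_hex.encode())

def new_record(password: str) -> dict:
    """Target scheme: salted scrypt directly over the password."""
    return _record("scrypt", password.encode())

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a successful login on an old scheme is rehashed."""
    scheme = record["scheme"]
    if scheme == "md5":
        candidate = legacy_md5(password)
    elif scheme == "scrypt-md5":
        candidate = _scrypt(legacy_md5(password).encode(), bytes.fromhex(record["salt"]))
    elif scheme == "scrypt":
        candidate = _scrypt(password.encode(), bytes.fromhex(record["salt"]))
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return False, record
    return True, (record if scheme == "scrypt" else new_record(password))

if __name__ == "__main__":
    # Constructed sample row, as a legacy table might hold it.
    row = {"scheme": "md5", "hash": legacy_md5("Summer2019!")}
    row = wrap_legacy(row["hash"])                    # step 1: no raw MD5 left at rest
    ok, row = verify_and_upgrade(row, "Summer2019!")  # step 2: next login
    print(ok, row["scheme"])
```

The wrapping step matters because dormant accounts never log in again; without it their raw MD5 digests would stay in the database indefinitely.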
Do you recover MD5 hashes with salt if I don't know the salt?
If the hash includes the salt in its format (hash:salt), yes, trivially. If the salt is unknown, it depends on the scheme (what the algorithm does with the salt).
How much for cracking thousands of MD5 hashes?
For bulk volume (password database audits), pricing is a rate per GB of hashes. Contact us for custom volume. For single hashes, use Crackstation for free.