Fix for MD2, MD4 and MD5 Are Weak Hash Functions #5

Open
skoussa wants to merge 1 commit into fixsql4 from fixsql4_WEAK_MESSAGE_DIGEST_MD5_1619535618
@skoussa skoussa commented Apr 27, 2021

Issue Link

A weakness in the MD5 cryptographic hash function can result in a high number of different messages with the same MD5 hash (known as a "collision"). Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function can lead to theoretical attack scenarios; however, more recent work has proven that this scenario can be exploited in practice. This exposes any system which relies on the MD5 hashing mechanism to a realistic threat of attack. It should be noted that the SHA-1 algorithm has also been found to exhibit a lack of collision resistance.

MD2, MD4, MD5 are not recommended and a replacement such as SHA-2 (-224, -256, -384, -512) should be considered.

Here is a bad example using unsafe MD5:

// donotcopy
MessageDigest aBadDigest = MessageDigest.getInstance("MD5");

Which should be replaced with at least a SHA-2 algorithm:

MessageDigest aBetterDigest = MessageDigest.getInstance("SHA-256");
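
An added example, not part of the pull request or the project's code: one way to enforce the replacement above at a single call site, so that a request for MD2, MD4, MD5 or SHA-1 fails instead of being found and fixed one call at a time. The class name `DigestPolicy` and its methods are hypothetical, and `Set.of` assumes Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Set;

// Added example: DigestPolicy and its method names are hypothetical.
public final class DigestPolicy {
    // The SHA-2 variants named in the comment above, as standard JCA algorithm names.
    private static final Set<String> ALLOWED =
            Set.of("SHA-224", "SHA-256", "SHA-384", "SHA-512");

    private DigestPolicy() {}

    /** Returns a MessageDigest only for an allowlisted SHA-2 algorithm. */
    public static MessageDigest getInstance(String algorithm) throws NoSuchAlgorithmException {
        String name = algorithm.toUpperCase(Locale.ROOT);
        if (!ALLOWED.contains(name)) {
            // MD2, MD4, MD5 and SHA-1 are all rejected here.
            throw new NoSuchAlgorithmException("Digest not permitted by policy: " + algorithm);
        }
        return MessageDigest.getInstance(name);
    }

    /** SHA-256 of the input: 32 bytes, versus 16 for MD5, so stored digests must be recomputed. */
    public static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return getInstance("SHA-256").digest(data);
    }

    /** Compares a stored digest with a freshly computed one using MessageDigest.isEqual. */
    public static boolean matches(byte[] expected, byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(expected, sha256(data));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, for illustration only.
        byte[] sample = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        byte[] digest = sha256(sample);
        System.out.println("SHA-256 length: " + digest.length);
        System.out.println("matches: " + matches(digest, sample));
        try {
            getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```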
