MD5 Collision Risks: Why You Shouldn’t Use It for Cryptographic Security

Quick Guide to Generating MD5 Checksums on Windows, macOS, and Linux

What an MD5 checksum is

An MD5 checksum is a 128-bit hash produced by the MD5 algorithm, commonly expressed as a 32-character hexadecimal string. It’s used to verify file integrity (e.g., to detect accidental corruption or transfer errors), but it is not recommended for security-sensitive integrity checks because MD5 is vulnerable to collisions.

Windows

  • Using PowerShell (built-in):

    1. Open PowerShell.
    2. Run:
      Get-FileHash -Algorithm MD5 "C:\path\to\file"
    3. The output shows the Hash and Path.
  • Using certutil (built-in on many systems):

    1. Open Command Prompt.
    2. Run:
      certutil -hashfile "C:\path\to\file" MD5
  • Third-party tools:

    • 7-Zip, HashTab, or third-party GUI checksum utilities can compute MD5 via right-click or UI.

macOS

  • Using Terminal (built-in):

    1. Open Terminal.
    2. Run:
      md5 /path/to/file
    3. Output shows the MD5 checksum.
  • Using Homebrew tools (if installed):

    • OpenSSL:
      openssl md5 /path/to/file

Linux

  • Using coreutils (most distros):

    1. Open a terminal.
    2. Run:
      md5sum /path/to/file
    3. Output is one line in the form "checksum  filename" (the hash, two spaces, then the file name).
  • Using OpenSSL:

    openssl md5 /path/to/file

Verifying checksums

  • Compare the computed checksum string to a known-good checksum (from a website or a checksum file). On Linux/macOS you can verify with:
    • If you have a checksum file named file.md5 containing lines of the form "checksum  filename":
      md5sum -c file.md5
    • On Windows compare the printed value manually or via a script.

Batch and scripting examples

  • PowerShell (compute MD5 for all files in folder):
    Get-ChildItem -File "C:\path\to\folder" | ForEach-Object { $h = Get-FileHash -Algorithm MD5 $_.FullName; "{0} {1}" -f $h.Hash, $_.Name }
  • Bash (Linux/macOS):
    for f in /path/to/folder/*; do md5sum "$f"; done
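Windows has no built-in equivalent of md5sum -c, so the check in "Verifying checksums" has to be scripted there. The script below is an added example (not part of the original guide) that does the same job on any platform in Python: it parses a coreutils-style checksum file, hashes each listed file in chunks and reports OK, FAILED or MISSING per file; passing algorithm="sha256" checks a SHA-256 list the same way. The file names, the "hello world" contents and the temporary directory in demo() are constructed for the demonstration, and hashlib stands in for the value a publisher would normally supply.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def hash_file(path, algorithm="md5", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_file(text):
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>') into (hex, name) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        digest, _, name = line.partition(" ")
        entries.append((digest.lower(), name.lstrip(" *")))  # leading '*' = binary mode
    return entries

def verify(checksum_path, algorithm="md5"):
    """Check each listed file; return {name: 'OK' | 'FAILED' | 'MISSING'} like md5sum -c."""
    sums = Path(checksum_path)
    results = {}
    for expected, name in parse_checksum_file(sums.read_text(encoding="utf-8")):
        target = sums.parent / name  # names are resolved relative to the checksum file
        if not target.is_file():
            results[name] = "MISSING"
            continue
        actual = hash_file(target, algorithm)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results

def demo():
    """Constructed sample: an intact file, a modified file and a missing one in a temp dir."""
    d = Path(tempfile.mkdtemp())
    published = hashlib.md5(b"hello world").hexdigest()  # stands in for the publisher's value
    (d / "good.txt").write_bytes(b"hello world")
    (d / "changed.txt").write_bytes(b"hello world!")  # no longer matches what was checksummed
    sums = d / "files.md5"
    sums.write_text(f"{published}  good.txt\n{published} *changed.txt\n{published}  missing.txt\n")
    return verify(sums)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```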

Notes and recommendations

  • MD5 is suitable for detecting accidental corruption and quick integrity checks, but not for cryptographic verification or security-sensitive uses (use SHA-256 or stronger instead).
  • When downloading files, prefer checksums provided over HTTPS and, for security, use SHA-256/512 or PGP signatures when available.
