MD4 Hash Generator

MD4: a broken hash that refuses to die

MD4 (Message-Digest 4) was designed by Ronald Rivest at MIT in 1990 as a fast 32-bit-word hash for the early Internet. It produces a digest of 128 bits (16 bytes, 32 hexadecimal characters) and was the direct ancestor of MD5 — Rivest published MD5 a year later as a hardened extension after preliminary weaknesses appeared. MD4 is cryptographically broken: Hans Dobbertin demonstrated a practical collision attack in 1995, and modern attacks find collisions in around 50 microseconds on a laptop. There is no responsible use case for MD4 in any new system that requires security.

Despite being dead as a cryptographic primitive, MD4 is surprisingly common in legacy infrastructure. Its most famous role is the NT LAN Manager (NTLM) hash used by Microsoft Windows for domain authentication: an NTLM hash is literally MD4(UTF-16-LE(password)). Active Directory still accepts NTLM in 2026 for backward compatibility, which is why Pass-the-Hash attacks remain a top finding in enterprise penetration tests. MD4 also lives on inside the eDonkey 2000 / eMule file-identification scheme (the ed2k:// URL format) and a handful of ancient Cisco IOS configurations.

How broken is "broken"?

Cryptanalysis evolved from theoretical to industrial: Dobbertin (1995) → Wang et al. (2005) → modern automated tooling. Today commodity GPUs running Hashcat or John the Ripper attack MD4 at billions of guesses per second. A 7-character lowercase NTLM password falls in under a minute on a single RTX-class GPU. The function is therefore unsuitable for password hashing, file integrity against an adversary, digital signatures, or any context where collision or preimage resistance matters.

MD4 vs MD5 vs SHA-1

All three are descendants of the same Merkle–Damgård family and all three are now broken:

• MD4 (1990) — 128 bits, collisions in microseconds.
• MD5 (1991) — 128 bits, collisions since 2004 (Wang), chosen-prefix collisions since 2008.
• SHA-1 (1995) — 160 bits, full collision demonstrated by Google in 2017 (SHAttered).

The current safe defaults are SHA-256 or SHA-3 for general-purpose hashing, and BLAKE3 when speed is critical.

Mitigating NTLM in real environments

If you administer Windows networks, prefer Kerberos over NTLM, enable Credential Guard, audit NTLM authentication events (Event ID 8004), and consider Protected Users group membership for privileged accounts. Microsoft has been deprecating NTLM for several Windows Server releases — set RestrictReceivingNTLMTraffic aggressively in policy where feasible.

FAQ

Can I still use MD4 as a file checksum? Only against accidental corruption — never against a motivated attacker. Even for non-adversarial use, CRC32 or BLAKE3 are better choices in 2026.

Is MD4 faster than MD5? Yes, MD4 uses 3 rounds vs MD5's 4 rounds and is roughly 30% faster. Neither speed advantage justifies its use; both are equally broken for security purposes.

Does any live production system depend on MD4? Yes — every Active Directory installation that still allows NTLM authentication, every eDonkey-compatible file index, and a handful of embedded devices. The cryptographic risk is concentrated in NTLM and Pass-the-Hash.

Why does this tool offer MD4 at all? Education, CTF challenges, compatibility testing with legacy systems, and reverse engineering. Generating an NTLM hash from a known password to validate a parser is a legitimate use case.

Does this tool send my data to a server? No. The hash runs in your browser via JavaScript — nothing is transmitted.