
The fortress that wasn't: When security tools aged out

We didn't heed cyber security warnings, especially the one in 1994 of a theoretical but profound threat to the encryption standards of the age.
By Dr Jannie Zaaiman, CEO, South Africa Information and Communication Technology Association.
Johannesburg, 22 May 2026
Dr Jannie Zaaiman, CEO of the South Africa Information and Communication Technology Association, a non-governmental, non-profit professional body.

As the clock rolled over to 00:00 on 1 January 2000, the Y2K bug failed to deliver the chaos many had predicted. ATMs hiccupped briefly – credit card machines stopped working, some bus ticket systems failed, some websites clocked backwards. By and large, a non-event (unless you missed your ride).

This ushered in the era of Gen Z: people born between 1997 and 2012 were born into a world where the internet simply was. Gaming moved beyond the Atari, e-commerce boomed, online access spread and the desktop computer became ubiquitous.

Technology leapt forward. CPUs (Pentium 4 and AMD Athlon) pushed clock speeds, and 64-bit architecture (AMD64 by 2003) became standard. Supercomputers moved from billions to trillions of calculations a second, massively parallel computing became reality, and words like petaflops entered our lexicon.

Yet these gains paled against the prior era’s crypto breakthroughs, when mathematicians went head-to-head creating, cracking and strengthening standards.

The security inheritance

By the turn of the century, we had HTTPS for encrypted transactions, the Advanced Encryption Standard mixing and substituting bits at speed, and lean Elliptic Curve Cryptography guarding keys.

This lulled us into a false sense of security and complacency. Even as supercomputers performed quadrillions of calculations per second, that still wasn't enough to make a meaningful dent in modern encryption.

And we didn't heed the warnings. Especially the 1994 one from Peter Shor, who showed that a sufficiently powerful quantum computer could solve integer factorisation and discrete logarithms in polynomial time – a theoretical but profound threat to the encryption standards of the age.

The warning didn't immediately displace the algorithms of the internet era, but it permanently changed how cryptographers had to think. From that point on, cryptography had to be evaluated not only against current hardware, but against possible future computational models too.

The math held. The walls seemed eternal. We built mathematical fortresses so massive that even the world's fastest supercomputers couldn't crack them, and we mistook that for permanent safety.

2004: One hour, one crack

And then it started happening. In August 2004, Xiaoyun Wang and her three colleagues announced they had broken MD5 – used across the globe for file integrity checks, digital signatures and password storage.

Their attack took one hour on an IBM cluster. A hash function supposed to be a one-way, tamper-proof fingerprint had just been shown to produce identical outputs from two entirely different inputs, on hardware that already existed.

It cascaded quickly. By 2005, a practical collision was demonstrated using two X.509 certificates with different public keys but the same MD5 hash. Two distinct documents could now appear cryptographically identical. By 2006, an algorithm could find a collision in under a minute on a single notebook computer, causing real-world havoc.

In 2012, the Flame malware exploited MD5 weaknesses in Microsoft's certificate infrastructure to masquerade as legitimate Microsoft software. This was a real-world attack, in the wild, at scale.

SHA-1, the Secure Hash Standard deeply embedded in network protocols, certificate systems and software verification, followed the same path toward obsolescence.

Death by a thousand shortcuts

It became clear that encryption tools have operational lifespans shaped by ongoing cryptanalysis and the steady growth of computational power. But here is the critical point: the walls didn't fall because supercomputers finally brute-forced their way through.

That never happened.

Instead, researchers found smarter mathematical shortcuts. Real-world systems exposed weaknesses through poor implementation and bad parameter choices. The algorithms themselves often held firm, but the way they were deployed did not.

Systems reused weak settings, stuck with key sizes that were no longer sufficient, or relied on poor randomness that turned solid encryption into something exploitable in practice. In other cases, attackers didn't break the maths at all.

They watched how systems behaved, how long operations took, how much power was consumed, what patterns emerged under load. Side-channel attacks, as these were called, found ways around the wall rather than through it.
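The timing leak described above, illustrated in code that is added here and is not part of the original column: a naive comparison of an authentication tag stops at the first wrong byte, so the work it does (standing in for the time an observer measures) reveals how many leading bytes were correct, while a constant-time comparison does the same work whatever the input. The tag value and the function names are constructed for this example.

```python
import hmac
from typing import Callable, Tuple

# Constructed 16-byte authentication tag standing in for a secret a server
# compares against; not a value from the original article.
TAG = bytes.fromhex("6bd0f1a74c33e98d21f5a0b7c4d3e2f1")

def early_exit_compare(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Naive compare that stops at the first mismatching byte.
    Returns (match, bytes_examined); the count stands in for elapsed time,
    which grows with the length of the correct prefix and so leaks it."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def constant_time_compare(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Touches every byte whatever the input, so the work done does not
    depend on where the first mismatch sits."""
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    for a, b in zip(expected, candidate):
        diff |= a ^ b
    return diff == 0, len(expected)

def production_compare(expected: bytes, candidate: bytes) -> bool:
    """What deployed code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(expected, candidate)

def leaks_prefix_length(compare_fn: Callable[[bytes, bytes], Tuple[bool, int]],
                        secret: bytes) -> bool:
    """Defender's check: submit candidates that agree with the secret on 0,
    half and all-but-one leading bytes and differ afterwards. If the amount of
    work varies with the prefix length, the compare is a timing side channel."""
    work = set()
    for prefix_len in (0, len(secret) // 2, len(secret) - 1):
        tail = bytes(b ^ 0xFF for b in secret[prefix_len:])
        _, examined = compare_fn(secret, secret[:prefix_len] + tail)
        work.add(examined)
    return len(work) > 1

if __name__ == "__main__":
    print("early-exit leaks:", leaks_prefix_length(early_exit_compare, TAG))
    print("constant-time leaks:", leaks_prefix_length(constant_time_compare, TAG))
```

In real code the byte count becomes nanoseconds of latency, which is why reviewers look for early-exit comparisons of MACs, tokens and password hashes and replace them with `hmac.compare_digest`.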

The theory that brute force could never succeed had created dangerous complacency. The edifice didn't collapse from a frontal assault. Instead, it was undermined quietly, methodically, from angles its architects hadn't considered.

Computing was no longer as safe as we had assumed. And encrypted data was being harvested and stockpiled against a future in which it might finally be cracked.
