Cryptographic · broken
SHA-1
A 160-bit hash function designed by the NSA and published by NIST in 1995 as a fix to SHA-0. SHA-1 ran the internet for two decades, but practical collisions arrived in 2017 (the SHAttered attack) and chosen-prefix collisions in 2020 (SHA-1 is a Shambles).
At a glance
| Output | 160 bits (20 bytes, 40 hex chars) |
|---|---|
| Block size | 512 bits |
| Construction | Merkle-Damgård + Davies-Meyer |
| Rounds | 80 |
| Standard | NIST FIPS 180-4 (deprecated) |
| Collision security | ~263 (SHAttered, 2017) |
| Preimage security | ~2160 |
| Length extension | Yes |
| Status | Broken , retire from new designs |
Where it still shows up
- Git , object IDs are SHA-1. The Git project has a SHA-1 ↔ SHA-256 transition in progress; in the meantime, Git uses a collision-detection variant (
libsha1dc) that detects the SHAttered family of attacks. - HMAC-SHA-1 , still found in older TLS / OAuth / AWS Signature v2 / OTP (TOTP RFC 6238). HMAC survives even a broken hash; rotate to HMAC-SHA-256 in new code.
- Legacy code signing , some certificate chains and PE signatures. Major OSes have deprecated SHA-1 signatures.
- Fingerprints , SSH host keys, PGP keys (also being replaced).
How it broke
SHA-1 inherited SHA-0’s structure with one extra rotation in the message schedule. Wang et al. found differential attacks reducing SHA-0 collisions to 239 in 2005, and SHA-1 collisions to approximately 269. Stevens, Bursztein, Karpman, Albertini, and Markov turned this into the SHAttered attack in 2017 (two PDFs with the same SHA-1, computed at ~263 work). In 2020, Leurent and Peyrin made chosen-prefix SHA-1 collisions practical , the same primitive that let Flame forge a Windows code signature in 2012, now applicable to SHA-1.
Length-extension caveat
Same Merkle-Damgård story as SHA-256: if you use raw SHA-1 as a MAC, you leak the ability to extend. Use HMAC-SHA-1 for protocol compatibility; prefer HMAC-SHA-256 for new designs.
Try it
The multi-algorithm hasher includes SHA-1 alongside SHA-256, SHA-3, and BLAKE2/3 so you can see how its digest length and bit pattern compare.
References
- NIST FIPS 180-4 , Secure Hash Standard
- SHAttered (Stevens et al., 2017) , first SHA-1 collision
- Leurent & Peyrin, “SHA-1 is a Shambles” (2020) , practical chosen-prefix collisions
- libsha1dc , Git’s collision-detecting SHA-1
- RFC 3174 , US Secure Hash Algorithm 1 (SHA-1)
Visualize
SHA-1 on your input
11 bytes · 0-bit digest
Hex digest
Bit grid (0 bits, teal = 1, slate = 0)
Byte pixel art (0 bytes, hue = byte value mod 360°)
Avalanche , flipping the lowest bit of the first input byte changed 0 of 0 output bits
Quick quiz
Test yourself on sha-1
10 multiple-choice questions. Pick an answer for each, then submit to see explanations.
Q1.What is the output size of SHA-1?
Q2.Who originally designed SHA-1?
Q3.What was SHA-1 a fix for?
Q4.What year was the first SHA-1 collision (SHAttered) published?
Q5.What 2020 result made SHA-1 chosen-prefix collisions practical?
Q6.Which version control system relies on SHA-1 for object IDs?
Q7.How does Git mitigate the SHAttered attack family?
Q8.Approximate work factor of the SHAttered collision attack against SHA-1?
Q9.Is HMAC-SHA-1 currently considered broken?
Q10.Which use of SHA-1 is still considered acceptable today?