Generate and verify SHA-1 hashes with this online cryptographic tool
SHA-1 is considered cryptographically broken and unsuitable for security applications. For security-critical purposes, use SHA-256 or SHA-512 instead.
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1995. It produces a 160-bit (20-byte) hash value typically rendered as a 40-character hexadecimal number.
SHA-1 was developed as an improvement to the earlier MD5 algorithm, which had begun showing signs of weakness. For many years, SHA-1 was widely used across the internet for security applications including:
However, theoretical weaknesses were identified in SHA-1 as early as 2005. By 2017, researchers from Google and CWI Amsterdam demonstrated the first practical collision attack, creating two different PDF files with identical SHA-1 hashes. This milestone, known as the "SHAttered" attack, definitively proved SHA-1's insecurity for cryptographic applications.
As of 2025, SHA-1 is considered cryptographically broken. Major browsers no longer accept SSL certificates signed with SHA-1, and security standards have deprecated its use. For security applications, newer algorithms like SHA-256 or SHA-3 should be used instead.
SHA-1 processes input data in blocks of 512 bits (64 bytes) and maintains a 160-bit internal state. Here's a simplified overview of the algorithm:
Before processing begins, the input message is padded so that its length is congruent to 448 modulo 512. This is achieved by appending a single '1' bit followed by the necessary number of '0' bits. Then, a 64-bit representation of the original message length is appended, making the total padded message length a multiple of 512 bits.
SHA-1 begins with five 32-bit constants as the initial hash values:
h0 = 0x67452301
h1 = 0xEFCDAB89
h2 = 0x98BADCFE
h3 = 0x10325476
h4 = 0xC3D2E1F0
For each 512-bit block of the padded message:
a = h0, b = h1, c = h2, d = h3, e = h4
for i from 0 to 79:
if 0 ≤ i ≤ 19:
f = (b AND c) OR ((NOT b) AND d)
k = 0x5A827999
else if 20 ≤ i ≤ 39:
f = b XOR c XOR d
k = 0x6ED9EBA1
else if 40 ≤ i ≤ 59:
f = (b AND c) OR (b AND d) OR (c AND d)
k = 0x8F1BBCDC
else if 60 ≤ i ≤ 79:
f = b XOR c XOR d
k = 0xCA62C1D6
temp = (a <<< 5) + f + e + k + W[i]
e = d
d = c
c = b <<< 30
b = a
a = temp
h0 = h0 + a
h1 = h1 + b
h2 = h2 + c
h3 = h3 + d
h4 = h4 + e
The final 160-bit hash value is produced by concatenating the five 32-bit words:
SHA-1(message) = h0 || h1 || h2 || h3 || h4
A collision occurs when two different inputs produce the same hash value. For secure cryptographic hash functions, finding such collisions should be computationally infeasible. However, SHA-1 has proven vulnerable to collision attacks:
In 2017, researchers created two different PDF files with the same SHA-1 hash. This demonstrated that attackers could potentially create malicious files (like malware) that have the same hash as legitimate files, undermining security systems that rely on SHA-1 for verification.
You can see the collision demonstration at shattered.io.
Like other Merkle–Damgård construction hash functions, SHA-1 is vulnerable to length extension attacks. If an attacker knows the hash H(M) of a message M, they can compute H(M || padding || N) for any additional data N without knowing the original message M. This vulnerability affects applications that use SHA-1 in naive message authentication schemes.
Despite its known vulnerabilities, SHA-1 remains in use in some legacy systems and applications:
For security-critical applications, the following alternatives are recommended:
HMAC (Hash-based Message Authentication Code) with SHA-1 creates HMAC-SHA1, which is a construction used for message authentication. The HMAC construction largely mitigates the collision vulnerabilities of SHA-1 when used for message authentication purposes.
HMAC(K, m) = SHA1((K' ⊕ opad) || SHA1((K' ⊕ ipad) || m))
Where:
- K is the secret key
- K' is the key derived from K (padded or hashed as needed)
- opad is the outer padding (0x5C repeated)
- ipad is the inner padding (0x36 repeated)
- ⊕ is XOR operation
- || is concatenation
Despite the added security from the HMAC construction, modern security standards recommend migrating from HMAC-SHA1 to HMAC-SHA256 or other stronger alternatives for new applications.
| Hash Function | Output Size | Security Status | Performance | Best Use Cases |
|---|---|---|---|---|
| MD5 | 128 bits | Broken (trivial collisions) | Very Fast | Non-security checksums only |
| SHA-1 | 160 bits | Broken (practical collisions) | Fast | Legacy compatibility only |
| SHA-256 | 256 bits | Secure | Moderate | General cryptographic applications |
| SHA-512 | 512 bits | Highly Secure | Fast on 64-bit systems | High-security applications |
| SHA-3 | 224-512 bits | Highly Secure | Varies | Future-proof applications |
While SHA-1 is deprecated for security-critical applications, it may still be acceptable in certain limited scenarios:
SHA-1 can be used for basic data integrity checks where there is no adversarial threat model (i.e., where accidental corruption is the only concern).
Some legacy systems may require SHA-1 for compatibility. In these cases, additional security measures should be implemented wherever possible.
In some data structures where collision resistance is not a security requirement but performance matters, SHA-1 may still be used (although modern alternatives like BLAKE2 offer better performance and security).
SHA-1 played a significant role in internet security for many years, but its time has passed. The demonstrated collision attacks against SHA-1 make it unsuitable for any security-critical applications. Modern systems should use SHA-256, SHA-512, or SHA-3 for cryptographic purposes.
This generator tool is provided primarily for educational purposes, testing with legacy systems, and understanding the evolution of cryptographic hash functions. For any new development or security implementation, please use stronger alternatives.