Why SHA-1 Is Broken — and What Replaced It

SHA-1 was published in 1995 and quickly became the default cryptographic hash for everything: TLS certificates, Git commits, code signing, password storage, file integrity. By 2005 it was theoretically broken. By 2017 it was practically broken. By 2022 NIST formally retired it. Here is the timeline of how a 160-bit hash went from industry standard to forensic curiosity.

What "Broken" Actually Means

A cryptographic hash needs three properties: pre-image resistance (you can't reverse it), second pre-image resistance (given input A, you can't find a different input B that hashes to the same value), and collision resistance (you can't find any two inputs that hash to the same value).

Collision resistance is the weakest of the three — birthday attacks mean a 160-bit hash should resist collisions only up to about 2^80 work. That sounds enormous, but cryptanalytic shortcuts can erode it. SHA-1's break is specifically a collision attack: nobody can reverse a SHA-1 hash, but they can craft two different files that share one.

2005: The First Crack

Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu published an attack reducing SHA-1 collision search from 2^80 to 2^69 operations. That's still well beyond consumer hardware in 2005, but it broke the "ideal" security claim. From that point on, anyone designing new systems was advised to move to SHA-2.

This was a theoretical break. It signalled that SHA-1 was on the path to becoming unsafe, but exploiting it required nation-state computing budgets.

2017: SHAttered

Google and CWI Amsterdam published the first practical SHA-1 collision: two PDF files with identical SHA-1 hashes but different visible content. The attack required roughly 2^63 SHA-1 evaluations — about 6,500 CPU-years and 110 GPU-years, or six months of compute on Google's infrastructure. That's expensive, but very much within reach of well-funded organisations.

The PDFs were the proof-of-concept. The implication was that any system relying on SHA-1 to distinguish documents — code-signing, certificate revocation, version control — could be subverted by anyone with the budget to rent a moderate amount of cloud compute.

2020: SHAmbles

SHAttered was an "identical-prefix" collision: both PDFs had to share the same starting bytes. That limits its practical use. Three years later, Leurent and Peyrin published SHAmbles — the first chosen-prefix collision on SHA-1, where an attacker could pick two arbitrary prefixes and then find suffixes that made the hashes match.

Chosen-prefix is the dangerous variant. It enables forging certificates: an attacker can take a legitimate certificate request and a malicious one, run the attack, and end up with a CA-signed certificate that's also valid for the malicious data. The cost dropped to roughly $45,000 of cloud compute. Affordable for any motivated attacker.

The same paper demonstrated forging a PGP key in the legacy web of trust. SHA-1 was now practically dangerous in any role where collisions mattered.

What Got Migrated

• TLS certificates — major browsers stopped trusting SHA-1 certificates by 2017
• Code signing — Microsoft Authenticode and Apple deprecated SHA-1 by 2020
• Git — moved from SHA-1 to a SHA-256 transition in 2018; full SHA-256 support shipped progressively through 2020-2024
• OpenPGP / GnuPG — modern keys default to SHA-2; SHA-1 signatures no longer trusted by default
• SSH — ssh-rsa with SHA-1 signatures was disabled by default in OpenSSH 8.8 (2021)

Where SHA-1 Still Lingers

SHA-1 is still safe for a few non-collision-sensitive uses. HMAC-SHA-1 is still considered secure (HMAC's structure means even hashes with broken collision resistance remain safe inside HMAC). PBKDF2-SHA-1 is still acceptable for password storage, though there's no good reason to choose it over SHA-256 in new code. Git's default SHA-1 mode is also still in use, with mitigations (the "hardened SHA-1" variant detects the known collision attack patterns).

For everything else — file integrity checks, certificate signing, anything where two files matching means anything — SHA-1 is dead. Use SHA-256 or SHA-3 instead.

The Lesson

Hash functions don't fail suddenly. They erode. The interval between "academically broken" (2005) and "practically dangerous" (2020) was fifteen years — enough warning to migrate, but only if you were paying attention. SHA-256 is currently sound, but the pattern repeats: once a hash family is in widespread use, cryptanalysts spend decades chipping away at it. Build systems with hash agility — the ability to swap algorithms without rewriting half the code — and you'll thank yourself when the next break lands.