SHA-1 vs SHA-256

One is retired with honors; the other is the working standard. If you're choosing today, choose SHA-256 — here's the record.

SHA-1SHA-256
introduced19952001
output160 bits · 40 hex256 bits · 64 hex
collisionsdemonstrated 2017 (SHAttered)none known
chosen-prefix collisionsdemonstrated 2020 (~$45k of compute then)none known
browser/CA acceptancedropped in 2017universal
NIST statusretiredapproved (FIPS 180-4)
ok for corruption checks?yesyes

How SHA-1 fell

The pattern is the standard one: theoretical weakness (2005) → demonstrated collision (SHAttered, 2017 — two working PDFs, one hash) → chosen-prefix collisions at practical cost ("SHA-1 is a Shambles," 2020). Chosen-prefix is the dangerous grade: it lets an attacker build two chosen documents that collide, which is how signatures and certificates get forged. Infrastructure moved before the demos landed — browsers rejected SHA-1 certificates from 2017 — and the price of the attack only falls each year.

The git asterisk

The most-cited SHA-1 holdout is git, which names every commit and blob with it. Two mitigations keep that tolerable: git's default hasher detects the known collision-attack patterns and rejects them, and a full SHA-256 object format exists for new repositories (interop with the wider SHA-1 ecosystem is still the friction). It's a managed legacy, not an endorsement — nobody designing a new system in 2026 reaches for SHA-1.

Practical guidance

Old release page listing 40-character hashes? Verify against them — corruption detection still works, and the verify tool recognizes SHA-1 by length automatically. Anything you build, publish or configure: SHA-256. Speed hasn't been a differentiator since CPUs grew SHA-256 instructions, and everything that reads checksums expects 64 characters now. The MD5 comparison tells the same story from further back; what is a checksum covers what these checks prove in the first place.

questions

What exactly broke SHA-1?

Collisions became practical: SHAttered (2017) produced two different PDFs with the same SHA-1, and "SHA-1 is a Shambles" (2020) demonstrated chosen-prefix collisions — the kind that forge certificates. Browsers and certificate authorities had already dropped it before the demos landed.

Is git still using SHA-1?

By default, yes — with a hardened variant that detects the known collision patterns — and git ships an optional SHA-256 object format for new repositories. Ecosystem tooling still assumes SHA-1, so migration is gradual. For git's use (naming your own objects), the risk is modest; for verifying downloads, use SHA-256.

Is SHA-1 okay for checksumming my own files?

It detects accidental corruption fine — collisions require an adversary crafting both inputs. But since SHA-256 is just as available in every tool and API, there's no upside to starting anything new on SHA-1.

Is SHA-256 slower than SHA-1?

Marginally in software, often not at all in practice — most current CPUs accelerate SHA-256 in hardware, and for file checksumming your disk is usually the bottleneck anyway. Speed is no reason to stay on SHA-1.