SHA-1 vs SHA-256
One is retired with honors; the other is the working standard. If you're choosing today, choose SHA-256 — here's the record.
| SHA-1 | SHA-256 | |
|---|---|---|
| introduced | 1995 | 2001 |
| output | 160 bits · 40 hex | 256 bits · 64 hex |
| collisions | demonstrated 2017 (SHAttered) | none known |
| chosen-prefix collisions | demonstrated 2020 (~$45k of compute then) | none known |
| browser/CA acceptance | dropped in 2017 | universal |
| NIST status | retired | approved (FIPS 180-4) |
| ok for corruption checks? | yes | yes |
How SHA-1 fell
The pattern is the standard one: theoretical weakness (2005) → demonstrated collision (SHAttered, 2017 — two working PDFs, one hash) → chosen-prefix collisions at practical cost ("SHA-1 is a Shambles," 2020). Chosen-prefix is the dangerous grade: it lets an attacker build two chosen documents that collide, which is how signatures and certificates get forged. Infrastructure moved before the demos landed — browsers rejected SHA-1 certificates from 2017 — and the price of the attack only falls each year.
The git asterisk
The most-cited SHA-1 holdout is git, which names every commit and blob with it. Two mitigations keep that tolerable: git's default hasher detects the known collision-attack patterns and rejects them, and a full SHA-256 object format exists for new repositories (interop with the wider SHA-1 ecosystem is still the friction). It's a managed legacy, not an endorsement — nobody designing a new system in 2026 reaches for SHA-1.
Practical guidance
Old release page listing 40-character hashes? Verify against them — corruption detection still works, and the verify tool recognizes SHA-1 by length automatically. Anything you build, publish or configure: SHA-256. Speed hasn't been a differentiator since CPUs grew SHA-256 instructions, and everything that reads checksums expects 64 characters now. The MD5 comparison tells the same story from further back; what is a checksum covers what these checks prove in the first place.
questions
What exactly broke SHA-1?
Collisions became practical: SHAttered (2017) produced two different PDFs with the same SHA-1, and "SHA-1 is a Shambles" (2020) demonstrated chosen-prefix collisions — the kind that forge certificates. Browsers and certificate authorities had already dropped it before the demos landed.
Is git still using SHA-1?
By default, yes — with a hardened variant that detects the known collision patterns — and git ships an optional SHA-256 object format for new repositories. Ecosystem tooling still assumes SHA-1, so migration is gradual. For git's use (naming your own objects), the risk is modest; for verifying downloads, use SHA-256.
Is SHA-1 okay for checksumming my own files?
It detects accidental corruption fine — collisions require an adversary crafting both inputs. But since SHA-256 is just as available in every tool and API, there's no upside to starting anything new on SHA-1.
Is SHA-256 slower than SHA-1?
Marginally in software, often not at all in practice — most current CPUs accelerate SHA-256 in hardware, and for file checksumming your disk is usually the bottleneck anyway. Speed is no reason to stay on SHA-1.