Comparison
SHA-1 vs SHA-256: SHA-1 is dead, but Git still uses it
SHA-1: don't use it. SHA-256: yes, for everything.
By Buğra SözeriPublished
TL;DR. SHA-1 is cryptographically broken — a practical collision was demonstrated by Google in 2017 and chosen-prefix attacks became affordable in 2020 — so use SHA-256 for every new security application. Git still uses SHA-1 for object hashes but is migrating; non-security fingerprinting (caches, deduplication) is unaffected.
SHA-1 (160-bit output, 1995) and SHA-2 family (256/384/512-bit outputs, 2001) are both NIST-published cryptographic hash functions. SHA-1 was the dominant integrity hash through the 2000s. It’s now deprecated everywhere security matters — but not yet everywhere.
The headline
| Property | SHA-1 | SHA-256 |
|---|---|---|
| Output size | 160 bits (40 hex chars) | 256 bits (64 hex chars) |
| Published | 1995 (NIST FIPS 180-1) | 2001 (NIST FIPS 180-2) |
| Theoretical collision | 2005 (Wang et al., 2⁶⁹) | None demonstrated |
| Practical collision | 2017 (Google SHAttered, ~$110K cloud cost) | None as of 2026 |
| Status in TLS certificates | Deprecated 2017 | Current standard |
| Status in Git | Still default, migration underway | Opt-in via SHA-256 repos |
| Speed (x86-64) | ~700 MB/s | ~400 MB/s (slower) |
How SHA-1 broke
A cryptographic hash function should make it computationally infeasible to find two inputs that produce the same hash. SHA-1’s 160-bit output gave 2⁸⁰ collision resistance on paper — far beyond brute-force budgets at design time in 1995.
Three milestones eroded that:
- 2005: Wang, Yin, and Yu published a theoretical attack reducing collision search to ~2⁶⁹ operations — still infeasible at the time but a clear warning shot.
- 2017: Google’s SHAttered project demonstrated the first practical SHA-1 collision: two PDFs with the same SHA-1 hash. Cost: ~$110K of GPU compute and 9 quintillion SHA-1 evaluations.
- 2020: Leurent and Peyrin published a chosen-prefix collision attack — given any two arbitrary file headers, append carefully crafted bytes and produce colliding files. Cost: ~$45K in cloud compute. This is the kind of attack that enables forged certificates and spoofed signatures in the wild.
After 2020, SHA-1 is unsuitable for any security purpose where forgery matters.
Where SHA-1 is still acceptable
Non-adversarial fingerprinting — where there’s no attacker incentive to forge collisions — is still fine with SHA-1:
- Git commit and tree object hashes. An attacker forging a collision would need to inject crafted commits and have them accepted into mainstream mirrors. Git also runs SHA-1 detection of known-attack patterns (the SHAttered detection) on every operation, making attack injection visible.
- Content-addressable storage where you control all the inputs (build caches, CDN deduplication).
Even in these cases, SHA-256 is the right default for new systems. The performance gap (SHA-256 is ~40% slower than SHA-1 on most modern CPUs) is irrelevant for almost every workload.
Where SHA-256 is mandatory
- TLS certificate signatures. Browsers stopped accepting SHA-1 in 2017.
- JWT signatures (HS256, RS256, ES256). The 256 is SHA-256.
- Code signing. Microsoft and Apple stopped accepting SHA-1 signatures around 2016-2017.
- Anywhere collision attacks would enable forgery. Document signatures, cryptocurrency, identity proofs.
The Git migration
Git has been migrating to SHA-256 since 2018. The migration is technically straightforward but takes time because every Git server, every CI/CD system, every dependency manager has to support both. Status as of 2026:
- SHA-256 repositories work end-to-end on modern Git.
- GitHub supports SHA-256 repos but defaults to SHA-1 for new repos.
- GitLab and Bitbucket: partial support, varies by version.
- Most CI integrations work with both.
Default behaviour for the Git CLI is still SHA-1. To create a SHA-256 repo: git init --object-format=sha256. Once migration completes — likely 2027-2028 timeframe — the default will flip.
The pragmatic rule
- For new systems: SHA-256. Always. The performance gap doesn’t matter.
- For legacy SHA-1 systems: migrate when feasible, but don’t panic — the threat is real but specific.
- For Git specifically: SHA-1 is fine for now. Watch for SHA-256 to become the default.
- For TLS, code signing, JWT, crypto: SHA-256 was already the only acceptable choice.
Compute both hashes via our hash generator.
Numeric facts
- Hex length: SHA-1 = 40 chars (160 bits); SHA-256 = 64 chars (256 bits); base64url = 27 chars vs 43 chars unpadded.
- Birthday-bound collision resistance: SHA-1 ~2⁸⁰ generic, dropped to ~2⁶¹ after the 2017 SHAttered attack; SHA-256 remains ~2¹²⁸.
- SHAttered cost (2017): 9,223,372,036,854,775,808 SHA-1 evaluations, ~$110,000 in GPU cloud time, 6,500 CPU-years equivalent.
- Chosen-prefix attack (Leurent & Peyrin, 2020): ~$45,000 on AWS — affordable to mid-sized criminal operations.
- Throughput on Intel SHA-NI (Ice Lake / Zen 3+): SHA-1 ~2.1 GB/s/core; SHA-256 ~1.9 GB/s/core — hardware acceleration narrows the gap to ~10%, not 40%.
- Without hardware acceleration: SHA-1 ~700 MB/s vs SHA-256 ~400 MB/s — the legacy ~40% gap people quote.
- Block size: both use 512-bit blocks; SHA-1 produces a 160-bit state, SHA-256 a 256-bit state.
- Browsers in 2017: Chrome 56, Firefox 51, Edge — all stopped accepting SHA-1 TLS certificates on January 24, 2017.
Decision matrix
| Use case | Hash |
|---|---|
| TLS certificate signature | SHA-256 (SHA-1 banned) |
| JWT HS256/RS256/ES256 | SHA-256 |
| HMAC for API request signing | HMAC-SHA-256 |
| Code signing (Authenticode, codesign) | SHA-256 |
| Bitcoin block / address derivation | SHA-256 (double-hashed) |
| Git object hash (legacy repo) | SHA-1 acceptable, with collision detection |
| Git object hash (new repo) | SHA-256 via --object-format=sha256 |
| CDN ETag / cache key | Either; SHA-256 fine on modern CPUs |
| Password hashing | Neither — use argon2id / bcrypt / scrypt |
Sources
- NIST FIPS 180-4 — Secure Hash Standard — csrc.nist.gov/pubs/fips/180-4.
- Stevens, M. et al. — The first collision for full SHA-1, CRYPTO 2017 (SHAttered) — shattered.io.
- Leurent, G. & Peyrin, T. — SHA-1 is a Shambles, USENIX Security 2020 — sha-mbles.github.io.
Frequently asked questions
- Is SHA-1 actually broken?
- Yes — practically since 2017 (Google's SHAttered demonstrated a real PDF collision for $110K of compute) and dramatically since 2020 (chosen-prefix collisions for $45K). Any security use case where an attacker benefits from a forged hash is vulnerable.
- Why does Git still use SHA-1?
- Inertia and a pragmatic threat model. Git's hashes are content-addressable, not security tokens, and the SHAttered detection logic Git ships catches known attack patterns. The SHA-256 migration has been underway since 2018 but every Git server and tool has to support both, which takes time.
- Is SHA-256 slower than SHA-1?
- About 40% slower on most modern CPUs — around 400 MB/s vs 700 MB/s. Both are dominated by I/O for any realistic workload, so the difference is rarely meaningful. Hardware acceleration (Intel SHA extensions, ARMv8 crypto) narrows the gap further.
- Where should I never use SHA-1?
- TLS certificate signatures (browsers stopped accepting them in 2017), JWT signatures, code signing, document signatures, cryptocurrency, identity proofs — anywhere a forged collision would benefit an attacker. SHA-256 or stronger is the only acceptable default for new systems.
Related
Published May 15, 2026