Is storing of passwords in sha-1 hashing secure?

IToolkit August 29, 2023 3 min read Hash Encoding
Examines if SHA-1 hashing is still secure for password storage given new vulnerabilities, and discusses stronger alternatives like bcrypt and best practices.
On this page
Is storing of passwords in sha-1 hashing secure?

Excerpt

SHA-1 hashing for passwords is no longer recommended due to weaknesses enabling brute force attacks. More secure alternatives like bcrypt and scrypt are now preferred.

Introduction

In today’s digital world, password security is paramount. Hashing algorithms are commonly used to securely store password data. SHA-1 has been one of the most widely used hashing functions. However, security researchers have found vulnerabilities in SHA-1. This raises the question - is SHA-1 hashing still considered secure for password storage? This blog examines SHA-1 and its weaknesses, alternatives for password hashing, real-world breaches, and best practices for robust security.

What is SHA-1 Hashing?

SHA-1 or Secure Hash Algorithm 1 is a cryptographic hash function designed by the NSA. It takes an input string like a password and generates a 160-bit hash value. This hash value can then be stored instead of the actual password.

SHA-1 is fast to compute. Historically it was considered strong enough against brute force attacks. These made SHA-1 a popular choice for password hashing.

The Security Concerns with SHA-1 Hashing

In recent years, new attacks have exposed vulnerabilities in SHA-1:

  • Mathematical weaknesses make it possible to find SHA-1 collisions - two inputs with the same hash. This enables an attacker to potentially access accounts by finding a password that matches a compromised SHA-1 hash.

  • With modern GPUs, it has become trivial to brute force crack SHA-1 hashes and reveal the original passwords.

  • Organizations using unsalted SHA-1 hashes were left vulnerable to rainbow table attacks.

Overall, SHA-1 cannot be considered a secure algorithm for password storage anymore.

Alternatives to SHA-1 Hashing

More secure password hashing algorithms available today include:

  • SHA-256 - Offers 256-bit hashes and is cryptographically stronger against collisions.

  • bcrypt - Uses salts and configurable rounds of encryption to resist brute force attacks.

  • scrypt - Also utilizes salts and is memory-hard to make password cracking extremely slow.

These modern algorithms offer much better protection compared to SHA-1.

Case Studies and Real-World Examples

Several incidents have exposed the weaknesses of SHA-1 for password security:

  • LinkedIn - Used unsalted SHA-1 hashes which were quickly cracked by hackers, compromising millions of passwords.

  • Gawker - SHA-1 hashes were leaked which allowed easy decryption of user passwords using GPUs.

  • Dropbox - Also used plain SHA-1 hashing leaving passwords vulnerable if hashes were obtained.

These breaches demonstrate how using SHA-1 hashing can be disastrous if password databases are compromised.

Best Practices for Password Storage

To maximize password security, organizations should:

  • Use secure hashing algorithms like bcrypt or scrypt with added salt.

  • Enforce password complexity policies - longer passwords with complex character requirements.

  • Implement multi-factor authentication as an additional layer of security.

  • Limit login attempts to prevent brute force attacks.

  • Regularly audit and patch systems to address emerging threats proactively.

For users, having unique passwords for each service and using a password manager helps prevent password reuse across breached databases.

Conclusion

In summary, SHA-1 hashing is no longer considered secure for password storage due to cryptographic weaknesses enabling brute force and collision attacks. Alternatives like SHA-256, bcrypt and scrypt are recommended. Combined with strong passwords and multifactor authentication, password security can be significantly enhanced against modern threats.

Amanda August 29, 2023 4 min read Blog
What's the most known/popular hashing algorithm?
What's the most known/popular hashing algorithm?
Hash Encoding Decoding
Compares popular hashing algorithms like MD5, SHA-1, SHA-256, bcrypt and scrypt. It explains SHA-256 is currently the most widely used secure algorithm.
IToolkit August 24, 2023 4 min read Blog
What is SHA256 code?
What is SHA256 code?
Hash Encoding Decoding
Learn about the definition, working principle, applications, advantages, and limitations of sha256 code in cryptography and various fields.
Amanda August 30, 2023 4 min read Blog
What is the Algorithm Used to Generate SHA-512 Hashes?
What is the Algorithm Used to Generate SHA-512 Hashes?
Hash Encoding Decoding
Learn about the algorithm used to generate SHA-512 hashes, its strengths and weaknesses, and its applications in data security.
Mia August 24, 2023 3 min read Blog
What is a Simple, Secure Mental Hashing Algorithm?
What is a Simple, Secure Mental Hashing Algorithm?
Hash Encoding Decoding
This article explains mental hashing algorithms, provides an example algorithm, and discusses considerations for simplicity, security, benefits and limitations.
Mia August 30, 2023 3 min read Blog
How to go about decrypting SHA's?
How to go about decrypting SHA's?
Hash
Learn about the process of decrypting SHA hashes and the tools used for it. Explore the ethical considerations and best practices for password security.
Mia August 29, 2023 3 min read Blog
Why was LinkedIn using unsalted SHA-1 to hash passwords?
Why was LinkedIn using unsalted SHA-1 to hash passwords?
Hash
This article examines why LinkedIn used insecure unsalted SHA-1 for password hashing, the risks it posed, LinkedIn's response, and lessons learned.
Amanda August 24, 2023 6 min read Blog
Argon2i, SHA512, or Bcrypt? Which is the best?
Argon2i, SHA512, or Bcrypt? Which is the best?
Hash
A comparison of Argon2i, SHA512, and Bcrypt password hashing algorithms to determine the best one for secure password storage.
Davy August 23, 2023 3 min read Blog
What is the Difference Between MD5, SHA-1 and SHA-2?
What is the Difference Between MD5, SHA-1 and SHA-2?
Hash
Learn about the differences between MD5, SHA-1, and SHA-2 hashing algorithms. Explore their definitions, vulnerabilities, and recommended use cases.
Davy August 21, 2023 3 min read Blog
What is pbkdf2withhmacsha1?
What is pbkdf2withhmacsha1?
Hash
PBKDF2withHMACSHA1 combines key derivation and hashing techniques to significantly strengthen password security protections.
IToolkit August 30, 2023 4 min read Blog
How to Get a Text from a SHA-256 Hash?
How to Get a Text from a SHA-256 Hash?
Hash Encoding Decoding
This blog examines why reversing a SHA-256 hash to get the original text is considered practically impossible with current technology.