How insecure is a salted SHA1 compared to a salted SHA512

SHA1 is completely insecure and should be replaced.

This question is 8+ years old and times have changed: https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

For passwords: https://en.wikipedia.org/wiki/PBKDF2

For data: SHA3


SHA512 is more complex than SHA1, but how much security am I losing by hashing a salted password with SHA1 compared to hashing it with 512, in terms of the time it would take for someone who has the db to crack a single password? I’m using a framework that doesn’t give me easy access to SHA512; I’d have to override stuff to make it work, so I’m thinking to just use SHA1, though in the past I’ve always used SHA512.


Answer

The currently known weaknesses on SHA-1 do not impact the security of what you are trying to do. Impossibility to recover the password from its hashed version relies on “preimage resistance” which is, as far as we know, still fully infeasible with SHA-1. It is also fully infeasible with SHA-512, SHA-256, or even MD4 or MD5. A Sci-Fi oriented mind may envision computers achieving the power to find preimages for MD4 or MD5 around year 2050; it will take much longer for SHA-1.

Now it so happens that while there is no known shortcut to computing preimages on SHA-1, there is little security proof either. In mathematical words, if the compression function used in SHA-1 is indistinguishable from a “random oracle” then it is secure against preimages. But the known weaknesses on SHA-1, which (theoretically) lead to collisions, also show that its compression function is not a random oracle. Therefore, the security of SHA-1 against preimages is no longer of the “there’s good mathematical reason why it does not break” persuasion. It is more of the “meh, haven’t found how to break it yet” kind.

In more mundane words, if you use SHA-1 then you will probably have to justify yourselves. Even if you do nothing wrong, your choice of SHA-1 will be questioned. Whereas nobody would question using SHA-256 or SHA-512, even if it implies some development overhead. Briefly stated, using SHA-1 is bad public relations.

Note that salting is fully orthogonal to that question. Salting is meant to prevent cost sharing between attacks on distinct password instances. Precomputed tables (including so-called “rainbow tables”) are a kind of sharing (the table building is expensive but can be used to attack 2, 10, 10000 passwords at minor extra cost per attacked password). Salting defeats sharing. Salting is good. Defeating sharing is important because attacking one password is possible: not because of the hash function, but because a password is something which fits in a human brain, and therefore is amenable to brute force (a “dictionary attack”). With anything related to passwords, you will not get problems due to weaknesses in hash functions, but because you use passwords in the first place.
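To make the cost-sharing point concrete, here is an added Python example (not part of the question or the answer): it stores passwords as H(salt || password) with SHA-1 or SHA-512 through `hashlib`, exactly the scheme the question asks about, and counts how many hash evaluations are needed to test a candidate list against every stored record when the salt is shared versus per-user. The user passwords and candidate words are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ALGO = "sha1"  # the question's choice; pass "sha512" to compare

def hash_password(password: str, salt: bytes, algo: str = ALGO) -> bytes:
    """Salted hash as in the question: H(salt || password), no iteration."""
    return hashlib.new(algo, salt + password.encode("utf-8")).digest()

def make_record(password: str, salted: bool, algo: str = ALGO) -> tuple[bytes, bytes]:
    """Return (salt, digest). Unsalted storage is modelled as an empty salt shared by all users."""
    salt = os.urandom(16) if salted else b""
    return salt, hash_password(password, salt, algo)

def verify(password: str, record: tuple[bytes, bytes], algo: str = ALGO) -> bool:
    """Login check against one stored record, using a constant-time comparison."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt, algo), digest)

def guessing_cost(records, candidates, algo: str = ALGO) -> tuple[int, int]:
    """Hash evaluations needed to test every candidate against every record.

    Records that share a salt also share each evaluation: one H(salt || candidate)
    is compared against all of their digests. With an empty (shared) salt that is
    len(candidates) evaluations in total; with unique per-user salts it is
    len(records) * len(candidates). Returns (evaluations, records_matched).
    """
    by_salt = defaultdict(list)
    for salt, digest in records:
        by_salt[salt].append(digest)
    evaluations = matched = 0
    for salt, digests in by_salt.items():
        for cand in candidates:
            evaluations += 1
            h = hash_password(cand, salt, algo)
            matched += sum(1 for d in digests if hmac.compare_digest(h, d))
    return evaluations, matched

if __name__ == "__main__":
    users = ["correct horse", "letmein", "letmein", "Tr0ub4dor&3"]  # constructed sample
    candidates = ["password", "letmein", "123456"]                  # constructed sample
    for salted in (False, True):
        recs = [make_record(p, salted) for p in users]
        # prints "unsalted (3, 2)" then "salted (12, 2)"
        print("salted" if salted else "unsalted", guessing_cost(recs, candidates))
```

Swapping `ALGO` for `"sha512"` changes the digest length, not the evaluation counts: the multiplier comes from the salt, which is the answer's point.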

User contributions licensed under: CC BY-SA