What is SHA-1?

Definition of SHA-1 and How It's Used to Verify Data

SHA-1 (short for Secure Hash Algorithm) is one of several cryptographic hash functions.

SHA-1 is most often used to verify that a file has been unaltered. This is done by producing a checksum before the file has been transmitted, and then again once it reaches its destination.

The transmitted file can be considered genuine only if both checksums are identical.

History & Vulnerabilities of the SHA Hash Function

SHA-1 is only one of the four algorithms in the Secure Hash Algorithm (SHA) family.

Most were developed by the US National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST).

SHA-0 has a 160-bit message digest (hash value) size and was the first version of this algorithm. SHA-0 hash values are 40 digits long. It was published under the name "SHA" in 1993 but wasn't used in many applications because it was quickly replaced with SHA-1 in 1995 due to a security flaw.

SHA-1 is the second iteration of this cryptographic hash function. SHA-1 also has a message digest of 160 bits and sought to increase security by fixing a weakness found in SHA-0. However, in 2005, SHA-1 was also found to be insecure.

Once cryptographic weaknesses were found in SHA-1, NIST made a statement in 2006 encouraging federal agencies to adopt the use of SHA-2 by the year 2010. SHA-2 is stronger than SHA-1 and attacks made against SHA-2 are unlikely to happen with current computing power.

Beyond federal agencies, companies like Google, Mozilla, and Microsoft have all said that they will stop accepting SHA-1 SSL certificates by the year 2017.

SHA-2 & SHA-3

SHA-2 was published in 2001, several years after SHA-1. SHA-2 includes six hash functions with varying digest sizes: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

Another member of the Secure Hash Algorithm family, called SHA-3 (formerly Keccak), was developed by non-NSA designers and released by NIST in 2015.

SHA-3 isn't meant to replace SHA-2 like the previous versions were meant to replace earlier ones. Instead, SHA-3 was developed just as another alternative to SHA-0, SHA-1, and MD5.

How is SHA-1 Used?

One real-world example where SHA-1 may be used is when you're entering your password into a website's login page. Though it happens in the background without your knowledge, it may be the method a website uses to securely verify that your password is authentic.

In this example, imagine you're trying to log in to a website you often visit. Each time you request to log on, you're required to enter your username and password.

If the website uses the SHA-1 cryptographic hash function, it means your password is turned into a checksum after you enter it in. That checksum is then compared with the checksum that's stored on the website. If the two match, you're granted access; if they don't, you're told the password is incorrect.

Another example where the SHA-1 hash function may be used is for file verification. Some websites will provide the SHA-1 checksum of the file on the download page so that when you download the file, you can check the checksum for yourself to ensure that the downloaded file is the same as the one you intended to download.

See my How to Verify File Integrity in Windows with FCIV for a short tutorial on this process.

You may also want to check that the two files are identical if you're installing a service pack or some other program or update because problems occur if some of the files are missing during installation.
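
The file check described above, as an added example that is not part of the original article: it hashes a download in chunks, normalizes the checksum as a download page might show it, and accepts the file only if both values are identical. The function names and the sample file are assumptions made for illustration; SHA-256 is accepted as well because the article names SHA-2 as the stronger choice.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest lengths for the algorithms this sketch accepts.
HEX_LEN = {"sha1": 40, "sha256": 64}

def file_digest(path, algorithm="sha1", chunk_size=64 * 1024):
    """Hash a file in chunks so a large download never sits fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def normalize_published(text, algorithm="sha1"):
    """Accept 'HASH', 'HASH  filename' and upper-case hex; reject anything else."""
    parts = text.strip().split()
    token = parts[0].lower() if parts else ""
    if len(token) != HEX_LEN[algorithm] or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("published value is not a %s checksum" % algorithm)
    return token

def verify_download(path, published, algorithm="sha1"):
    """Return True only if the file's checksum is identical to the published one."""
    expected = normalize_published(published, algorithm)
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)

def demo():
    # Constructed sample: a small "download" plus two damaged copies of it.
    original = b"service-pack contents, constructed sample\n" * 1000
    published = hashlib.sha1(original).hexdigest().upper() + "  update.bin"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.bin")
        for label, data in (("intact", original),
                            ("truncated", original[:-1]),
                            ("bit-flipped", b"S" + original[1:])):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, published)
    return results

if __name__ == "__main__":
    print(demo())
```

A malformed or wrong-length published value raises ValueError instead of silently failing the comparison, which separates a copy-paste mistake from a file that really differs.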

SHA-1 Checksum Calculators

A special kind of calculator can be used to determine the checksum of a file or group of characters.

For example, SHA1 Online is a free online tool that can generate the SHA-1 checksum of any group of text, symbols, and numbers.

See my What is a Checksum? for some other free tools that can find the checksum of actual files on your computer and not just a string of text.