SHA-1 vs SHA-256

Differences, use cases, and when to use each

SHA-1 (160-bit) has been deprecated for security use after practical collision attacks were demonstrated in 2017. SHA-256 (256-bit) remains secure and is the recommended replacement.

Quick Comparison

Feature | SHA-1 | SHA-256
Hash Size | 160-bit (40 hex chars) | 256-bit (64 hex chars)
Security | Deprecated (collisions demonstrated) | Secure
Git Usage | Used by Git (being migrated) | Git's migration target
Certificate Usage | Rejected by browsers since 2017 | Current standard

When to Use Each

When to Use SHA-1

Avoid SHA-1 for new applications. It's only acceptable in legacy systems being migrated, and in Git (which is transitioning to SHA-256).

When to Use SHA-256

Use SHA-256 as the default hash function for all new applications. It is secure, widely supported, and recommended by NIST.
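
An added example (not part of the original page): a Python sketch for migrating a legacy checksum manifest. It tells SHA-1 entries from SHA-256 entries by hex length (40 vs 64 characters), verifies each one, and emits SHA-256 replacement lines. The "digest  name" manifest format, the name audit_manifest and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re

# Hex digest length -> algorithm: 40 chars is SHA-1, 64 chars is SHA-256.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def audit_manifest(manifest_text, files):
    """Verify 'digest  name' lines and build a SHA-256-only replacement.

    files maps name -> bytes (hypothetical stand-in for reading from disk).
    Returns (report, new_manifest); report maps name -> status string.
    """
    report, new_lines = {}, []
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            if line.strip():
                report[line.strip()] = "malformed"
            continue
        digest, name = parts[0].lower(), parts[1].strip()
        algo = ALGO_BY_HEX_LEN.get(len(digest)) if HEX_RE.match(digest) else None
        if algo is None:
            report[name] = "unknown-digest"
        elif name not in files:
            report[name] = "missing-file"
        elif hashlib.new(algo, files[name]).hexdigest() != digest:
            report[name] = "mismatch"
        else:
            # A matching SHA-1 digest only bridges the migration; it is not
            # collision resistant, so the entry is re-pinned with SHA-256.
            report[name] = "ok" if algo == "sha256" else "ok-legacy-sha1"
            new_lines.append(f"{hashlib.sha256(files[name]).hexdigest()}  {name}")
    return report, "\n".join(new_lines)


# Constructed sample data: one legacy SHA-1 entry, one SHA-256 entry,
# and one entry whose recorded digest does not match the file contents.
SAMPLE_FILES = {"app.tar": b"release build", "notes.txt": b"changelog", "lib.so": b"binary"}
SAMPLE_MANIFEST = "\n".join([
    hashlib.sha1(b"release build").hexdigest() + "  app.tar",
    hashlib.sha256(b"changelog").hexdigest() + "  notes.txt",
    hashlib.sha1(b"tampered").hexdigest() + "  lib.so",
])

if __name__ == "__main__":
    report, new_manifest = audit_manifest(SAMPLE_MANIFEST, SAMPLE_FILES)
    print(report)
    print(new_manifest)
```

Entries reported as mismatch, missing-file or unknown-digest are left out of the new manifest, so a file that failed its legacy check is never re-pinned under SHA-256.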

Pros & Cons

SHA-1

Pros:
Faster than SHA-256
Shorter output

Cons:
Deprecated for security
Collision attacks demonstrated

SHA-256

Pros:
Cryptographically secure
NIST recommended
Long-term security

Cons:
Slightly slower
Longer hash strings

Verdict

Always use SHA-256 over SHA-1. SHA-1 is deprecated by NIST, rejected by browsers, and has demonstrated collisions. The performance difference is negligible.
