YoSin Tools

SHA1 Hash Generator

Calculate SHA-1 hashes instantly online. Supports UTF-8, UTF-16, Hex, and Base64 input encodings. Enable HMAC-SHA1 with a secret key for message authentication codes.

Input
Output
Share Link
Settings
Hash

Related Hash Tools

SHA1 FileHash from file MD5128-bit hash MD4128-bit hash MD2128-bit hash CRCCyclic checksum

Frequently Asked Questions

What is SHA1?
SHA-1 (Secure Hash Algorithm 1) was designed by the NSA and published by NIST in 1995. It produces a 160-bit (40 hex character) digest and was the dominant hash algorithm for over a decade. Practical collision attacks were demonstrated in 2017, ending its use in security-critical applications.
SHA1 vs MD5 — which is better?
SHA-1 produces a larger 160-bit digest (vs MD5's 128-bit), making it slightly more collision-resistant. Both are broken for cryptographic security. For non-security checksums, either works. For security purposes, use SHA-256 or SHA-3.
Is SHA1 still used in Git?
Yes. Git uses SHA-1 to identify commits, blobs, trees, and tags. A migration to SHA-256 (Git 2.29+) is underway, but SHA-1 remains the default in most repositories. In Git's threat model, SHA-1 collisions require an attacker to control repository writes, so the practical risk is limited.
What is HMAC-SHA1?
HMAC-SHA1 combines SHA-1 with a secret key using the HMAC construction. It remains secure for message authentication even though SHA-1 itself is broken, because HMAC's security relies on the PRF properties of the hash, not just collision resistance. It is used in OAuth 1.0 and many legacy protocols.

About SHA1 Hash Generator

SHA-1 (Secure Hash Algorithm 1) was published by NIST in 1995 as Federal Information Processing Standard 180-1. It produces a 160-bit (20-byte) message digest by processing input in 512-bit blocks through 80 rounds of bitwise operations across four stages. For over a decade it was the most widely used cryptographic hash function in TLS certificates, code signing, and software distribution.

The SHAttered Collision

In February 2017, researchers at Google and CWI Amsterdam published "SHAttered" — the first practical SHA-1 collision. They produced two different PDF files with identical SHA-1 hashes, requiring approximately 9.2 × 10¹⁸ SHA-1 computations. This definitively ended SHA-1's use in X.509 certificates and code signing. All major browsers now reject SHA-1 TLS certificates.

SHA1 in Git

Git identifies every object (commit, tree, blob, tag) by its SHA-1 hash. Despite the SHAttered attack, Git's use is considered acceptable because generating a collision requires controlling the contents of both files — an attacker who can already write to your repository does not need a collision attack. Git is actively migrating to SHA-256 as a long-term solution.

HMAC-SHA1

HMAC-SHA1 remains secure for message authentication. OAuth 1.0, many TOTP (time-based one-time password) implementations, and various legacy APIs still use HMAC-SHA1. The HMAC construction's security does not require collision resistance — it relies on SHA-1 behaving as a pseudorandom function when keyed, a property that has not been broken.

When to Use SHA1 Today

Use SHA-1 only for legacy compatibility — matching checksums published before 2017, interoperating with systems that require it, or working with Git internals. For all new applications, SHA-256 (from the SHA-2 family) or SHA3-256 is the recommended choice.