SHA-1 and MD5 Hashes

Started by Darren Dirt, September 11, 2012, 08:32:26 AM


Darren Dirt

MD5 sure, but I thought SHA1 is still pretty good for most non-DoD purposes -- are you sure you're not just thinking of the original SHA-0?

Quote from: http://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation
The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function.



I still think it's nice to know about an easy-to-find JS version (esp. as part of a larger library of JS functions that might not be standard part of the language nor of jQuery) http://phpjs.org/functions/sha1:512
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

I've used SHA-1 to generate random numbers and the like but I wouldn't actually use it for cryptography...

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
By Grabthar's Hammer

Thorin

No, the cryptographers have been recommending using SHA256 since I was at Upside (nine years ago!).  SHA256 and SHA512 (what they're now recommending) are both part of the SHA-2 specification.  I remember reading the NSA is working on an SHA-3 specification that's supposed to increase the complexity by many times, to counteract the faster computing power since SHA-2 came out (2001?  2002?).
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Well it's weird that the Wikipedia opening paragraph for MD5 makes it really clear that it's broken, and suggests/links to the SHA-1 article. But on the SHA-1 article it talks about how it is a solution to the problems of SHA-0.

I get the impression that SHA-1 is still fine for something quick and not super-critical like hashing a user's password+salt into your database (rather than MD5)... but it's not like I've spent a bunch of time comparing modern hash algorithms ;) Even Google has offered its own improvement on what others have been working on: http://google-opensource.blogspot.ca/search/label/cityhash but overall I wonder if most developers just end up using SHA-1 since it's easy to find an implementation and runs not very slow and is way better than MD5?

Quote from: Mr. Analog on September 11, 2012, 08:38:50 AM
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

"It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important)"


Hmmm... So w/e, thanks for the links guys, interesting to know -- but I don't want this thread to become an encryption discussion  :-X

Thorin

Quote from: Darren Dirt on September 11, 2012, 08:41:43 AM
Hmmm... So w/e, thanks for the links guys, interesting to know -- but I don't want this thread to become an encryption discussion  :-X

aww but!  This is the kind of technical nerdity we can all really sink our teeth into!  But yeah, it'd definitely be off-topic.

Darren Dirt

Quote from: Thorin on September 11, 2012, 08:51:18 AM
Quote from: Darren Dirt on September 11, 2012, 08:41:43 AM
Hmmm... So w/e, thanks for the links guys, interesting to know -- but I don't want this thread to become an encryption discussion  :-X

aww but!  This is the kind of technical nerdity we can all really sink our teeth into!  But yeah, it'd definitely be off-topic.


"While SHA-1 has not been compromised in real-world conditions, SHA-256 is not much more complex to code, and has not yet been compromised in any way." http://www.movable-type.co.uk/scripts/sha256.html
okay there, /discussion.

Lazybones

Basically SHA1 has replaced md5 as the CHEAPEST hash for utility tasks, mostly because it is reliably implemented in so many libraries and is readily available.

However that doesn't dismiss the fact that for high security it is weak and should not be used for critical security uses.

Darren Dirt

-moved-

Mr. Analog

C'mon, LinkedIn password hack back in June, obviously a bit more than one point of failure but still a case where SHA-1 was broken to gain info IRL.

http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html


Mr. Analog

Split topic for obvious reasons.

Where's the hook? COZ WE OFF IT BOY

Lazybones

Quote from: Mr. Analog on September 11, 2012, 09:17:27 AM
C'mon, LinkedIn password hack back in June, obviously a bit more than one point of failure but still a case where SHA-1 was broken to gain info IRL.

http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html

Rainbow tables can be made for any hash, it didn't have anything to do with the sha1 being broken... broken indicates you could simply generate a collision to access the system knowing the hash.

linkedin was all about the weak common passwords lacking salt.

Thorin

Jebus, I ended up on a page describing latent fingerprint examination thanks to this thread.

Darren Dirt

Quote from: Thorin on September 11, 2012, 10:10:55 AM
Jebus, I ended up on a page describing latent fingerprint examination thanks to this thread.

speaking of which: Dark Knight Rises -- Great Movie, or Greatest Movie?

Mr. Analog

Quote from: Darren Dirt on September 11, 2012, 12:02:35 PM
Quote from: Thorin on September 11, 2012, 10:10:55 AM
Jebus, I ended up on a page describing latent fingerprint examination thanks to this thread.

speaking of which: Dark Knight Rises -- Great Movie, or Greatest Movie?

It's the worst period drama I've ever seen.

Thorin

Oh good, we split this from the original thread to keep it and this on topic.

Mr. Analog

Quote from: Thorin on September 11, 2012, 01:27:49 PM
Oh good, we split this from the original thread to keep it and this on topic.

Well orphaned thread, orphaned Bruce Wayne

(this is the Batmaaaaaaaan of threads)

Lazybones

Back where my post got cut off, the point was that linkedin was due to lack of salt and weak passwords, not a flaw in sha1, there just happen to be handy sha1 tables.

However GPU acceleration, SSD drives and well purchasing cloud power make it trivial to generate large rainbow tables for almost any hash as long as they are not salted, or even better uniquely salted as then each password needs its own table assuming you know the salt..

You still can't easily generate a collision for sha1 although it is possible in theory.
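
Added example (not part of any poster's message): the salting point made in the post above, shown in Python's standard library. It compares bare SHA-1 storage with a per-user random salt and a slow KDF. The user names, passwords and common-password list are constructed sample data, and the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumption of this example, not something the thread specifies.

```python
import hashlib
import hmac
import os

# Constructed sample data: alice and bob picked the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "x7#Lq9!vTz"}
COMMON = ["123456", "password1", "letmein"]  # constructed common-password list
ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """The scheme discussed in the thread: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str) -> tuple:
    """Unique random salt per user plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def covered_by_table(stored: dict) -> list:
    """Users whose unsalted hash appears in ONE table precomputed from COMMON."""
    table = {unsalted_sha1(p) for p in COMMON}
    return sorted(user for user, h in stored.items() if h in table)


def demo() -> dict:
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "unsalted_hits": covered_by_table(unsalted),
        "same_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_salted": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify("password1", salted["alice"]),
        "login_bad": verify("letmein", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Without a salt, one precomputed table covers every account and identical passwords are visible as identical hashes; with a per-user salt the two records for the same password differ, so any precomputation has to be redone per account.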

Darren Dirt

Quote from: Thorin on September 11, 2012, 01:27:49 PM
Oh good, we split this from the original thread to keep it and this on topic.

Oh good, you saw what I did there.  ;)

Got it out of my system now. Worry not.


Back on topic... Yeah, salt ftw, fo sho.

Mr. Analog

Quote from: Darren Dirt on September 11, 2012, 04:59:10 PM
Quote from: Thorin on September 11, 2012, 01:27:49 PM
Oh good, we split this from the original thread to keep it and this on topic.

Oh good, you saw what I did there.  ;)

Got it out of my system now. Worry not.


Back on topic... Yeah, salt ftw, fo sho.

Truly one of Angelina Jolie's best roles.

Darren Dirt

...who was also in HACKERS zomg this is getting freaky bro...

Mr. Analog

Quote from: Darren Dirt on September 11, 2012, 08:23:42 PM
...who was also in HACKERS zomg this is getting freaky bro...

See what I did there

Now rearrange all the letters in this thread for a secret message! :)

Tom

Quote from: Mr. Analog on September 11, 2012, 09:12:43 PM
Quote from: Darren Dirt on September 11, 2012, 08:23:42 PM
...who was also in HACKERS zomg this is getting freaky bro...

See what I did there

Now rearrange all the letters in this thread for a secret message! :)
"The quick brown fox jumps over the lazy dog"

What does it mean :o
<Zapata Prime> I smell Stanley... And he smells good!!!

Mr. Analog

Quote from: Tom on September 11, 2012, 10:49:34 PM
Quote from: Mr. Analog on September 11, 2012, 09:12:43 PM
Quote from: Darren Dirt on September 11, 2012, 08:23:42 PM
...who was also in HACKERS zomg this is getting freaky bro...

See what I did there

Now rearrange all the letters in this thread for a secret message! :)
"The quick brown fox jumps over the lazy dog"

What does it mean :o

"BUY MORE OVALTINE"

Oh maaaaan!

Darren Dirt


Mr. Analog

I'm glad I split it more than ever now hahaha