defuse / password-hashing

Password hashing code.


Broken SHA-1

Tanzy opened this issue · comments

How does this fit in with Google breaking SHA-1? We are using it and I need to reassure my boss that our password hashing is OK.

https://shattered.it/

The relation between password hashing security and hash function security is kind of complicated. One thing I can say is that password hashing doesn't rely on the "collision resistance" property of the hash function that was recently broken for SHA-1. It relies on "second preimage resistance" and other PRF-like properties. So far, there are no known attacks on SHA-1 that make it unsafe to use for PBKDF2 password hashing. Historically, even for hash functions that have super-low-cost collision attacks like MD4, cryptographers haven't yet found any weaknesses of the sort that would break password hashing. So this library will probably remain safe for many years to come.

What someone using this library today should do is keep using it until a fast native implementation of one of the PHC finalists (Argon2, yescrypt, etc.) becomes available and then switch to that.

Edit: rewrite entire comment to make it more clear (twice).
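The migration path described above, as an added example that is not code from the defuse/password-hashing library: a self-describing PBKDF2 hash format, constant-time verification, and a rehash-on-login step so that stored PBKDF2-SHA1 hashes are upgraded the next time each user authenticates, without a password reset. PBKDF2-HMAC-SHA256 is used here as a stand-in for the stronger target (Argon2 is not in Python's standard library), and the storage format, iteration count and salt length are assumptions, not the library's own values.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters (assumptions for this example, not the library's own):
LEGACY_PRF = "sha1"        # what the old stored hashes use
CURRENT_PRF = "sha256"     # stand-in for the stronger algorithm you migrate to
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 32

def hash_password(password, prf=CURRENT_PRF, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2-<prf>$<iterations>$<salt b64>$<dk b64>' so the
    verifier can read the PRF and work factor back out of the stored string."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return "$".join(["pbkdf2-" + prf, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])

def parse(stored):
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    prf = algo[len("pbkdf2-"):]
    return prf, int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)

def verify_password(password, stored):
    """Recompute with the PRF and parameters recorded in the stored string;
    compare in constant time so timing does not leak how many bytes matched."""
    prf, iters, salt, expected = parse(stored)
    candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iters, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored):
    """True when the stored hash still uses the legacy PRF or a weaker work factor."""
    prf, iters, _, _ = parse(stored)
    return prf != CURRENT_PRF or iters < ITERATIONS

def login(password, stored):
    """Return (ok, new_stored). new_stored is a replacement hash to persist
    when the login succeeded against a hash that should be upgraded."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)   # plaintext is in hand only now
    return True, None
```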

Thanks for that, much appreciated :)