The padlock in your browser's address bar, the 40-character string in every Git commit, the "SHA-256 checksum" on every download page — SHA is everywhere. But SHA is not a single algorithm. It is a family of hash functions, and choosing the wrong one — or misunderstanding what any of them do — is a surprisingly common source of security mistakes.
1. Origins of SHA
SHA (Secure Hash Algorithm) was designed by the NSA and published by NIST as a Federal Information Processing Standard (FIPS). The family's history:
- 1993: SHA-0 published, quickly withdrawn due to a design flaw
- 1995: SHA-1 published, fixing SHA-0's weakness; 160-bit output
- 2001: SHA-2 family published (SHA-256, SHA-512, and variants)
- 2015: SHA-3 (Keccak) standardized as FIPS 202, offering a structurally different alternative to SHA-2
Like MD5, SHA produces a one-way digest — there is no key, no decryption, and no way to recover the original input from the hash. Confusing hashing with encryption is a serious and common mistake.
2. SHA-1: Officially Broken
SHA-1 was once the backbone of internet security, used in SSL/TLS certificates, code signing, and version control. It produces a 160-bit (40 hex character) digest from any input.
2.1 The SHAttered Attack
In 2017, Google and CWI Amsterdam published the SHAttered attack: two different PDF files with identical SHA-1 hashes. This was the first practical, real-world SHA-1 collision — requiring roughly 6,500 CPU-years of computation, but achievable with modern cloud resources.
Following this, major browsers, certificate authorities, and Git all deprecated SHA-1. GitHub migrated to SHA-256 in 2023.
2.2 The Legacy Problem
SHA-1 persists in some non-security contexts — older Git commits, some firmware verification systems. These should be migrated to SHA-256 over time, though the urgency depends on the threat model.
3. SHA-2: The Modern Standard
SHA-2 is a family of six algorithms, named by output size:
| Name | Output | Internal State | Primary Use |
|---|---|---|---|
| SHA-224 | 224 bit | 256 bit | Truncated SHA-256; rarely used |
| SHA-256 | 256 bit | 256 bit | TLS, code signing, Bitcoin, general purpose |
| SHA-384 | 384 bit | 512 bit | Truncated SHA-512; TLS 1.2 cipher suites |
| SHA-512 | 512 bit | 512 bit | High-security use cases; faster on 64-bit |
| SHA-512/224 | 224 bit | 512 bit | 224-bit output using 64-bit operations |
| SHA-512/256 | 256 bit | 512 bit | SHA-256-level output, faster on 64-bit CPUs |
3.1 Why SHA-256 Dominates
SHA-256 is the most widely deployed SHA-2 member for good reasons:
- Sufficient security margin: 256-bit output gives 128-bit collision resistance — far beyond what's computationally feasible to attack
- Hardware acceleration: Intel SHA Extensions (Goldmont+) and ARM Cryptography Extensions provide native SHA-256 instructions
- Universal ecosystem support: Every TLS library, CA policy, code signing spec, and standard library supports it
- 32-bit friendly: SHA-256 uses 32-bit word operations, making it faster than SHA-512 on 32-bit platforms
3.2 The Merkle–Damgård Construction
SHA-2 uses the Merkle–Damgård construction: the message is padded, split into 512-bit blocks (for SHA-256), and each block is fed sequentially through a compression function. This is the same structural approach as MD5 and SHA-1, which means SHA-256 inherits one weakness: length extension attacks. An attacker who knows SHA256(secret || message) can compute SHA256(secret || message || extension) without knowing the secret. The fix: use HMAC-SHA256 instead of bare SHA-256 for keyed authentication.
4. SHA-3: A Different Architecture
SHA-3 is not an upgrade to SHA-2. It is a fundamentally different algorithm — Keccak, designed by Bertoni, Daemen, Peeters, and Van Assche — selected through an open NIST competition in 2012. NIST standardized it precisely to provide structural diversity: if SHA-2 is ever broken, SHA-3 (using completely different mathematics) would remain secure.
4.1 The Sponge Construction
SHA-3 uses a "sponge construction" with two phases:
- Absorb: message blocks are XORed into a 1600-bit internal state and permuted
- Squeeze: output bits are extracted from the internal state
Because part of the internal state is always hidden, sponge constructions are inherently immune to length extension attacks — no HMAC wrapper required.
4.2 SHA-3 Members
- SHA3-224, SHA3-256, SHA3-384, SHA3-512: Fixed-length outputs, drop-in alternatives to SHA-2 counterparts
- SHAKE128, SHAKE256: Extendable output functions (XOF) — produce any desired output length; useful for key derivation and stream encryption
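As an added example (not code from the original article), the following uses Python's standard-library SHAKE256 as a small key-derivation helper. The label-length-prefix encoding and the key labels are assumptions constructed for this illustration. It also shows a property worth knowing before using a XOF this way: asking SHAKE for a longer output of the same input yields a prefix-consistent stream, so two keys must differ by label, not merely by requested length.

```python
import hashlib


def shake_derive(ikm: bytes, label: bytes, length: int) -> bytes:
    """Derive `length` bytes from input keying material, domain-separated by `label`.

    Constructed encoding (an assumption for this example): a one-byte label length,
    the label, then the IKM. The length prefix keeps (label, ikm) pairs unambiguous.
    """
    if not 0 < len(label) < 256:
        raise ValueError("label must be 1..255 bytes")
    xof = hashlib.shake_256()
    xof.update(bytes([len(label)]) + label + ikm)
    return xof.digest(length)          # any length; that is what makes it a XOF


def demo() -> dict:
    ikm = b"constructed-example-ikm"   # constructed sample input
    enc_key = shake_derive(ikm, b"encryption", 32)
    mac_key = shake_derive(ikm, b"mac", 32)
    longer = shake_derive(ikm, b"encryption", 64)
    # SHA3-256 and SHAKE256 use different padding domains, so even with identical
    # input and a 32-byte output they are unrelated values.
    fixed = hashlib.sha3_256(bytes([len(b"encryption")]) + b"encryption" + ikm).digest()
    return {
        "keys_differ": enc_key != mac_key,          # labels give independent keys
        "prefix_consistent": longer[:32] == enc_key, # same label: longer output extends shorter
        "differs_from_sha3_256": fixed != enc_key,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The prefix consistency is the caveat: deriving a 32-byte key and later a 64-byte key under the same label hands out the first key as part of the second. Change the label whenever the derived material must be independent.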
4.3 Should You Switch to SHA-3?
Not necessarily. SHA-2 is still fully secure. SHA-3 makes sense when:
- You need length-extension resistance without adding HMAC overhead
- Your protocol requires variable-length output (SHAKE)
- Compliance requirements specify SHA-3
- You want defense-in-depth against a future SHA-2 break
For most applications, SHA-256 remains the pragmatic default due to its mature hardware support and ecosystem.
5. Full Comparison
| Algorithm | Output | Security | Speed (software) | Recommended For |
|---|---|---|---|---|
| SHA-1 | 160 bit | Broken (SHAttered 2017) | Fast | Do not use in new systems |
| SHA-256 | 256 bit | Secure (no known collision) | Medium (HW accelerated) | TLS, certs, code signing, general use |
| SHA-512 | 512 bit | Secure (higher margin) | Faster than SHA-256 on 64-bit | High-security or 64-bit systems |
| SHA3-256 | 256 bit | Secure (different design) | Slower (less HW accel) | Length-extension resistance, diversity |
| SHAKE256 | Variable | Secure | Slower | Variable-length output needs |
6. Choosing the Right SHA
6.1 ✅ TLS/HTTPS Certificates → SHA-256
All modern TLS certificates use SHA-256 signatures. SHA-384 is used for higher-assurance EV certificates. SHA-1 certificates are rejected by all modern browsers.
6.2 ✅ Code Signing and Software Distribution → SHA-256
Windows Authenticode, macOS code signing, and APK signing all require SHA-256. Always publish a SHA-256 checksum alongside software downloads so users can verify integrity.
6.3 ✅ File Integrity Verification → SHA-256
Verifying downloads or backup consistency: SHA-256 is the right balance of security and speed. For extremely large files on 64-bit systems, SHA-512 can be faster.
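An added example of the verification step described above (this is illustration code, not a tool from the article). It streams the file in fixed-size chunks so memory stays flat for very large downloads, parses the `<hex>  <name>` line format that sha256sum prints, and compares digests in constant time. The sample file contents are constructed inside the example.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads: memory use does not grow with file size


def file_sha256(path: str) -> str:
    """Hex SHA-256 of a file, computed incrementally."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line: str) -> tuple[str, str]:
    """Parse one line of a SHA256SUMS file: 64 hex chars, a space, ' ' or '*', filename."""
    line = line.rstrip("\r\n")
    if len(line) < 67 or line[64] != " " or line[65] not in " *":
        raise ValueError("not a sha256sum-style line")
    digest, name = line[:64], line[66:]
    int(digest, 16)  # raises if the digest is not hex
    return digest.lower(), name


def verify_checksum(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA-256 matches the published value."""
    actual = file_sha256(path)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo() -> dict:
    """Write a constructed sample file and check it against a good and a bad checksum."""
    payload = b"constructed sample release tarball bytes\n" * 5000
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "release.tar.gz")
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        line = f"{good}  release.tar.gz"
        digest, name = parse_checksum_line(line)
        return {
            "streamed_matches_in_memory": file_sha256(path) == good,
            "good_checksum_verifies": verify_checksum(path, digest),
            "bad_checksum_rejected": verify_checksum(path, "00" * 32),
            "parsed_name": name,
        }


if __name__ == "__main__":
    print(demo())
```

A checksum served from the same location as the download only detects corruption; if the server is compromised both files can be swapped together. Pair the checksum with a signature (or fetch it over a separately trusted channel) when tampering, not just transfer errors, is in the threat model.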
6.4 ❌ Password Storage → Never Use Any SHA
All SHA variants are too fast for password hashing. Use bcrypt, Argon2, or scrypt — algorithms designed to be slow, resisting GPU-based brute-force attacks.
6.5 ✅ Keyed Authentication (MAC) → HMAC-SHA256
When you need a keyed hash (API signatures, webhook verification, JWT HS256), use HMAC-SHA256. It wraps SHA-256 in a structure that prevents length extension attacks and requires knowledge of the secret key.
7. Computing SHA Hashes
```bash
# Command line (Linux/macOS)
sha256sum file.txt        # Linux
shasum -a 256 file.txt    # macOS
sha512sum file.txt        # SHA-512
```
```php
// PHP
echo hash('sha256', 'hello'); // 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
echo hash('sha512', 'hello');
```
```python
# Python
import hashlib
hashlib.sha256(b'hello').hexdigest()
hashlib.sha3_256(b'hello').hexdigest()  # SHA-3
```
```javascript
// JavaScript (Node.js)
const crypto = require('crypto');
crypto.createHash('sha256').update('hello').digest('hex');
crypto.createHash('sha3-256').update('hello').digest('hex');
```
8. Common Questions
8.1 Is SHA-512 more secure than SHA-256?
Theoretically yes, but the difference is irrelevant in practice. SHA-256's 128-bit collision resistance is already far beyond what's computationally feasible to attack. The main reason to choose SHA-512 is performance on 64-bit platforms — not security.
8.2 Will SHA-3 replace SHA-2?
Not in the near future. SHA-2 has no known cryptographic weakness. SHA-3's value is providing structural diversity — if SHA-2 is ever broken, a SHA-3-based system would remain intact. NIST recommends both coexist rather than one replacing the other.
8.3 Why does Git still use SHA-1?
Git's object model is deeply coupled to 40-character SHA-1 hashes as a historical design choice. While the SHAttered attack is real, Git has added collision detection as a mitigation. Full migration to SHA-256 (git's object-format=sha256) is in progress but requires ecosystem-wide coordination. The risk for most Git workflows remains low.
8.4 What is HMAC-SHA256, and when do I need it?
SHA-256 is a pure hash function — anyone can compute it. HMAC-SHA256 is a keyed message authentication code — only someone with the secret key can produce or verify it. Use it for API request signing, JWT HS256 tokens, and webhook payload verification. It also eliminates the length extension attack vulnerability of bare SHA-256.
9. Summary
The SHA family's evolution from SHA-1 to SHA-3 tracks the progress of cryptographic research. SHA-1 is broken and should be retired. SHA-256 is the default choice for virtually every modern security context, backed by hardware acceleration and universal support. SHA-512 earns its place on 64-bit systems or where extra security margin is warranted. SHA-3 offers a structurally independent alternative — valuable for defense-in-depth or specific protocol requirements. Knowing which to reach for, and why, is essential engineering judgment.