SHA-1 Hash

SHA-1 Hash

Updated May 7, 2026

SHA-1 hash generator online. Create 160-bit SHA1 hashes—still used for git commits and file verification. Free SHA1 calculator.

0 chars
Legacy algorithm: SHA-1 is deprecated for security. Use SHA-256 for new projects.

About SHA-1

  • Output: 160-bit (40 hex characters)
  • Security: Collision attacks demonstrated (SHAttered, 2017)
  • Still used in: Git commit hashes, legacy certificate validation
  • Recommendation: Migrate to SHA-256 for security-sensitive use

Features

  • 160-bit hash generation (40 hex characters)
  • Compatible with Git object IDs and commit hashes
  • Legacy system support and backward compatibility
  • Extremely fast computation
  • Client-side file and text hashing

Common Use Cases

  • Interacting with Git version control systems (commit IDs, blob hashing)
  • Verifying legacy checksums from older software archives
  • Generating non-cryptographic unique identifiers for database records
  • Checking files against older threat-intelligence blocklists

SHA-1 (Secure Hash Algorithm 1)

SHA-1 produces a 160-bit (20-byte) hash value, represented as a 40-character hexadecimal number.

For decades, SHA-1 was the cornerstone of internet security, used in SSL certificates and PGP signatures. However, in 2017, a joint team from Google and CWI Amsterdam executed the first successful collision attack (the SHAttered attack), proving they could create two different PDF files with the exact same SHA-1 hash.

Today, SHA-1 is cryptographically broken and deprecated by NIST. Modern browsers will reject SSL certificates signed with SHA-1. It should never be used for digital signatures or security. It remains relevant primarily due to its deep integration into the Git version control system.

Examples

Valid - Standard SHA-1 Output
Input: "git"
SHA-1: 46f1a0bd5592a2f9244ca6afeb651b2694a73e67

Frequently Asked Questions

If SHA-1 is broken, why does Git still use it?

Git was designed around SHA-1 for content addressing (identifying file contents quickly), not primarily for cryptography. Migrating a massive, decentralized ecosystem like Git is exceptionally difficult. While a collision attack could theoretically be used to sneak malicious code into a repository, Git implements mitigation strategies to detect known collision techniques. Furthermore, newer versions of Git are slowly rolling out support for SHA-256 object formats.

Can I use SHA-1 for a hash map or cache key?

Yes. If security against malicious attackers is not a requirement, SHA-1 is perfectly fine for generating unique identifiers, cache keys, or deduplication tokens. It is faster than SHA-256 and provides a much lower chance of accidental collisions than MD5.

💡 Tips

  • When working with Git internals, remember that Git prepends a header (`blob <length>\0`) to the file contents before calculating the SHA-1 hash. Hashing a raw file with standard SHA-1 will not match the Git blob ID.
  • If you encounter a 40-character hex string in a log file, it is almost certainly a SHA-1 hash.

Common Mistakes

Using SHA-1 to sign JWT (JSON Web Tokens) or API webhooks. Always use SHA-256 or higher for signatures.
Assuming SHA-1 is safe just because it is used by Git.