3

Of course 'often' is pretty subjective, but I've seen a lot of reports/articles that describe SHA1 as something, typically, not secure enough for use in the storage of passwords. An example:

If it’s just SHA1, there is no window… If it’s bcrypt, you have time to run away and change all your passwords.

The only time I've seen a successful SHA1 'hack' is when the password is trivial to run through a dictionary (e.g. password123).

What's unsecure about SHA1?

Anders
  • 65,052
  • 24
  • 180
  • 218
  • 6
    It's very fast to compute - this means that a dictionary attack (even with salted passwords) can be very quickly carried out. In contrast, a hash method like bcrypt takes a lot longer, so a dictionary attack takes longer. Unfortunately, most users do pick weak passwords which will appear in dictionaries, so this is a viable attack method. – Matthew Oct 19 '16 at 08:58
  • 1
    Computation speed distinguishes General Purpose (Fast) Cryptographic Hash (SHA-1 and SHA-2 alike) from (Slow) Password Hash. (BCrypt, SCrypt, PBKDF2, Argon2, etc.) Separately from that, there are reasons to use SHA-2 over SHA-1 and computation speed is not a significant to that comparison. – 700 Software Oct 19 '16 at 17:23

3 Answers3

7

I agree with @KanekiDev and would like to highlight that #1 holds even now, let alone in the near future.

According to ArsTechnica, a single person using equipment worth less than 30,000 dollars managed to recover 85% of the passwords leaked in the Linkedin breach in a day. We are talking about millions of SHA-1 hashed passwords found in a single day.

Using a single Sagitta HPC Brutalis packed with eight Nvidia GTX Titan X graphics cards, I managed to recover 85 percent of the passwords on the first day, despite the fact that I was cracking so many passwords so quickly that the whole system slowed to a crawl.

Working with the rest of the Hashcat development team, we managed to reach 88 percent by the end of the third day, and we crossed the 90-percent threshold on the fourth day. This all happened a full two days faster than when working with the first LinkedIn dump, which contained only a small fraction of the number of hashes. On the sixth day, we teamed up with rival password cracking team CynoSure Prime to close out the effort at a solid 98 percent, cracking a total of 173.7 million passwords.

Source

If you think that only researchers can afford that hardware, you're wrong. Think about a team of crackers spending 30,000 dollars on that setup just for finding these passwords. In a week, they find 100 million passwords, which they can sell for $0.01 each. 100 million passwords * $0.01/password= 1 million dollars. That's a pretty good ROI (return on investment), isn't it?

You may say that those were weak passwords. That's probably true, but as @Matthew pointed out,

Unfortunately, most users do pick weak passwords which will appear in dictionaries, so this is a viable attack method.

A. Darwin
  • 3,592
  • 2
  • 16
  • 27
  • The passwords themselves don't have much value, but in combination with the user information from a site such as Linkedin, they can allow for a lot of attacks - people often use the same passwords on multiple sites, so an attacker can take over a more valuable account belonging to the same user (e.g. shopping accounts, banking...) – Matthew Oct 19 '16 at 09:55
  • @Matthew of course, but there are attackers who simply sell passwords on the market, which are bought by other people who do what you're talking about (checking the password list for reuse in other websites,...). Think about it as some kind of "cracking-as-a-service". There are groups that do both, but that may take a bit of time if they don't restrict themselves to Gmail-Facebook-Twitter. As such, I wanted to show the ROI for attackers who simply crack passwords, which exist. – A. Darwin Oct 19 '16 at 10:31
4

I think that the vulnerabilities of SHA-1 are not in any way relevant here, what's relevant is that it is a simple, fast, embarrassingly parallelizable operation.

The vulnerabilities on SHA-1 are collision attacks, which is painful with signatures, but meaningless for passwords. Preimage attacks would be truly scary in the context of password hashing, but none exist to my knowledge.

Now, why is it a problem that SHA-1 is a simple, fast, embarrassingly parallelizable operation? The article you linked to explains it: There is no window.

What does that mean, which window? The consequence of the hash being fast is that virtually all user passwords (of which even most "better" ones are still somewhat low entropy) are crackable in a matter of seconds. Entire databases with tens of thousands of passwords are crackable within a day, and you do not even need to be the NSA to achieve that.

In practice, this means that every security breach is always the greatest imaginable desaster, whereas if you had only used something like bcrypt which is a deliberately slow operation, you would have had a couple of days (or weeks) to inform your users, and have them change their passwords. This turns "total desaster" into "embarrassing, but tolerable". See How to securely hash passwords? for a more in-depth of what makes a suitable password hash (as opposed to a “normal” cryptographic hash).

Some users with particularly stupid passwords ("password", "fuckyou", "letmein") will of course still have their accounts compromised because even with bcrypt you can crack all the 100 most-stupid-passwords in like.... a couple of seconds. If you have, for example, 10,000 individually salted user passwords then testing for the 100 most-stupid-passwords takes one million iterations only. Even with a slow algorithm, that's a matter of seconds.

But the important difference is, the other passwords which are not on the top-100 list will not be compromised that easily. Those users have a fair chance of changing their password in time.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
Damon
  • 5,211
  • 1
  • 20
  • 26
1

SHA-1 is pretty insecure due to:

  • As modern computation evolves, it will be easier in a "near-future" to brute-force the algorithm. Even more if you count with new ASICS designed for SHA Hashes computing (oftenly used in cryptocurrencies mining as Bitcoin). Some of those ASICS can compute more than 10^12 Hashes per second (some even 10^15).
  • But also, that in 2005 a weakness was found that would make easier to break the algorithm, not by brute-forcing but by trying to find hash-collisions (a hash collision occurs when two different inputs produce the same output).

You can check this: https://en.wikipedia.org/wiki/SHA-1#Attacks to find about the weakness i told you.

And this, a very interesting article (written in 2012) about the SHA-1: http://arstechnica.com/security/2012/10/sha1-crypto-algorithm-could-fall-by-2018/

That's why i would not recommend using SHA-1 any longer, as even if we could consider it pretty secure (depending on which purpose), it will be deprecated shortly (well it's already being deprecated).

Hope this will help.

NH.
  • 1,014
  • 1
  • 9
  • 20
KanekiDev
  • 1,039
  • 6
  • 9