SHA-1 is a hashing function similar to the MD5 and MD4 algorithms. The resulting hash is a 160-bit (20-byte) value, typically represented as a 40-character hexadecimal string.

Below is an example hash: this is what a SHA-1 hash of the string password looks like. Identifying these hash types is a matter of checking the length and then starting with the most common forms of these hashes.


Go ahead and test our password recovery of a SHA-1 hash using a password dictionary and brute force matching of the resulting hash.

Background on SHA-1 Hashes

SHA-1 was developed in 1993. By 2005 the US Government had begun recommending SHA-2 based hashes, as weaknesses in the SHA-1 function rendered the algorithm no longer secure. Because of the computing requirements of stronger algorithms, this recommendation was not immediately adopted, and SHA-1 hashes can still be found in many applications.

Google, Microsoft and Mozilla have indicated that they will no longer support SHA-1 based SSL certificates from 2017.

SHA-2 is a family of hashes that includes the popular SHA-256 and SHA-512 functions. These are generated using a similar technique; however, they are mathematically stronger, making brute force attacks against them more difficult.

Cracking SHA-1 Hashes

Attacking (often referred to as cracking) SHA-1 hashes is most often performed using the same technique as for any one-way hashing function: computing the hashes of possible original strings as fast as possible until one matches.

See the following chart to get an idea of the weakness of standard hashing algorithms for password storage. The figures show brute force attempts against a single hash. cudaHashcat is running on an NVIDIA 560 GTX GPU that is a few years old now, so consider these figures the low end of what is possible.

Note the difference between hashcat and cudaHashcat against the same SHA-1 hash. You are reading that correctly: MD5 hashes are being brute forced at 1.8 billion per second.
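
The length-based identification and dictionary matching described above can be combined into a small audit of a credential store. This is an added example, not code from the original page, and it goes beyond SHA-1 to the other common digest lengths. The function names and the sample data are assumptions made for illustration.

```python
import hashlib
import string

# Hex-digest length -> candidate hashlib algorithms, most common first.
# Length only narrows the guess: MD4 (32 hex chars) and RIPEMD-160 (40) share
# lengths with MD5 and SHA-1 but are not guaranteed to be available in hashlib.
CANDIDATES_BY_HEX_LEN = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256", "sha3_256"],
    128: ["sha512", "sha3_512"],
}

def candidate_algorithms(digest):
    """Return likely algorithm names for a hex digest; [] if not hex or unknown length."""
    digest = digest.strip().lower()
    if not digest or any(c not in string.hexdigits for c in digest):
        return []
    return list(CANDIDATES_BY_HEX_LEN.get(len(digest), []))

def audit_digest(digest, wordlist):
    """Return (algorithm, word) if the digest is an unsalted hash of a listed word, else None."""
    digest = digest.strip().lower()
    for algo in candidate_algorithms(digest):
        for word in wordlist:
            if hashlib.new(algo, word.encode("utf-8")).hexdigest() == digest:
                return algo, word
    return None

def audit_store(records, wordlist):
    """Map username -> finding for every (username, digest) record that matches the wordlist."""
    findings = {}
    for user, digest in records:
        hit = audit_digest(digest, wordlist)
        if hit:
            findings[user] = hit
    return findings

if __name__ == "__main__":
    # Constructed sample data: a tiny deny-list and a made-up credential table.
    weak = ["123456", "password", "letmein"]
    store = [
        ("alice", hashlib.sha1(b"password").hexdigest()),
        ("bob", hashlib.md5(b"letmein").hexdigest()),
        ("carol", hashlib.sha256(b"Vt9#kq2!constructed").hexdigest()),
    ]
    for user, (algo, word) in audit_store(store, weak).items():
        print(f"{user}: unsalted {algo} of a deny-listed password ({word!r})")
```

Any account this flags is stored as a fast, unsalted hash of a known-weak password and should be reset and rehashed with a dedicated password hashing scheme.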