SHAttered: Google Breaks SHA-1 Encryption

By Ben

After nearly 2 years of hard work, perseverance and a little bit of elbow grease, Google engineers have finally managed to break SHA-1 encryption.

For the first time, a team of engineers has managed to develop a repeatable real-world collision attack that can be used to break the encryption method.

While theoretical attacks on SHA-1 have been around for quite some time, nobody has ever been able to demonstrate one in the real world.

That is, until now.

What is SHA-1?

SHA-1 is an encryption method that is widely used across the internet.

It protects everything from your passwords and credit card information to browsing data and files.

When someone creates a password on a website, a unique string or hash is generated from the password and stored on a server.

When that person re-enters their password, it’s hashed again and compared with the hash on the server.

If the two match, you’re logged in. If they don’t, you’ve entered the wrong password.

This method of storing passwords means that the website never knows your actual password, only the hash of the password.

One of the big benefits of this is that if the website gets hacked, your encrypted password should still be safe.

Why did Google Break it?

OK, so if SHA-1 was so useful why did Google break it?

To put it bluntly, SHA-1 is insecure and using it is generally considered a bad idea.

SHA-1 has been known to be vulnerable to theoretical attacks for well over 10 years now.

Back in 2014 the Chrome team announced they were going to be dropping support for SHA-1.

Since then, many people from across the tech industry have called for developers and webmasters to stop using it as soon as possible.

Yet despite all of that, there are plenty of websites out there still using it (shame on you!).


If you’re someone who’s still using SHA-1, then take this as a warning and get switched over to more secure alternatives like SHA-256 and SHA-3 as soon as possible.
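An added example, not code from the original article: the hash-and-compare login described above, with a legacy SHA-1 record upgraded to a stronger scheme on the next successful login. It goes beyond the article by using salted PBKDF2-HMAC-SHA256 (built on SHA-256) rather than a bare hash; the record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def legacy_sha1_record(password: str) -> dict:
    """The old scheme: an unsalted SHA-1 hex digest of the password."""
    return {"scheme": "sha1", "hash": hashlib.sha1(password.encode()).hexdigest()}


def pbkdf2_record(password: str) -> dict:
    """Replacement scheme: per-user random salt, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def _matches(password: str, record: dict) -> bool:
    """Re-hash the submitted password under the record's scheme and compare."""
    if record["scheme"] == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]),
            record["iterations"]).hex()
    else:
        return False  # unknown scheme: fail closed
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, record["hash"])


def login(users: dict, name: str, password: str) -> bool:
    """Verify a login and upgrade a legacy SHA-1 record on success."""
    record = users.get(name)
    if record is None or not _matches(password, record):
        return False
    if record["scheme"] == "sha1":
        # Only at login is the plaintext available, so re-hash it now.
        users[name] = pbkdf2_record(password)
    return True


# Constructed sample data: one account still stored under the legacy scheme.
users = {"alice": legacy_sha1_record("correct horse battery staple")}
```

Records that are never upgraded because the user does not log in again remain on SHA-1 and need a separate plan, such as a forced reset.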

