The SHA Family
SHA-1 (broken), SHA-2, SHA-3.
The SHA Family
"SHA" stands for Secure Hash Algorithm. It's actually three generations of algorithms, not one.
Analogy
Think of three generations of family locksmiths trading under the same shop sign. The grandfather's locks (SHA-1) were state-of-the-art in their day but thieves have long since figured out how to pick them; the father's locks (SHA-2) are the workhorse on every modern door; and the son went off to a completely different trade school and came back with a different design (SHA-3, from the Keccak competition) so that if the father's locks ever fall, the shop still has product to sell. They share a name and a front window, but under the hood they are three independent mechanisms — and the grandfather's locks should have been scrapped years ago.
SHA-0 and SHA-1 — broken
SHA-0 (1993) was withdrawn almost immediately. SHA-1 (1995) survived until 2017, when Google and CWI Amsterdam produced SHAttered — two distinct PDFs with the same SHA-1 hash. Since then SHA-1 has been considered unsafe for any signature or integrity use.
Git used SHA-1 for 20 years; it's moving to SHA-256.
SHA-2 — the current workhorse
SHA-2 is a family with four common digest sizes:
| Variant | Digest | Used for |
|---|---|---|
| SHA-224 | 224-bit | Rare |
| SHA-256 | 256-bit | Default almost everywhere |
| SHA-384 | 384-bit | TLS suites wanting >128-bit security |
| SHA-512 | 512-bit | Often faster than SHA-256 on 64-bit CPUs |
All four use the Merkle–Damgård construction: pad the message, split into fixed-size blocks, and iterate a compression function chained through a running state. That's what the visualizer to the right is showing.
SHA-3 — a different design entirely
SHA-3 is not a patch to SHA-2. In 2007, worried that SHA-2 might fall the way SHA-1 did, NIST held an open competition. Keccak (Bertoni, Daemen, Peeters, Van Assche — three of them co-designed Rijndael/AES) won in 2012 and was standardised as SHA-3 in 2015.
SHA-3 uses a sponge construction — absorb input into a state, then squeeze output out. No length-extension weakness, no Merkle–Damgård chain. Completely different internals with similar security guarantees.
Browsers don't ship SHA-3 via crypto.subtle. Node does via crypto.createHash("sha3-256").
Length extension — an MD / SHA-2 quirk
Given H(secret || message) and the length of secret, an attacker can compute H(secret || message || padding || extension) without knowing the secret. This is length-extension.
It's a problem when someone uses a raw hash as a MAC. Don't — use HMAC (next level). SHA-3 doesn't have this property.
Output-size rule of thumb
Because of the birthday paradox, an N-bit digest gives N/2 bits of collision resistance. So:
- Need 128-bit security? → SHA-256 minimum.
- Need 192-bit security? → SHA-384.
- Need 256-bit security? → SHA-512.
What to use in new code
- Integrity / checksums / content addressing: SHA-256 or BLAKE3 (much faster, same security class).
- Password hashing: not raw SHA — use Argon2id or scrypt.
- MAC: HMAC-SHA256 (next level).
- Signatures: sign SHA-256 of the data, not the data directly.
SHA-256 is almost always the right answer. Only reach for SHA-3 when a spec or policy demands it.