The first SHA1 collision have just been announced in a blog post by a team from google and CWI Amsterdam. In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest.

SHA1 is longer considered as a secure since 2005, however it remain widely used in browser security, for managing code repositories, or even just detecting duplicate files in storage.

A website has been created for this discovery with a paper, an infographic, in addition to two PDFs that have identical SHA-1 hashes but different content. Shattered !

This practical attack against SHA-1 should finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.


In PHP, Sha1 function is supported since PHP4 until PHP7. A note have been written on the PHP documentation comments seven years ago suggesting to avoid using MD5 and SHA1 for risk of collision. So if you are still somewhere using SHA1, make sure to switch your code to SHA256 or a better hashing algorithms.

More information at