SHA (Secure Hash Algorithm) is a family of cryptographic hash functions published by NIST (National Institute of Standards and Technology). SHA-1 was designed by the NSA and published in 1995. When weaknesses were found in SHA-1, NIST released the SHA-2 family (SHA-256, SHA-384, SHA-512) in 2001, which remains the backbone of internet security today.
A hash function takes any input and produces a fixed-size output (called a digest). Even changing a single character completely changes the output, a property called the avalanche effect. Hashing is a one-way operation: you cannot reverse a hash to recover the original input. This makes it perfect for verifying data integrity without exposing the original data.
Fun fact: in 2017, Google and CWI Amsterdam produced the first SHA-1 collision, where two different PDF files produced the same SHA-1 hash. The attack, called "SHAttered", required 9,223,372,036,854,775,808 SHA-1 computations and the equivalent of 6,500 years of single-CPU computation. This effectively ended SHA-1's use in security applications.
Git identifies every commit, tree, and blob using SHA-1 hashes (and is transitioning to SHA-256). That 40-character commit hash like "a1b2c3d..." is literally a SHA-1 digest of the commit contents. This is how Git detects any tampering with repository history.
Bitcoin mining is essentially a race to find a SHA-256 hash that starts with a certain number of zeros. Miners compute trillions of SHA-256 hashes per second. The Bitcoin network currently performs over 500 exahashes per second.
When you download software, the website often shows a SHA-256 checksum. By hashing the downloaded file and comparing the digests, you can verify the file was not corrupted or tampered with during transfer. Linux distributions rely heavily on this.
HMAC (Hash-based Message Authentication Code) combines SHA with a secret key to create authenticated digests. Webhooks from Stripe, GitHub, and Slack use HMAC-SHA256 to let you verify that incoming requests genuinely came from their servers.
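Receiver-side verification of an HMAC-SHA256 webhook signature, as an added example that is not code from the original page or from any provider's SDK. It assumes the GitHub-style scheme (header value `sha256=` followed by the hex HMAC of the raw request body); the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

PREFIX = "sha256="  # assumed header format: "sha256=<hex digest>"

# Constructed sample values, not real credentials or real webhook traffic.
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"push","id":42}'


def sign(secret: bytes, body: bytes) -> str:
    """Header value a sender attaches: HMAC-SHA256 of the raw body, hex encoded."""
    return PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Return True only if the header is a valid signature of these exact bytes."""
    # Reject a missing header or an unexpected algorithm prefix outright.
    if not header or not header.startswith(PREFIX):
        return False
    expected = sign(secret, body)
    # compare_digest takes the same time wherever the first mismatch is, so
    # response timing does not leak how much of a guessed signature was right.
    # Encoding to bytes also avoids the TypeError it raises on non-ASCII str.
    return hmac.compare_digest(expected.encode(), header.encode())


if __name__ == "__main__":
    good = sign(SECRET, BODY)
    print("valid signature:  ", verify(SECRET, BODY, good))
    print("modified body:    ", verify(SECRET, BODY + b" ", good))
    print("wrong secret:     ", verify(b"other-secret", BODY, good))
    print("missing header:   ", verify(SECRET, BODY, None))
```

Compute the HMAC over the request body exactly as received; parsing the JSON and re-serialising it first can change whitespace or key order and make a genuine request fail verification.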