More on Newly Broken SHA-1

AnonymousStudent writes "Details are out about the reported broken SHA-1 hash function. The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With todays computing power and Moores Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP's CTO, put it best: 'It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off.' As Schneier suggests, 'It's time for us all to migrate away from SHA-1.' Alternatives include SHA-256 and SHA-512."

Re:2000 times faster?

[mboverload]

I was KIDDING! Kidding!

Jesus people, I passed 8th grade....or did I? =)

remember enigma..

[dirtyforker]

Encrypting something is many orders of magnitude less complex than breaking the encryption. Moore's Law means that more complex encoding becomes practical at an exponentially faster rate than the ability to break it. Today's encryption is far more secure than anything in the past inspite of all these advances in code-breaking. Of course this doesn't stop people from using old methods which were once secure but now are not...

Thinking ahead (out loud)..

[bAdministrator]

..a (new) system that handled user authentication (and obviously registration) would also store information about which hash code algorithm was used at the time the user registered.

SystemHashCoding = 1 = MD5
SystemHashCoding = 2 = SHA0
SystemHashCoding = 3 = SHA1
SystemHashCoding = n = x

UserHashCoding = 3

The UserHashCodingData field would be extended to accomodate longer values in the future.

The update would be applied when an existing user with a different hash coding changed her or his password.