Cryptographic hash algorithms such as
DSA (which uses
SHA-1 are no longer considered secure, because it is possible to have
computational effort is enough to find two or more different inputs that produce the same hash).
Ask Yourself Whether
The hashed value is used in a security context like:
- User-password storage.
- Security token generation (used to confirm e-mail when registering on a website, reset password, etc …).
- To compute some message integrity.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Safer alternatives, such as
SHA-3 are recommended, and for password hashing, it’s even
better to use algorithms that do not compute too "quickly", like
because it slows down
brute force attacks.
Sensitive Code Example
MessageDigest md1 = MessageDigest.getInstance("SHA"); // Sensitive: SHA is not a standard name, for most security providers it's an alias of SHA-1
MessageDigest md2 = MessageDigest.getInstance("SHA1"); // Sensitive
MessageDigest md1 = MessageDigest.getInstance("SHA-512"); // Compliant