A surprising amount of people believe that SHA-1 is broken and therefore should not be used in password hashing. “It was on the news!”, “it’s as bad as MD5”, they say. While indeed it’s a bad choice for hashing passwords, the reason has nothing to do with SHAttered attack of 2017.
SHAttered has shown a practical possibility of a collision attack, which finds messages x and y such as
SHA1(x) = SHA1(y),
while cracking a hashed password is a preimage attack, which requires an efficient way for a given hash h to find an input z so that
SHA1(z) = h.
While collision resistance is crucial for authenticity checks (such as the validity of SSL certificates), password hashing needs only pre-image resistance.
Furthermore, the vulnerability to collision attacks absolutely does not imply the vulnerability to pre-image attacks.
In fact, in “Lessons From The History Of Attacks On Secure Hash Functions” it is shown that the overwhelming majority of proposed hash functions are safe against pre-image attacks. For SHA-1, the successful attempts involve weakened versions of the hash function, e.g. in “New Preimage Attacks Against Reduced SHA-1” authors show how one can better the brute-force up to 57 hashing rounds instead of normal 80, but not further. “Higher-Order Differential Meet-in-the-middle Preimage Attacks on SHA-1 and BLAKE” claims to lift the bar to 62 rounds, which is still far from the unencumbered SHA-1.
So then, is SHA-1 suitable for hashing passwords? Absolutely not! Even as we don’t know of a way to find an element from the pre-image more efficiently than using a brute-force, on modern hardware, brute-forcing SHA-1 is fast enough. That’s the real reason why nobody should use a naive SHA-1 application as a hashing method.
The iterated schemes such as PBKDF2 are a different matter. The use of a large number of iterations ensures that brute-forcing becomes reasonable difficult, and the lack of pre-image attacks on the hash function ensures that brute-force is the only way to go. Therefore, using SHA-1 for passwords in PBKDF2 is out of danger for now – perhaps it would be more future-proof to use a different hash in new developments, but there shouldn’t be a rush to change it in the existing systems.