I use Aegis as my 2fa. Today on new token creation I observed that there’s hash function set to SHA-1, later checked all my tokens and the result is same type of encryption used for all. So I have edited all my tokens to SHA-256 as a result my totp doesn’t authenticate. Do I have to rescan my tokens for updating to SHA-256 or it doesn’t work like that?

Security: SHA-1 < SHA-256 < SHA-512

Speed: SHA-1 > SHA-256 > SHA-512

My doubts are: Why can’t we use SHA-256? Is it because TOTP requires less time so faster one(SHA-1) is chosen? Can we use SHA-256 for TOTPs?

  • BentiGorlich@gehirneimer.de
    link
    fedilink
    arrow-up
    4
    ·
    6 months ago

    You should be using bcrypt or something similiarly designed to hash passwords, since they are much safer than sha256/512. Sha is not designed for hashing passwords and therefore a fast algorithm which you shouldn’t use for passwords