I read a ZD-Net article today that states attacks on the SHA-1 hashing algorithm are “now actually practical and a looming danger”. Here’s the link to the article: LINK.
My admittedly limited understanding is Codebook does use SHA-1 as a part of it’s security. How does news like this affect Codebook? Are there any plans to remove SHA-1 and update to a more modern standard? Are there additional measures in place to make sure this isn’t an issue?
I know I’m just a user with very limited understanding of how encryption works. The reason I moved to Codebook (Strip when I first purchased it) is it was known as one of the, if not the, most secure P/W managers. Just trying to make sure it still is. Thanks in advance…
Hi @RobtRoma
Thanks for your support of Codebook and for posting to the discussion forum.
Codebook currently uses HMAC-SHA1. While SHA1 has long been considered insecure, HMAC-SHA1 is actually still considered a secure construct. In the article you referenced, you will see a mention of this in the quoted tweet from Scott Arciszewski, i.e. “It’s time to stop using SHA1. (HMAC-SHA1 is still okay.)”. So right now there is no reason to be concered about Codebook’s security, even given the potential for chosen-prefix collision attacks against SHA1. That said, we are actively moving away from even using HMAC-SHA1 and the next version of Codebook (Codebook 4) will include SQLCipher 4, and use SHA512 by default. There are some further details about the security improvements of SQLCipher 4 here: https://www.zetetic.net/blog/2018/11/30/sqlcipher-400-release/
We plan on starting preliminary beta testing relatively soon. There’s a short beta signup form located here: https://www.zetetic.net/codebook/beta-signup/
Let me know if this addresses your questions.
Hi mmore,
I believe that does answer my questions. Thank you for taking the time to reply 
1 Like