double sha256


double sha256.

var sha256d = require('sha256d')
var hash = sha256d().update('hello', 'ascii').digest('hex')

sha1 is no longer considered secure, and should not be used in new cryptosystems. recent attacks have been developed which weaken sha1 significantly, from 2^80 to 2^69 attempts to find a collision.

Schiener estimates that by 2021 it could cost as little at 41k usd to generate a sha1 collision.

Also, Merkle–Damgård constructions, such as the sha1 and sha2 family of algorithms also are succeptable to a length-extension attack. this means that if you know x = sha(y) you can calculate x2 = sha(y + z) without knowing y.

This may or may not be a problem in your system, but there is no harm in being belt and suspenders safe.