# HL101

MD5, SHA-1, RIPEMD-160, Whirlpool and the SHA-256 / SHA-512 hash algorithms all vulnerable to length-extension attacks and should not be used for obfuscating or protecting data without HMAC.

## Examples

The following examples would raise a warning:

```python
import hashlib
hashlib.new('sha256')
```

```python
import hashlib
hashlib.whirlpool()
```

## Fix

Use another hashing algorithm, e.g. blake2

## See Also

* [About Length Extension Attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)