What is Hashing? MD5 vs SHA-256 Explained for Developers
Hashing is the process of converting any input data into a fixed-length string of characters using a mathematical function. The output, called a hash or digest, always has the same length regardless of whether you hash a single word or an entire book. Hashing is a one-way operation, meaning you cannot reverse a hash back to the original data.
How Hash Functions Work
A hash function takes an input (often called a message) and produces a fixed-size output. Good hash functions have three key properties: they are deterministic (same input always produces the same output), they produce vastly different outputs for similar inputs (the avalanche effect), and they are computationally infeasible to reverse.
For example, hashing `hello` with SHA-256 produces `2cf24dba...`, but hashing `hello!` produces a completely different hash. Changing a single character transforms the entire output.
MD5: Fast but Broken
MD5 produces a 128-bit (32-character hex) hash and was designed in 1991 by Ronald Rivest. It is extremely fast, which made it popular for checksums and file integrity verification. However, MD5 has known collision vulnerabilities, meaning two different inputs can produce the same hash. This makes MD5 unsuitable for security purposes like password storage or digital signatures. It is still acceptable for non-security use cases like cache keys or deduplication checks.
SHA-1: Deprecated for Security
SHA-1 produces a 160-bit (40-character hex) hash. It was the standard for SSL certificates and Git commits for years. In 2017, Google demonstrated a practical collision attack (SHAttered), proving SHA-1 is no longer collision-resistant. Major browsers and certificate authorities have since deprecated SHA-1. Git still uses SHA-1 for commit hashes but is migrating to SHA-256.
SHA-256: The Current Standard
SHA-256 is part of the SHA-2 family and produces a 256-bit (64-character hex) hash. It is currently the most widely used secure hash algorithm. Bitcoin uses SHA-256 for mining, TLS certificates rely on it, and it is the recommended choice for most applications that need cryptographic hashing. No practical collision attacks exist against SHA-256.
SHA-512: Maximum Security
SHA-512 produces a 512-bit (128-character hex) hash. It offers a larger security margin than SHA-256 and can actually be faster on 64-bit processors. SHA-512 is commonly used in high-security environments, digital signatures, and when you need the extra bits for collision resistance.
Comparison Table
| Algorithm | Output Size | Secure? | Best For |
|---|---|---|---|
| MD5 | 128 bits | No | Checksums, cache keys |
| SHA-1 | 160 bits | No | Legacy systems only |
| SHA-256 | 256 bits | Yes | General purpose, passwords |
| SHA-512 | 512 bits | Yes | High-security applications |
Common Use Cases
- Password storage. Never store passwords in plain text. Hash them with a slow algorithm like bcrypt or Argon2 (which use SHA-256 internally) with a unique salt per user.
- File integrity. Download pages often show SHA-256 checksums. Hash the downloaded file and compare to verify nothing was corrupted or tampered with.
- Data deduplication. Hash file contents to quickly find duplicates without comparing every byte.
- Digital signatures. Hash the message first, then sign the hash. This is faster than signing the entire message.
- Blockchain. Bitcoin and other blockchains use SHA-256 to link blocks together and validate transactions.
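The file-integrity check from the list above, as an added example rather than code from the original article: it streams a file through SHA-256 and compares the result with a `sha256sum`-style checksum line. The file name `release.tar.gz`, the helper names and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large downloads never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_line(line):
    """Parse '<hex>  <name>' (or '<hex> *<name>') as printed by sha256sum."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<digest>  <filename>'")
    digest, name = parts[0].lower(), parts[1].lstrip("*")
    # SHA-256 is always 64 hex characters; a 32-char MD5 or 40-char SHA-1
    # value is rejected instead of being silently compared.
    if len(digest) != 64 or not set(digest) <= HEX:
        raise ValueError("not a SHA-256 hex digest")
    return digest, name

def verify_download(path, checksum_line):
    """True only if the file name and the SHA-256 digest both match."""
    expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != name:
        return False
    return hmac.compare_digest(sha256_file(path), expected)

if __name__ == "__main__":
    # Constructed sample: a 5-byte "download" whose contents are b"hello".
    published = ("2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
                 "  release.tar.gz")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "release.tar.gz")
        with open(path, "wb") as f:
            f.write(b"hello")
        print("intact:  ", verify_download(path, published))
        with open(path, "ab") as f:
            f.write(b"!")  # one extra byte changes the whole digest
        print("modified:", verify_download(path, published))
```

A checksum fetched from the same server as the file detects corruption, but it only detects tampering if the checksum itself reaches you over a channel the attacker does not control, such as a signed checksum file.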
Hashing vs Encryption
Hashing and encryption are often confused, but they serve different purposes. Encryption is a two-way operation: you encrypt data with a key and decrypt it with the same (or a related) key. Hashing is one-way: there is no key, and you cannot recover the original data from the hash. Use encryption when you need to retrieve the original data later. Use hashing when you only need to verify data without storing it.