Hashing Explained: MD5 vs SHA-256, and Why It Matters
What cryptographic hashing actually does, why MD5 is broken, when SHA-256 is the right choice, and why none of them should store your passwords.
Hashes show up everywhere — file downloads, Git commits, password systems, blockchains — yet "hashing" is one of the most misunderstood ideas in computing. Here's what it actually does, which algorithm to use, and the mistake that still causes data breaches.
What a hash function does
A hash function takes any input — a word, a file, a 4 GB video — and produces a fixed-size fingerprint. SHA-256, for example, always outputs 256 bits (64 hex characters):
- "hello" →
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 - "Hello" →
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
One capital letter, completely different fingerprint. Three properties make this useful:
- Deterministic — same input always gives the same hash
- One-way — you can't reverse a hash back into the input
- Collision-resistant — you can't find two inputs with the same hash (this is the property that breaks first)
Try it yourself in the Hash Generator — type a message and change one character.
Hashing is not encryption
Encryption is reversible with the right key; hashing has no key and no way back. You encrypt things you need to read later; you hash things you only need to verify later. (And Base64 is neither — it's plain encoding anyone can undo.)
Why MD5 and SHA-1 are broken
MD5 (1992) and SHA-1 (1995) both fail collision resistance. Researchers demonstrated real MD5 collisions in 2004 — attackers can now craft two different files with the same MD5 hash in seconds on a laptop. For SHA-1, Google demonstrated the same in 2017 with two different PDFs.
Why that matters: if someone can create a malicious file with the same hash as a legitimate one, hash verification becomes worthless — you'd verify the fingerprint and still install malware.
Are they useless? For security, yes. As fast checksums for accidental corruption or deduplication where no attacker exists, MD5 still appears — but there's no reason to choose it for anything new.
What to use instead
SHA-256 is the current standard: file integrity checks, digital signatures, certificate chains, Git's newer object format, Bitcoin. SHA-512 is equally secure with a longer output and is often faster on 64-bit servers. Either is a sound default.
A practical use you can do today: when you download software, the vendor often publishes a SHA-256 checksum. Hash your downloaded file and compare — if even one character differs, the file was corrupted or tampered with in transit.
The password mistake
Here's the counterintuitive part: SHA-256 is the wrong tool for storing passwords — precisely because it's fast. A GPU can compute billions of SHA-256 hashes per second, which means an attacker who steals your database can guess billions of passwords per second against it.
Password storage needs deliberately slow, salted algorithms: bcrypt, scrypt, or Argon2. They're designed so each guess costs real time, turning a weekend crack into centuries. If you're building anything with logins, this single choice matters more than almost any other security decision.
For verifying message authenticity between two parties who share a secret, the right construction is an HMAC — a keyed hash. Our HMAC Generator demonstrates how the same message produces different signatures under different keys.
Quick reference
- Checking downloads / file integrity → SHA-256
- Signatures, certificates → SHA-256/384
- Storing passwords → bcrypt / Argon2 (never a plain hash)
- API request signing → HMAC-SHA256
- Anything security-related → never MD5 or SHA-1
Experiment with all of these in the Hash Generator — input never leaves your browser.