MD5 vs SHA-256 vs SHA-512: A Developer's Guide to Cryptographic Hashing
Understand the differences between hashing algorithms, when to use each one, and why MD5 is considered broken for security purposes.
What Is Cryptographic Hashing?
A cryptographic hash function takes an input of any size and produces a fixed-size output (called a digest or hash) with several critical properties that make it foundational to computer security. Whether you are verifying file downloads, storing passwords, or building blockchain systems, understanding hash functions is essential knowledge for every developer.
The Four Properties of a Secure Hash Function
1. Deterministic: The same input always produces the same output. Hashing "hello" with SHA-256 will always produce 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 — on any computer, in any programming language, at any time.
2. Pre-image resistant (one-way): Given a hash output, it is computationally infeasible to determine the original input. You cannot "reverse" a hash to recover the original data. This is fundamentally different from encryption, which is designed to be reversible with the correct key.
3. Collision resistant: It is computationally infeasible to find two different inputs that produce the same hash output. This property is critical for digital signatures and data integrity verification.
4. Avalanche effect: A tiny change in the input produces a completely different hash. Changing a single bit in the input should flip approximately 50% of the output bits:
SHA-256("hello") → 2cf24dba5fb0a30e...
SHA-256("hellp") → 4639223f3e5c4ad6... (completely different)
Algorithm Comparison
| Property | MD5 | SHA-1 | SHA-256 | SHA-512 |
|---|---|---|---|---|
| Output size | 128 bits (32 hex chars) | 160 bits (40 hex chars) | 256 bits (64 hex chars) | 512 bits (128 hex chars) |
| Speed | Very fast | Fast | Moderate | Moderate (faster on 64-bit) |
| Collision resistance | ❌ Broken | ❌ Broken | ✅ Secure | ✅ Secure |
| Year introduced | 1992 | 1995 | 2001 | 2001 |
| NIST status | Deprecated | Deprecated | Recommended | Recommended |
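The output sizes in the table and the avalanche property from the list above can be measured directly. The script below is an added example, not code from the original article; the function names `digest`, `flip_bit`, `hamming` and `avalanche` are hypothetical, and `b"hello"` is a constructed sample input.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")  # the four columns of the table


def digest(algorithm: str, data: bytes) -> bytes:
    # usedforsecurity=False lets MD5/SHA-1 load on FIPS-restricted builds;
    # this script only measures them, it does not rely on them.
    return hashlib.new(algorithm, data, usedforsecurity=False).digest()


def flip_bit(data: bytes, index: int) -> bytes:
    """Copy of data with bit `index` inverted (bit 0 = top bit of byte 0)."""
    out = bytearray(data)
    out[index // 8] ^= 0x80 >> (index % 8)
    return bytes(out)


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, message: bytes):
    """Return (digest size in bits, mean fraction of digest bits that change
    when each single bit of `message` is flipped in turn)."""
    base = digest(algorithm, message)
    size_bits = len(base) * 8
    message_bits = len(message) * 8
    changed = sum(
        hamming(base, digest(algorithm, flip_bit(message, i)))
        for i in range(message_bits)
    )
    return size_bits, changed / (message_bits * size_bits)


if __name__ == "__main__":
    for name in ALGORITHMS:
        size_bits, fraction = avalanche(name, b"hello")  # constructed sample input
        print(f"{name:7} {size_bits:4} bits  {fraction:.1%} of output bits flip")
```

All four algorithms land near 50%, MD5 and SHA-1 included: avalanche measures diffusion, so a good score here says nothing about collision resistance.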
MD5: Fast but Broken
MD5 was designed by Ronald Rivest in 1992 and quickly became the most widely used hash function. It produces a 128-bit (32 character hex) digest and was used for everything from password storage to file integrity verification.
Why MD5 is broken: In 2004, researchers demonstrated the first practical collision attack — they found two different inputs that produce the same MD5 hash. By 2012, the Flame malware exploited MD5 collisions to forge Windows Update certificates, allowing attackers to impersonate Microsoft's update servers.
When MD5 is still acceptable:
- Non-security checksums (verifying data transfer integrity where adversarial tampering is not a concern)
- Cache keys and data deduplication
- Content-based addressing in storage systems (like Git, which uses SHA-1 but with collision detection)
When MD5 is NOT acceptable:
- Password hashing
- Digital signatures
- Certificate verification
- Any scenario where an attacker could craft a collision
SHA-1: Also Deprecated
SHA-1 was developed by the NSA and published by NIST in 1995. It produces a 160-bit hash and was the standard for SSL/TLS certificates, Git commit hashes, and many security protocols.
In 2017, Google's Project Zero team demonstrated the first practical SHA-1 collision (the "SHAttered" attack), producing two different PDF files with the same SHA-1 hash. Since then:
- All major browsers have stopped trusting SHA-1 certificates
- Git has added collision detection mechanisms
- NIST recommends against using SHA-1 for any new applications
SHA-256: The Current Standard
SHA-256 is part of the SHA-2 family, designed by the NSA and published by NIST in 2001. It produces a 256-bit hash and is currently the industry standard for security-critical applications:
- Bitcoin and blockchain: SHA-256 is the foundation of Bitcoin's proof-of-work mining algorithm
- TLS/SSL certificates: Modern certificates use SHA-256 for signing
- Code signing: Software publishers use SHA-256 to sign executables
- API security: AWS request signing uses HMAC-SHA256
- Container images: Docker image digests are SHA-256 hashes
No practical attacks against SHA-256 have been demonstrated. The theoretical complexity of finding a collision is 2^128 operations, far beyond the capabilities of current and foreseeable computing technology.
SHA-512: Bigger but Not Always Better
SHA-512 is SHA-256's sibling — same design, but operating on 64-bit words instead of 32-bit words, producing a 512-bit hash. Counterintuitively, SHA-512 is often faster than SHA-256 on 64-bit processors because it processes data in larger chunks.
Use SHA-512 when: you need a longer hash for additional security margin, or when running on 64-bit systems where SHA-512 is actually faster.
Use SHA-256 when: you need interoperability (most systems use SHA-256), or when hash length matters (SHA-256 hashes are half the length of SHA-512).
Hashing for Password Storage
Never store passwords as raw hashes — even with SHA-256. Raw hashes are vulnerable to:
- Rainbow table attacks: Pre-computed tables mapping common passwords to their hashes
- Brute-force attacks: SHA-256 is designed to be fast, which makes it feasible to try billions of passwords per second
Instead, use purpose-built password hashing algorithms:
- bcrypt: Adds a configurable work factor and built-in salting. Industry standard since 1999.
- scrypt: Memory-hard function that resists GPU-based attacks.
- Argon2: Winner of the 2015 Password Hashing Competition. The current recommendation for new projects.
These algorithms are intentionally slow (configurable to take 100ms+ per hash), making brute-force attacks impractical.
HMAC: Hashing with a Secret Key
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce an authenticated digest. Unlike a plain hash, an HMAC proves both integrity (the data has not been modified) and authenticity (the sender knows the secret key).
HMAC-SHA256(message, secret_key) → authenticated_digest
HMAC is used in:
- API request signing (AWS Signature v4)
- Webhook verification (Stripe, GitHub)
- JWT signatures (HS256 = HMAC-SHA256)
- Cookie tampering detection
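Webhook-style verification with HMAC-SHA256, as an added example that is not from the original article and does not reproduce any provider's documented scheme. The `timestamp.body` message layout, the 300-second replay window and the function names are assumptions of this sketch; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window for this sketch


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body', hex-encoded."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, body: bytes, signature: str,
           now=None) -> bool:
    """Accept only a fresh request whose signature matches the raw body."""
    now = int(time.time()) if now is None else now
    expected = sign(secret, timestamp, body)
    # compare_digest runs in time independent of where the strings differ,
    # so response timing does not leak how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False
    return abs(now - timestamp) <= TOLERANCE_SECONDS


def plain_digest(body: bytes) -> str:
    """Unkeyed SHA-256: anyone who can change the body can recompute this."""
    return hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # sample value, not a real key
    body = b'{"event":"payment","amount":100}'  # constructed webhook payload
    ts = 1_700_000_000
    sig = sign(secret, ts, body)
    tampered = body.replace(b"100", b"900")
    print(verify(secret, ts, body, sig, now=ts + 10))      # True
    print(verify(secret, ts, tampered, sig, now=ts + 10))  # False
    print(verify(secret, ts, body, sig, now=ts + 3600))    # False
```

Verify against the raw request bytes as received; re-serializing parsed JSON before hashing can change the bytes and break a valid signature.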
Choosing the Right Algorithm
For file integrity verification: SHA-256. It is the standard, well-supported, and secure.
For password storage: Argon2 or bcrypt. Never use SHA-256 or MD5 directly for passwords.
For non-security checksums: MD5 is acceptable for speed. CRC32 is even faster if you do not need cryptographic properties.
For digital signatures: SHA-256 or SHA-384 (used in TLS 1.3).
For blockchain/cryptocurrency: SHA-256 (Bitcoin) or Keccak-256 (Ethereum, which confusingly markets it as "SHA-3" despite using a different parameter set).
Practical Code Examples
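Node.js (crypto module):
```javascript
const crypto = require('crypto');
// Hex-encoded SHA-256 digest of the UTF-8 string 'hello'
const hash = crypto.createHash('sha256').update('hello').digest('hex');
// 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
```
Browser (Web Crypto API):
```javascript
// crypto.subtle is only available in secure contexts (HTTPS or localhost).
// digest() returns a Promise, so the call is wrapped in an async function.
async function sha256Hex(message) {
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
  // Convert the ArrayBuffer to a lowercase hex string
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}
const hashHex = await sha256Hex('hello');
```
Python (hashlib):
```python
import hashlib
# hashlib operates on bytes, so the input is a bytes literal
hash_hex = hashlib.sha256(b'hello').hexdigest()
# 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
```
Summary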
Cryptographic hash functions are indispensable tools for data integrity, authentication, and security. MD5 and SHA-1 are broken and should only be used for non-security purposes. SHA-256 is the current standard for security-critical applications. For password storage, always use purpose-built algorithms like bcrypt or Argon2 that are designed to be slow. Understanding these distinctions helps you make the right security decisions in your applications.