Hash functions are everywhere in software: password storage, file integrity checks, digital signatures, content addressing, caching. Picking the right one depends on what you’re trying to accomplish. Here’s a straightforward comparison of the three most commonly encountered hash algorithms.
What hashing does
A hash function takes an input of any size and produces a fixed-size output (the “digest” or “hash”). The same input always produces the same output. Even a single bit change in the input produces a completely different hash — this is called the avalanche effect.
Crucially, hash functions are one-way. You can go from input to hash, but you can’t reverse the process to recover the input. This isn’t encryption (there’s no key to decrypt with); it’s a lossy transformation.
MD5: fast but broken
MD5 produces a 128-bit (32-character hex) digest. It was designed in 1991 by Ronald Rivest and was the go-to hash function for over a decade.
The problem: MD5 is cryptographically broken. Collision attacks — where two different inputs produce the same hash — are practical and fast. In 2004, researchers demonstrated collisions. By 2008, researchers created a rogue CA certificate using an MD5 collision. Today, generating MD5 collisions takes seconds on commodity hardware.
When MD5 is still fine: Non-security contexts where you just need a fast checksum. Deduplication, cache keys, hash-based partitioning, ETags. If an attacker crafting a collision isn’t in your threat model, MD5 works and it’s fast. Many developers use our MD5 hash generator for exactly these use cases.
When MD5 is not fine: Anything security-related. Password hashing, digital signatures, certificate validation, integrity verification in adversarial contexts. Don’t use it here.
SHA-256: the current standard
SHA-256 is part of the SHA-2 family, designed by the NSA and published in 2001. It produces a 256-bit (64-character hex) digest. No practical collision attacks exist against SHA-256, and none are expected with current technology.
SHA-256 is used in TLS certificates, Git (for commit hashes), Bitcoin’s proof-of-work, and countless other systems. It’s the safe default when you need a cryptographic hash.
Performance: SHA-256 is slower than MD5 — roughly 3-4x slower in software implementations. For most applications this doesn’t matter. If you’re hashing user passwords, you should be using a dedicated password hashing function anyway (bcrypt, scrypt, Argon2), not a raw hash.
Our SHA-256 hash generator lets you quickly hash strings and verify digests right in the browser.
SHA-512: more bits, different trade-offs
SHA-512 is SHA-256’s bigger sibling, producing a 512-bit (128-character hex) digest. Same SHA-2 family, same security properties, different internal structure.
The interesting wrinkle: SHA-512 is often faster than SHA-256 on 64-bit processors. SHA-256 uses 32-bit operations internally, while SHA-512 uses 64-bit operations. On modern 64-bit CPUs, SHA-512 can actually be the faster option. On 32-bit or embedded systems, SHA-256 is faster.
SHA-512 provides a larger security margin (256 bits of collision resistance vs 128 bits for SHA-256). Both are well beyond what’s practically attackable, but some high-security applications prefer the extra margin. You can generate these with our SHA-512 hash generator.
Quick comparison
- MD5 — 128-bit output, fast, broken for security use. Fine for checksums and non-adversarial hashing.
- SHA-256 — 256-bit output, cryptographically strong, widely supported. The safe default for most applications.
- SHA-512 — 512-bit output, cryptographically strong, faster on 64-bit hardware. Choose when you want extra margin or are on a 64-bit system and need speed.
What about SHA-1?
SHA-1 sits between MD5 and SHA-256 in both security and output size (160 bits). Like MD5, it’s cryptographically broken — Google and CWI Amsterdam demonstrated a practical collision in 2017 (the “SHAttered” attack). Git still uses SHA-1 for backward compatibility but is migrating to SHA-256. Don’t choose SHA-1 for new projects.
What about SHA-3?
SHA-3 (Keccak) was standardized in 2015 as a backup in case SHA-2 was broken. SHA-2 remains secure, so SHA-3 adoption has been slow. It uses a completely different internal design (a sponge construction instead of Merkle-Damgaard). It’s a valid choice but rarely necessary unless you have specific compliance or diversity requirements.
Making the choice
For most developers, the decision tree is simple:
- Need a quick checksum with no security requirements? MD5 is fine.
- Need a cryptographic hash? Use SHA-256.
- On a 64-bit system and want speed plus a larger security margin? SHA-512.
- Hashing passwords? None of these — use bcrypt, scrypt, or Argon2 instead.
The password point is worth repeating. Raw hash functions are designed to be fast. Password hashing functions are designed to be slow (to make brute-force attacks expensive). They’re different tools for different jobs.