Hash Algorithms Guide: MD5, SHA-1, SHA-256 and Beyond
Comprehensive guide to cryptographic hash functions including MD5, SHA-1, SHA-256, and SHA-512. Learn when to use each algorithm and understand their security implications.
What is a Hash Function?
A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a fixed-size bit string. The output, called a hash value or digest, acts as a unique digital fingerprint of the input data.
Key Properties of Hash Functions
- Deterministic: Same input always produces the same output
- Fast computation: Hash can be computed quickly
- One-way function: Infeasible to reverse the hash to get original data
- Collision resistant: Hard to find two different inputs with same hash
- Avalanche effect: Small input change drastically changes the output
Common Hash Algorithms
1. MD5 (Message Digest 5)
Produces a 128-bit (16-byte) hash value. While fast and widely used historically, MD5 is now considered cryptographically broken and unsuitable for security purposes.
Example MD5 Hash
Input: "Hello World" MD5: b10a8db164e0754105b7a99be72e3fe5Use cases: Checksums, non-security data integrity verification
Security status: ❌ Not secure - vulnerable to collision attacks
2. SHA-1 (Secure Hash Algorithm 1)
Produces a 160-bit (20-byte) hash value. Once widely used for SSL certificates and Git, SHA-1 has been deprecated due to collision vulnerabilities demonstrated in 2017.
Example SHA-1 Hash
Input: "Hello World" SHA-1: 0a4d55a8d778e5022fab701977c5d840bbc486d0Use cases: Legacy systems, Git commit hashing (being phased out)
Security status: ⚠️ Deprecated - collision attacks possible
3. SHA-256 (SHA-2 Family)
Produces a 256-bit (32-byte) hash value. Part of the SHA-2 family, it's currently the recommended standard for most security applications. Used in SSL/TLS, Bitcoin, and many other systems.
Example SHA-256 Hash
Input: "Hello World" SHA-256: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146eUse cases: SSL/TLS certificates, blockchain, password hashing (with salt), digital signatures
Security status: ✅ Secure - recommended for current use
4. SHA-512 (SHA-2 Family)
Produces a 512-bit (64-byte) hash value. Offers higher security margins than SHA-256 at the cost of slightly slower performance.
Example SHA-512 Hash
Input: "Hello World" SHA-512: 2c74fd17edafd80e8447b0d46741ee243b7eb74dd2149a0ab1b9246fb30382f27e...Use cases: High-security applications, cryptographic operations
Security status: ✅ Secure - recommended for high-security needs
Choosing the Right Algorithm
For Data Integrity (Non-Security)
Use MD5 or SHA-1 for checksums where speed is important and security isn't critical, such as detecting accidental file corruption.
For Security Applications
Always use SHA-256 or SHA-512. Never use MD5 or SHA-1 for passwords, digital signatures, or any security-critical application.
For Password Storage
Don't use plain hash algorithms for passwords! Instead, use dedicated password hashing functions like bcrypt, scrypt, or Argon2, which include salting and key stretching.
Common Mistakes to Avoid
- Using MD5/SHA-1 for security: These are broken for cryptographic purposes
- Not using salt with passwords: Rainbow table attacks can crack unsalted hashes
- Comparing hashes incorrectly: Use constant-time comparison to prevent timing attacks
- Truncating hash outputs: This weakens security significantly
Practical Applications
File Integrity Verification
Hash functions verify that downloaded files haven't been tampered with or corrupted:
# Verify downloaded file
echo "expected_hash downloaded_file.zip" | sha256sum -cAPI Request Signing
Hash the request payload to create tamper-proof API signatures:
const crypto = require('crypto');
const signature = crypto
.createHmac('sha256', secretKey)
.update(requestBody)
.digest('hex');Try Our Hash Generator Tool
Generate and compare hashes using multiple algorithms: