SHA-256 vs MD5: Which Hash Function Should You Use?

What is a Hash Function?

A hash function takes an input of any size and produces a fixed-length string of characters, called a digest or hash. The same input always produces the same output, but even a tiny change to the input creates a completely different hash. This property makes hash functions essential for verifying data integrity, storing passwords, and securing digital communications.

A good cryptographic hash function has three critical properties. First, it must be pre-image resistant — given a hash, it should be computationally infeasible to find the original input. Second, it must be second pre-image resistant — given an input and its hash, it should be nearly impossible to find a different input that produces the same hash. Third, it must be collision resistant — it should be extremely difficult to find any two different inputs that produce the same hash.

With those fundamentals in mind, let's compare the most commonly discussed hash functions: MD5, SHA-1, SHA-256, and SHA-512.

MD5 — Fast, Familiar, and Broken

MD5 (Message Digest Algorithm 5) was designed by Ronald Rivest in 1991 as a successor to MD4. It produces a 128-bit (16-byte) hash, typically displayed as a 32-character hexadecimal string. For over a decade, MD5 was the default choice for checksums, password storage, and integrity verification.

MD5's greatest strength was always its speed. It can hash data extremely quickly, which made it attractive for file verification and deduplication. However, that same speed became a liability for password hashing, where slower algorithms are actually more secure because they resist brute-force attacks.

The real problem with MD5 is its vulnerability to collision attacks. In 2004, researchers demonstrated that they could generate two different inputs producing the same MD5 hash. By 2008, a team used MD5 collisions to forge a rogue SSL certificate from a trusted certificate authority. Today, generating MD5 collisions can be done in seconds on consumer hardware.

MD5("Hello")    → 8b1a9953c4611296a827abf8c47804d7
MD5("Hello!")   → 952d2c56d0485f7f5f5e3b4004f15168

The bottom line: never use MD5 for security purposes. It remains acceptable only for non-adversarial checksums, like verifying that a file downloaded correctly over a trusted connection.

SHA-1 — Better Than MD5, Still Deprecated

SHA-1 (Secure Hash Algorithm 1) was designed by the NSA and published by NIST in 1995. It produces a 160-bit (20-byte) hash, displayed as a 40-character hexadecimal string. SHA-1 was widely adopted in SSL certificates, Git version control, and digital signatures throughout the 2000s.

SHA-1 improved upon MD5 with a longer digest and stronger internal structure, but theoretical attacks began surfacing as early as 2005. In 2017, Google's Project SHAttered produced the first practical SHA-1 collision, generating two different PDF files with the same SHA-1 hash. The attack required significant computational resources but proved that SHA-1 could no longer be trusted for security.

Major browsers stopped accepting SHA-1 SSL certificates in 2017, and NIST formally deprecated SHA-1 for digital signatures. Git still uses SHA-1 for commit hashes but is migrating to SHA-256. If you encounter SHA-1 in legacy systems, plan a migration to SHA-256.

SHA-256 — The Current Standard

SHA-256 is part of the SHA-2 family, designed by the NSA and published by NIST in 2001. It produces a 256-bit (32-byte) hash, displayed as a 64-character hexadecimal string. SHA-256 is the most widely used member of the SHA-2 family and is considered the industry standard for cryptographic hashing in 2026.

SHA-256("Hello") → 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

The security of SHA-256 comes from its resistance to all known attack methods. No collisions have ever been found, and brute-forcing a collision would require roughly 2^128 operations — a number so large that it exceeds the computational capacity of all existing hardware combined. SHA-256 is approved by NIST, required for US government applications, and forms the backbone of Bitcoin's proof-of-work algorithm.

SHA-256 is slower than MD5, but this is a feature rather than a flaw. For password hashing, the additional computation time per hash makes brute-force attacks significantly more expensive. For file integrity and digital signatures, the difference in speed is negligible on modern hardware.

SHA-512 — When Extra Security Matters

SHA-512, also part of the SHA-2 family, produces a 512-bit (64-byte) hash. It uses 64-bit operations internally, which means it actually runs faster than SHA-256 on 64-bit processors — a counterintuitive fact that makes SHA-512 an attractive choice on modern server hardware.

SHA-512 provides a larger security margin than SHA-256. While SHA-256 is considered secure against all known attacks, SHA-512 doubles the digest size, making it even more resistant to future advances in computing. Some organizations choose SHA-512 for long-term data archival, high-security government applications, and systems where the cost of a hash compromise would be catastrophic.

In practice, SHA-256 and SHA-512 are both considered secure. The choice between them often comes down to performance characteristics on your target platform and whether compliance requirements mandate a specific algorithm.

Hash Functions vs Encryption

A common misconception is that hashing and encryption are the same thing. They are fundamentally different. Encryption is reversible — you can decrypt ciphertext back to plaintext using a key. Hashing is one-way — there is no key, and you cannot recover the original data from the hash.

Encryption is used when you need to protect data in transit or at rest and later retrieve it: HTTPS, encrypted databases, secure messaging. Hashing is used when you need to verify data without storing or transmitting the original: password storage, digital signatures, file integrity checks.

When you store a password, you hash it. When a user logs in, you hash their input and compare it to the stored hash. The actual password is never stored or recoverable. This is why secure systems cannot "send you your password" — they can only reset it.

Practical Use Cases for Each

Choosing the right hash function depends on your specific requirements. Here is a practical breakdown:

• MD5: Non-security checksums, cache keys, deduplication in trusted environments, legacy system compatibility. Never use for passwords or security.
• SHA-1: Avoid for new projects. Acceptable only for backward compatibility with systems that have not yet migrated (like older Git repositories).
• SHA-256: Digital signatures, SSL/TLS certificates, blockchain, password hashing (combined with bcrypt/PBKDF2/Argon2), software integrity verification, API authentication (HMAC-SHA256). This is your default choice.
• SHA-512: High-security government systems, long-term archival, 64-bit server environments where its performance advantage over SHA-256 matters, and any application requiring the maximum security margin available in the SHA-2 family.

For password hashing specifically, do not use any of these algorithms alone. Use a dedicated password hashing function like bcrypt, scrypt, or Argon2, which incorporate salting and adjustable work factors. These functions may use SHA-256 or SHA-512 internally, but they add critical protections against rainbow table and brute-force attacks.

The era of MD5 and SHA-1 for security is over. SHA-256 is the safe, reliable default for virtually all modern applications. Use it unless you have a specific, well-justified reason to choose something else.