MD5 vs SHA-256: Which Hash Algorithm Should You Use?
Hashing is fundamental to software engineering โ it underpins password storage, file integrity checks, digital signatures, and caching. But not all hash functions are equal. MD5 and SHA-1 are still widely encountered, yet security-sensitive code should avoid them entirely. This guide explains the practical differences and helps you pick the right algorithm for your use case.
What Is a Cryptographic Hash Function?
A cryptographic hash function takes an input of any length and produces a fixed-length output (the digest). Three properties define a secure hash function:
- Deterministic โ the same input always produces the same digest.
- Preimage resistant โ given a digest, it is computationally infeasible to find the original input.
- Collision resistant โ it is computationally infeasible to find two different inputs that produce the same digest.
When any of these properties breaks down, the algorithm is considered broken for security purposes.
MD5 (128-bit)
MD5 was designed by Ron Rivest in 1991 and produces a 128-bit (32-character hex) digest. It was widely adopted for password hashing, checksums, and digital certificates โ but its collision resistance was broken in 2004. Researchers demonstrated that two different files could be crafted to produce the same MD5 hash in a matter of seconds on a modern laptop.
Use MD5 for: Non-security checksums, caching keys, hash-based data partitioning. Its speed makes it useful where you need fast deduplication and security is not a concern.
Do not use MD5 for: Password storage, file integrity verification against malicious tampering, digital signatures, or any security-sensitive context.
SHA-1 (160-bit)
SHA-1 produces a 160-bit (40-character hex) digest and was the successor to MD5. It was widely used in TLS certificates, Git object identifiers, and code signing. Google's SHAttered attack in 2017 demonstrated a practical SHA-1 collision, producing two different PDF files with the same SHA-1 hash. Most certificate authorities stopped issuing SHA-1 certificates in 2016; browsers now reject them.
Notable exception: Git still uses SHA-1 internally for object addressing, though a collision in this context is much harder to weaponise because Git also stores object types in the hashed content. Git is gradually migrating to SHA-256 (via --object-format=sha256).
Do not use SHA-1 for: Any new security application. It exists in legacy systems that have not yet been updated.
SHA-256 (256-bit)
SHA-256 is part of the SHA-2 family, designed by the NSA and published in 2001. It produces a 256-bit (64-character hex) digest. No practical attacks against SHA-256's collision resistance have been demonstrated, and it is the current industry standard for most security applications.
Use SHA-256 for:
- File integrity verification (software downloads, build artifacts)
- HMAC message authentication (JWT signatures with HS256)
- TLS certificate fingerprints
- Code signing
- Blockchain and cryptocurrency (Bitcoin uses SHA-256d)
- General-purpose secure hashing
SHA-512 (512-bit)
SHA-512 also belongs to the SHA-2 family and produces a 512-bit (128-character hex) digest. It is marginally more secure than SHA-256 due to its larger output size, and it can actually be faster than SHA-256 on 64-bit hardware because it processes data in 64-bit words versus 32-bit words for SHA-256.
Use SHA-512 for: Applications where the additional digest length is beneficial โ such as signing large files, deriving cryptographic keys, or systems that need to guard against advances in quantum computing.
What About Password Hashing?
None of the above algorithms โ not even SHA-256 โ are appropriate for storing passwords directly. General-purpose hash functions are designed to be fast, which makes them easy to brute-force. An attacker with a GPU can try billions of SHA-256 hashes per second.
For passwords, use a key derivation function designed to be computationally expensive: bcrypt, scrypt, or Argon2 (the current recommendation). These are specifically tuned to make brute-force attacks impractical.
Quick Reference
| Algorithm | Output size | Speed | Secure? | Use case |
|---|---|---|---|---|
| MD5 | 128 bits | Very fast | No (collision broken) | Non-security checksums, cache keys |
| SHA-1 | 160 bits | Fast | No (collision broken) | Legacy systems only |
| SHA-256 | 256 bits | Fast | Yes | File integrity, HMAC, TLS, general security |
| SHA-512 | 512 bits | Fast (64-bit hardware) | Yes | High-security, key derivation input |
Key Takeaways
- MD5 and SHA-1 have broken collision resistance โ do not use them for security.
- SHA-256 is the safe default for new systems.
- SHA-512 is a reasonable upgrade when you need a larger digest.
- For passwords, use bcrypt, scrypt, or Argon2 โ never a raw hash function.