MD5 vs SHA-256: Which Hash Should You Use?

May 2026 · 7 min read

A hash function takes any input — a string, a file, a password — and produces a fixed-length output called a hash or digest. The same input always produces the same hash. Any change to the input, even a single character, produces a completely different hash.

The four hash algorithms you will encounter most often are MD5, SHA-1, SHA-256, and SHA-512. They look similar at a glance, but they differ significantly in output size, speed, and security. Choosing the wrong one is one of the most common security mistakes in web development.

Generate hashes instantly in your browser:

Open Hash Generator →

Quick comparison

Algorithm Output size Hex chars Security Use for
MD5 128 bits 32 Broken Checksums, cache keys
SHA-1 160 bits 40 Deprecated Git commit IDs (legacy)
SHA-256 256 bits 64 Secure TLS, JWTs, signatures
SHA-512 512 bits 128 Secure High-security signing

MD5 — fast, broken, still everywhere

MD5 was designed in 1991 and was the default hashing algorithm for decades. It produces a 128-bit (32 hex character) digest very quickly. The problem: MD5 is cryptographically broken. Researchers have demonstrated practical collision attacks since 2004 — meaning two different inputs can be deliberately crafted to produce the same MD5 hash.

Example MD5 hashes:

MD5("hello") = 5d41402abc4b2a76b9719d911017c592
MD5("Hello") = 8b1a9953c4611296a827abf8c47804d7

What MD5 is still fine for:

  • File checksums where you control both sides and collisions are not a threat (e.g. detecting accidental corruption, not malicious tampering)
  • Cache keys and deduplication where speed matters and security is irrelevant
  • Non-security fingerprinting (URL shorteners, ETag headers)

What you must never use MD5 for:

  • Password storage — even with MD5, rainbow tables can crack most passwords in seconds
  • Digital signatures
  • Certificate fingerprints
  • Any security-sensitive integrity check

SHA-1 — deprecated but still in the wild

SHA-1 produces a 160-bit (40 hex character) digest. Google demonstrated a practical SHA-1 collision in 2017 (the SHAttered attack), and all major browsers and CAs stopped accepting SHA-1 certificates. It is still used in Git commit IDs (though Git is migrating to SHA-256) and some legacy systems.

Do not use SHA-1 for any new development. If you are maintaining a legacy system that uses SHA-1, plan a migration to SHA-256.

SHA-1("hello") = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

SHA-256 — the standard choice

SHA-256 is part of the SHA-2 family, standardized by NIST in 2001. It produces a 256-bit (64 hex character) digest and is considered secure against all known attacks. It is the algorithm behind TLS certificates, Bitcoin, JWT signatures (HS256, RS256), and most modern cryptographic systems.

SHA-256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Use SHA-256 for:

  • HMAC signatures for API authentication
  • Data integrity verification (file downloads, webhooks)
  • JWT tokens (HS256 / RS256 / ES256)
  • TLS certificate hashing
  • Blockchain and proof-of-work systems

SHA-512 — more security margin

SHA-512 produces a 512-bit (128 hex character) digest. It offers a larger security margin than SHA-256 and is actually faster than SHA-256 on 64-bit CPUs due to its 64-bit word operations. Use it when you need the strongest possible hash output — for example, high-value signing keys, government-grade data integrity, or long-term archival hashing.

SHA-512("hello") = 9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043

The critical mistake: hashing passwords

This is the single most important point in this article: do not use MD5, SHA-1, SHA-256, or SHA-512 directly to store passwords.

All of these algorithms are designed to be fast. Fast is bad for password storage — it means an attacker with a GPU can test billions of passwords per second against a stolen hash database. In 2024, a modern GPU can crack an unsalted MD5 password hash of a typical password in milliseconds.

For passwords, use a dedicated password hashing function that is deliberately slow and includes a salt:

  • bcrypt — the most widely supported. Tunable cost factor. Good default choice.
  • Argon2 — winner of the Password Hashing Competition (2015). Memory-hard. Recommended for new systems.
  • PBKDF2 — NIST-approved. Required for FIPS compliance. Uses a configurable iteration count.
  • scrypt — memory-hard, computationally intensive. Used in Litecoin and some Linux distributions.
// Node.js — bcrypt example
import bcrypt from 'bcrypt';

const hash = await bcrypt.hash(password, 12); // 12 = cost factor
const match = await bcrypt.compare(inputPassword, hash);

Practical rule of thumb

  • Passwords → bcrypt / Argon2 (never raw hashes)
  • API signatures, JWTs, data integrity → SHA-256
  • High-security signing → SHA-512
  • Non-security checksums, cache keys → MD5 is acceptable
  • Legacy Git compatibility → SHA-1 is acceptable
  • New systems → never use MD5 or SHA-1 for anything security-related

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes in your browser with the free Hash Generator →

Related Articles