MD5 vs SHA-256: Which Hash Algorithm Should You Use?
Hashing is one of the most fundamental operations in computing — yet choosing the wrong algorithm can expose your system to collision attacks, data corruption, or unnecessary performance overhead. This guide compares the four most widely used hash algorithms and gives you a clear decision framework.
What Is a Hash Function?
A cryptographic hash function takes arbitrary input data and produces a fixed-size output (the “digest” or “hash”). Good hash functions have three properties:
- Deterministic: The same input always produces the same output.
- One-way: You cannot reverse the hash to recover the original input.
- Collision-resistant: It should be computationally infeasible to find two different inputs that produce the same hash.
When property #3 breaks, the algorithm is considered “cryptographically broken” — this is exactly what happened to MD5 and SHA-1.
Algorithm Comparison at a Glance
| Property | MD5 | SHA-1 | SHA-256 | SHA-512 |
|---|---|---|---|---|
| Output size | 128 bits (32 hex chars) | 160 bits (40 hex chars) | 256 bits (64 hex chars) | 512 bits (128 hex chars) |
| Block size | 512 bits | 512 bits | 512 bits | 1024 bits |
| Year introduced | 1991 | 1995 | 2001 | 2001 |
| Designer | Ron Rivest | NSA / NIST | NSA / NIST | NSA / NIST |
| Collision resistance | Broken (2004) | Broken (2017) | Secure | Secure |
| Speed (relative) | Fastest | Fast | Moderate | Moderate (faster on 64-bit) |
| NIST status | Deprecated | Deprecated | Recommended | Recommended |
MD5: Fast but Broken
MD5 (Message-Digest Algorithm 5) was designed by Ronald Rivest in 1991 and became the de facto standard for checksums throughout the 1990s and early 2000s. It produces a 128-bit hash in 32 hexadecimal characters.
Why MD5 Is Broken
In 2004, Xiaoyun Wang demonstrated practical collision attacks against MD5. By 2008, researchers created a rogue SSL certificate using MD5 collisions, proving the attack was not just theoretical. Today, MD5 collisions can be generated in seconds on consumer hardware.
// Generate an MD5 hash (for non-security use only)
// Using the Web Crypto API is not available for MD5 — use a library
import { md5 } from 'hash-wasm';
const hash = await md5('Hello, World!');
console.log(hash);
// → 'bea8252ff4e80f41719ea13cdf007273' (32 hex chars)When MD5 Is Still Acceptable
Despite being cryptographically broken, MD5 remains useful for non-security applications:
- File deduplication: Detecting duplicate files in storage systems
- Cache keys: Generating short, deterministic keys for cache lookups
- Data integrity checksums: Quick verification that data was not accidentally corrupted (not deliberately tampered with)
- Legacy system compatibility: Interoperating with older systems that require MD5
The key distinction: MD5 protects against accidental corruption but not against deliberate manipulation.
SHA-1: Deprecated but Lingering
SHA-1 (Secure Hash Algorithm 1) was designed by the NSA and published by NIST in 1995. It produces a 160-bit hash in 40 hexadecimal characters.
In 2017, Google and CWI Amsterdam demonstrated the first practical SHA-1 collision (the “SHAttered” attack), generating two different PDF files with the same SHA-1 hash. Major browsers and certificate authorities had already begun rejecting SHA-1 certificates by 2016.
Use SHA-1 only for compatibility with systems that require it (e.g., Git uses SHA-1 for commit hashes, though it is transitioning to SHA-256). For any new development, choose SHA-256 or stronger.
SHA-256: The Current Standard
SHA-256 is part of the SHA-2 family, designed by the NSA and published by NIST in 2001. It produces a 256-bit hash in 64 hexadecimal characters and is the recommended algorithm for virtually all hashing needs in 2026.
// Generate a SHA-256 hash using the Web Crypto API (browser-native)
async function sha256(text) {
const data = new TextEncoder().encode(text);
const hash = await crypto.subtle.digest('SHA-256', data);
return Array.from(new Uint8Array(hash))
.map(b => b.toString(16).padStart(2, '0'))
.join('');
}
const hash = await sha256('Hello, World!');
console.log(hash);
// → 'dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f'Why SHA-256 Is the Default Choice
- No known attacks: As of 2026, no practical collision or preimage attacks exist
- Browser-native: Available via the Web Crypto API in all modern browsers — no libraries needed
- Industry standard: Used by TLS certificates, Bitcoin, package managers (npm, pip), Docker image digests, and most integrity verification systems
- NIST approved: Recommended for all security-sensitive applications
SHA-512: When You Need More
SHA-512 produces a 512-bit hash in 128 hexadecimal characters. It uses a 1024-bit block size (vs SHA-256’s 512 bits), which makes it faster than SHA-256 on 64-bit processors because it processes more data per cycle.
# Python: SHA-512 is just as easy as SHA-256
import hashlib
hash_256 = hashlib.sha256(b'Hello, World!').hexdigest()
hash_512 = hashlib.sha512(b'Hello, World!').hexdigest()
print(f"SHA-256: {hash_256}") # 64 chars
print(f"SHA-512: {hash_512}") # 128 charsUse SHA-512 when:
- You need a larger security margin (256-bit collision resistance vs 128-bit for SHA-256)
- Your platform is 64-bit and performance matters (SHA-512 can be 1.5x faster than SHA-256 on x86-64)
- The protocol or spec requires it (some certificate schemes, specific compliance requirements)
For most applications, SHA-256 is sufficient. The extra length of SHA-512 hashes doubles storage and bandwidth without a practical security benefit for typical use cases.
Decision Framework: Which Hash to Use
For file integrity and checksums
Use SHA-256. It is the standard for verifying downloads, comparing file contents, and ensuring data was not corrupted. If you are replacing an existing MD5-based system, SHA-256 is the drop-in upgrade.
# Verify a download's integrity
sha256sum downloaded-file.tar.gz
# Compare output against the published hashFor password storage
Use neither MD5 nor SHA-256 directly. General-purpose hash functions are too fast for password hashing — an attacker can try billions of guesses per second. Instead, use a dedicated password hashing algorithm:
| Algorithm | Status | Notes |
|---|---|---|
| Argon2id | Recommended | Winner of the 2015 Password Hashing Competition; memory-hard |
| bcrypt | Good | Widely supported; built-in salt; adjustable work factor |
| scrypt | Good | Memory-hard; used by some cryptocurrency systems |
| PBKDF2 | Acceptable | NIST approved but not memory-hard; use ≥600,000 iterations |
| SHA-256 | Inadequate | Too fast; no built-in salt; vulnerable to GPU attacks |
| MD5 | Dangerous | Broken + too fast; trivially cracked |
// WRONG: Don't hash passwords with SHA-256
const hash = await sha256(password); // Crackable at billions/sec
// RIGHT: Use bcrypt (Node.js example)
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12); // 12 rounds = ~250ms
const isValid = await bcrypt.compare(input, hash);For HMAC and message authentication
Use SHA-256 with HMAC. HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to verify both integrity and authenticity:
// HMAC-SHA256 for webhook signature verification
async function verifyWebhook(payload, signature, secret) {
const key = await crypto.subtle.importKey(
'raw', new TextEncoder().encode(secret),
{ name: 'HMAC', hash: 'SHA-256' }, false, ['verify']
);
const sig = Uint8Array.from(atob(signature), c => c.charCodeAt(0));
return crypto.subtle.verify('HMAC', key, sig, new TextEncoder().encode(payload));
}For content-addressable storage
Use SHA-256. Git, Docker, and IPFS all use content-addressable storage where the hash of the content serves as its address. SHA-256 provides sufficient collision resistance to guarantee uniqueness across billions of objects.
Performance Benchmarks
Relative hashing speed on a modern x86-64 processor (higher = faster):
| Algorithm | Throughput (MB/s) | Relative Speed |
|---|---|---|
| MD5 | ~3,200 | 1.0x (baseline) |
| SHA-1 | ~2,400 | 0.75x |
| SHA-256 | ~1,500 | 0.47x |
| SHA-512 | ~2,100 | 0.66x |
Note: SHA-512 is faster than SHA-256 on 64-bit processors due to its wider internal state. On 32-bit systems, the situation reverses. For most applications, the speed difference is irrelevant — hashing a 1 MB file takes under 1 ms with any of these algorithms.
Common Mistakes to Avoid
1. Using MD5 for security
MD5 collisions are trivial to generate. Never use MD5 for digital signatures, certificate validation, or any scenario where an attacker could craft malicious input.
2. Hashing passwords with SHA-256
SHA-256 is not a password hash. It is too fast, has no built-in salt, and is vulnerable to rainbow table and GPU-accelerated brute-force attacks. Use Argon2id or bcrypt.
3. Assuming hash length equals security
A 512-bit hash is not automatically “more secure” than a 256-bit hash for collision resistance. The security margin of SHA-256 (128-bit collision resistance) is already far beyond brute-force capability. Choose based on your actual requirements, not hash length.
4. Rolling your own hash combinations
Patterns like SHA256(MD5(data)) or MD5(data + salt) do not magically fix a broken algorithm. Use a single, well-vetted algorithm (SHA-256) or a proper construction (HMAC) instead.
Try It Yourself
Generate and compare MD5, SHA-1, SHA-256, and SHA-512 hashes instantly with our Hash Generator — paste text or drop a file, and see all four digests side by side. 100% in your browser, no data ever leaves your device.
For a broader look at web security including authentication, input validation, and security headers, read our Web Security Essentials guide.
Frequently Asked Questions
Is MD5 still safe for checksums?
MD5 is safe for detecting accidental file corruption — if a file is damaged during download, the MD5 hash will almost certainly change. However, MD5 is not safe against deliberate tampering because an attacker can craft a modified file with the same MD5 hash. For integrity verification where adversaries are a concern (e.g., software distribution), use SHA-256 instead.
How much slower is SHA-256 compared to MD5?
SHA-256 is roughly 2x slower than MD5 in raw throughput. On modern hardware, MD5 hashes at about 3,200 MB/s while SHA-256 hashes at about 1,500 MB/s. In practice, this difference is negligible for most applications — hashing a 100 MB file takes about 70 ms with SHA-256. The performance gap only matters for very high-throughput scenarios like network packet inspection or storage deduplication at scale.
Should I use SHA-256 or SHA-512 for my application?
Use SHA-256 for most applications — it provides 128-bit collision resistance, which is far beyond brute-force capability. Choose SHA-512 if: (a) your platform is 64-bit and you need maximum throughput, (b) a specification or compliance requirement mandates it, or (c) you want a larger security margin for long-term data integrity. The extra hash length of SHA-512 doubles storage and is rarely necessary.
Can SHA-256 be cracked or reversed?
SHA-256 cannot be reversed — it is a one-way function. As of 2026, no practical preimage or collision attacks exist against SHA-256. The best known attack requires 2^128 operations for collisions, which is computationally infeasible with current or foreseeable technology. SHA-256 is approved by NIST and used in critical infrastructure including TLS, Bitcoin, and federal systems.
Why do some systems still use MD5 if it is broken?
Legacy compatibility is the main reason. Many existing systems, protocols, and file formats were designed around MD5 before its weaknesses were discovered. Migrating away requires coordinated changes across all components. For non-security uses like cache keys and deduplication, MD5’s speed advantage and shorter output make it a pragmatic choice where collision attacks are not a threat model concern.