Hash Algorithms Explained: MD5, SHA-1, SHA-256, and SHA-512

5 min read · Updated June 2026

Hash functions convert any input into a fixed-length fingerprint. They're essential for verifying data integrity, storing passwords, and digital signatures. But not all hashes are created equal — MD5 is broken for security, while SHA-256 is the modern standard.

What Is a Hash Function?

A cryptographic hash function has three key properties:

  • Deterministic — same input always produces the same output
  • One-way — you can't reverse a hash back to the original input
  • Avalanche effect — changing one bit of input completely changes the output

Algorithm Comparison

| Algorithm | Output Size | Security | Use Case |
|-----------|-------------|----------|----------|
| MD5 | 128-bit | Broken | Legacy only, file checksums (non-security) |
| SHA-1 | 160-bit | Broken | Legacy only, Git objects |
| SHA-256 | 256-bit | Secure | Passwords, TLS, blockchain, general purpose |
| SHA-512 | 512-bit | Secure | High-security applications, large data |

Common Use Cases

  • File integrity — Verify downloads match the published hash (SHA-256 is standard)
  • Password storage — Never store plaintext passwords; use bcrypt or Argon2 (not raw SHA-256)
  • Data deduplication — Compare file hashes instead of file contents
  • Digital signatures — Hash the message, then sign the hash
  • API request signing — AWS, Stripe, and others use HMAC-SHA256 for authentication

Why MD5 and SHA-1 Are Broken

A collision attack lets an attacker find two different inputs that produce the same hash. For MD5, this was demonstrated in 2004. For SHA-1, a real-world collision ("SHAttered") was demonstrated in 2017. Never use either algorithm for security-critical purposes.

Password Hashing: Don't Use Raw SHA-256

Raw hash functions are too fast for passwords. Use a purpose-built algorithm:

  • bcrypt — Industry standard, built-in salt, adjustable cost factor
  • Argon2 — Winner of the Password Hashing Competition, memory-hard
  • scrypt — Memory-hard, used in cryptocurrency mining

Generate Hashes Instantly

Use our Hash Generator to compute MD5, SHA-1, SHA-256, and SHA-512 hashes for any text — 100% in your browser, no data sent to any server.

The Bottom Line

  1. Use SHA-256 or SHA-512 for general-purpose hashing
  2. MD5 and SHA-1 are broken — only use for non-security checksums
  3. Never store passwords with raw SHA — use bcrypt or Argon2
  4. Always salt password hashes to prevent rainbow table attacks
  5. Use HMAC-SHA256 for API request signing and authentication

Disclaimer: This guide is for informational purposes only and does not constitute security advice. Always follow current OWASP guidelines for cryptographic implementations.