What Is a Hash Function?
A hash function is a mathematical algorithm that transforms any input — a password, a file, or a message — into a fixed-length string of characters called a digest or hash. A good hash function is deterministic (same input always produces the same output), fast to compute, and practically impossible to reverse.
Hash functions are foundational to modern computing: they secure passwords in databases, verify file integrity, power digital signatures, and protect blockchain transactions. But not all hash functions are created equal. Choosing the wrong one can leave your system wide open to attacks.
In this guide, we'll break down the three most common ones — MD5, SHA-256, and SHA-512 — in plain English, so you can make an informed decision.
The Contenders at a Glance
| Property | MD5 | SHA-256 | SHA-512 |
|---|---|---|---|
| Output Size | 128 bits (32 hex chars) | 256 bits (64 hex chars) | 512 bits (128 hex chars) |
| Speed | 🟢 Fastest | 🟡 Moderate | 🔴 Slowest |
| Security | 🔴 Broken (collisions found) | 🟢 Strong | 🟢 Very Strong |
| Collision Resistance | ❌ Practically none | ✅ Excellent | ✅ Exceptional |
| Standard | RFC 1321 (1992) | FIPS 180-4 (2001) | FIPS 180-4 (2001) |
| Common Use Today | Checksums (non-security) | SSL, Git, Bitcoin | Password hashing, signatures |
Technical deep-dive: bit depth, security rating, sample digest strings & relative speed — SHA-256 vs MD5 vs SHA-512
MD5: The Fast but Broken Veteran
Designed by Ron Rivest in 1992, MD5 (Message Digest 5) was once the gold standard of hashing. It produces a 128-bit digest from any input. It is blazingly fast — hashing gigabytes of data in milliseconds — which made it popular for checksums and file verification.
But MD5 has one catastrophic flaw: collisions. A collision occurs when two different inputs produce the same hash. In 1996, cryptographers discovered theoretical weaknesses. By 2004, researchers were generating real-world collisions in hours. Today, an attacker with a modern GPU can produce deliberate MD5 collisions in seconds.
💡 Real-world impact: The Flame malware (2012) exploited MD5 collisions to forge a fake Microsoft certificate, allowing it to sign malicious code as legitimate Windows updates.
When is MD5 still acceptable? For purely non-security purposes — like generating a quick checksum to verify a downloaded file hasn't been corrupted in transit (not tampered with) — MD5 is still fast and convenient. It's also commonly used in legacy systems that haven't been migrated yet.
Never use MD5 for: passwords, cryptographic signatures, or any context where an adversary could deliberately engineer a collision.
SHA-256: The Current Industry Standard
SHA-256 is part of the SHA-2 family, published by the NSA in 2001 and standardised in FIPS 180-4. It produces a 256-bit (32-byte) digest. Unlike MD5, no practical collision has ever been found in SHA-256. It is the backbone of modern cryptographic infrastructure.
Here's where you'll find SHA-256 powering everything around you:
- TLS/HTTPS certificates — Nearly every website you visit over HTTPS uses SHA-256 in its certificate chain.
- Git version control — Every Git commit is identified by a SHA-256 hash (since Git 2.29+).
- Bitcoin — The entire Bitcoin proof-of-work mining algorithm is based on double SHA-256.
- Code signing — macOS, Windows, and Linux package managers use SHA-256 to verify software integrity.
- JWT (JSON Web Tokens) — The most common JWT algorithm, HS256, uses SHA-256 internally.
SHA-256 strikes the ideal balance between security and performance. On modern 64-bit processors, it's fast enough for almost any application without sacrificing cryptographic strength.
🔐 Security margin: A brute-force attack on SHA-256 would require 2128 operations — more compute than all supercomputers on Earth combined could do in billions of years.
SHA-512: The Heavy-Duty Option
SHA-512 also belongs to the SHA-2 family but operates on 64-bit words internally, making it uniquely suited for 64-bit processor architectures. It produces a 512-bit (64-byte) digest — twice the length of SHA-256. This gives it an even larger security margin, though SHA-256 is already considered unbreakable with current technology.
Interestingly, SHA-512 is often faster than SHA-256 on 64-bit systems because its internal block operations are more efficient on modern 64-bit CPUs. On 32-bit systems or mobile hardware, it's slower.
Where SHA-512 shines:
- Password hashing (used inside bcrypt/PBKDF2 as a building block) — the longer digest adds entropy
- Digital signatures on sensitive documents where maximum security is paramount
- Data integrity verification of large files where you need absolute confidence
- HMAC authentication in high-security server-to-server communication
What About SHA-1?
SHA-1 is the older sibling of SHA-256, producing a 160-bit digest. Like MD5, SHA-1 has been deprecated due to collision attacks. Google's Project Zero team demonstrated a practical SHA-1 collision in 2017 (the "SHAttered" attack). All major browsers and certificate authorities stopped accepting SHA-1 certificates in 2016–2017.
Rule of thumb: If you're considering SHA-1, use SHA-256 instead. Full stop.
The Password Hashing Trap
One common mistake developers make is using SHA-256 or SHA-512 directly for password storage. While both are cryptographically secure as general hash functions, they are too fast for password hashing.
An attacker with a modern GPU cluster can compute billions of SHA-256 hashes per second. This makes dictionary and brute-force attacks very effective against SHA-256-hashed passwords.
For passwords, always use a purpose-built password hashing function instead:
- bcrypt — adaptive, deliberately slow, widely supported
- Argon2 — winner of the Password Hashing Competition (2015), memory-hard
- PBKDF2 — NIST-approved, uses SHA-256 internally with configurable iterations
- scrypt — memory-hard, good for cryptocurrency key derivation
⚠️ Key rule: Never use a plain SHA hash (including SHA-256 or SHA-512) directly for storing user passwords. Always use bcrypt, Argon2, or PBKDF2.
Decision Guide: Which Algorithm Should You Use?
| Use Case | Recommended Algorithm | Reason |
|---|---|---|
| General file checksum | SHA-256 | Secure, fast, universally supported |
| HTTPS / TLS certificate | SHA-256 | Industry standard; required by all browsers |
| JWT signing | SHA-256 (HS256/RS256) | Best security/performance balance |
| Password storage | bcrypt / Argon2 | SHA functions are too fast for passwords |
| Blockchain / cryptocurrency | SHA-256 | Protocol standard for Bitcoin; FIPS compliant |
| High-security digital signatures | SHA-512 | Larger digest = greater security margin |
| Legacy system compatibility | MD5 (checksums only) | Never for security; only for non-adversarial checks |
| API request signing (HMAC) | HMAC-SHA-256 | Standard for OAuth, AWS Signature v4, etc. |
Try It Live: Generate Hashes Instantly
You can generate and compare SHA-256, MD5, and SHA-512 hashes for any text directly in your browser using NexTools' free hash generators. All computations run client-side — your input never leaves your device:
Paste any text and compare the output lengths and formats side by side to see the difference for yourself.
Key Takeaways
- 🔴 MD5 is cryptographically broken. Avoid it for any security purpose. Fine for quick, non-adversarial checksums.
- 🟢 SHA-256 is the go-to choice for virtually every modern security application. Well-supported, FIPS-compliant, and unbroken.
- 🟡 SHA-512 offers a higher security margin and can be faster on 64-bit systems. Use it when handling highly sensitive data or operating in environments that demand the maximum digest length.
- 🛑 For passwords specifically, skip SHA entirely and use bcrypt, Argon2, or PBKDF2.
The bottom line: SHA-256 is your safe default for virtually everything. Reach for SHA-512 when security requirements demand it, and keep MD5 firmly in the "legacy compatibility only" bucket.