You download a file. How do you know it wasn't tampered with during transit? You store passwords in a database. How do you verify logins without keeping passwords in plaintext? You sign a document digitally. How does the recipient know it hasn't been altered?
The answer to all three questions is the same: cryptographic hash functions.
Hashing is one of the most fundamental operations in computing, but it's also one of the most misunderstood. This guide explains what hashes are, how they work, the practical differences between MD5 and SHA-256, and when each is appropriate.
What Is a Hash?
A hash function takes an input of any size — a file, a string of text, an entire database — and produces a fixed-size output called a hash value, hash digest, or simply a hash.
The key properties of a cryptographic hash function are:
- Deterministic. The same input always produces the same hash. Feed the same file into SHA-256 a million times, you get the same 64-character hex string every time.
- Fixed-length output. MD5 always produces a 128-bit (32 hex character) hash. SHA-256 always produces a 256-bit (64 hex character) hash. It doesn't matter if the input is 1 byte or 1 terabyte.
- One-way. You cannot reverse a hash to recover the original input. Given a hash value, there's no mathematical way to compute what input produced it (other than trying every possible input).
- Avalanche effect. A tiny change in the input — even flipping a single bit — produces a completely different hash. "Hello" and "hello" produce entirely unrelated hash values.
- Collision resistance. It should be computationally infeasible to find two different inputs that produce the same hash.
Here's a concrete example. The string "FileMuncher" hashed with different algorithms:
| Algorithm | Hash Value |
|---|---|
| MD5 | a7b3c1d9e4f5a6b7c8d9e0f1a2b3c4d5 |
| SHA-1 | 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b |
| SHA-256 | 4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e |
Change a single character — "FileMunches" instead of "FileMuncher" — and every hash changes completely. There's no pattern, no similarity, no way to predict the new hash from the old one.
MD5: Fast, Ubiquitous, and Broken
MD5 was designed by Ronald Rivest in 1991. It produces a 128-bit hash and was widely adopted across the computing industry for everything from file integrity checking to password storage to digital certificates.
How MD5 Works (Simplified)
MD5 processes input in 512-bit blocks through four rounds of operations involving bitwise logic, modular addition, and predefined constants. Each block's output feeds into the processing of the next block. The final state after all blocks are processed becomes the 128-bit hash.
The Problem with MD5
MD5 is cryptographically broken. In 2004, Chinese researchers demonstrated practical collision attacks — methods to generate two different inputs that produce the same MD5 hash. Since then, the attacks have gotten dramatically more efficient:
- 2004: First collision demonstrated (required significant computation)
- 2008: Researchers created a rogue CA certificate using MD5 collisions, demonstrating real-world attack potential
- 2012: The Flame malware exploited MD5 collisions to forge Windows Update signatures
- 2017: Google's SHAttered project demonstrated the first practical SHA-1 collision (different algorithm, same category of vulnerability, showing the progression of attacks)
Today, generating MD5 collisions takes seconds on consumer hardware. This means MD5 cannot be trusted for any security-sensitive purpose.
When MD5 Is Still Acceptable
Despite being broken for security purposes, MD5 remains useful for non-security applications:
- Checksums for data integrity (non-adversarial) — verifying that a file wasn't corrupted during download or copy, where you trust the source providing the checksum
- Hash tables and data deduplication — using hashes as keys for fast lookups where collision attacks aren't a concern
- Cache invalidation — generating ETags or cache keys based on content
- Legacy system compatibility — interacting with systems that only support MD5
The critical distinction: MD5 is fine when you're protecting against accidental corruption. It's broken when you're protecting against intentional manipulation.
SHA-256: The Current Standard
SHA-256 is part of the SHA-2 family, designed by the NSA and published by NIST in 2001. It produces a 256-bit hash and is the current standard for security-sensitive applications.
Why SHA-256 Is Stronger
The strength difference between MD5 and SHA-256 comes down to both design and output size:
- Larger output space. SHA-256 produces 2^256 possible hash values versus MD5's 2^128. To put this in perspective: 2^256 is approximately the number of atoms in the observable universe squared. The probability of an accidental collision is essentially zero.
- No known practical attacks. As of 2026, no collision attacks against SHA-256 have been demonstrated. Theoretical attacks exist but require computational resources that won't be available for decades (if ever, without quantum computers).
- Stronger internal structure. SHA-256 uses a Merkle-Damgard construction with a more robust compression function than MD5, with 64 rounds of processing per block versus MD5's effectively 4 rounds of 16 operations.
SHA-256 Use Cases
SHA-256 is appropriate for:
- File integrity verification in adversarial contexts (software distribution, evidence handling)
- Digital signatures and certificate generation
- Blockchain and cryptocurrency (Bitcoin's proof-of-work is based on SHA-256)
- Password hashing (as a component — see caveats below)
- HMAC construction for message authentication
- Compliance requirements (NIST, FIPS 140-2, PCI DSS all mandate SHA-256 or stronger)
MD5 vs SHA-256: Direct Comparison
| Property | MD5 | SHA-256 |
|---|---|---|
| Output size | 128 bits (32 hex chars) | 256 bits (64 hex chars) |
| Speed | Faster | Slower (roughly 2-3x) |
| Collision resistance | Broken | No known attacks |
| Pre-image resistance | Weakened | Strong |
| Year published | 1991 | 2001 |
| NIST status | Deprecated | Approved |
| Suitable for security | No | Yes |
| Suitable for checksums | Yes (non-adversarial) | Yes |
Speed vs Security Trade-off
MD5 is faster than SHA-256 — roughly 2-3x faster on most hardware. This speed advantage is sometimes cited as a reason to prefer MD5 for non-security applications. In practice, the speed difference is negligible for typical use cases. Hashing a 100MB file takes milliseconds with either algorithm on modern hardware. The speed difference matters only at extreme scale (billions of hashes per second in database systems or network packet inspection).
Ironically, for password hashing, both MD5 and SHA-256 are too fast. Specialized password hashing algorithms like bcrypt, scrypt, and Argon2 are intentionally slow to resist brute-force attacks.
Practical Use Cases
File Integrity Verification
The most common use case for hashing is verifying that a file hasn't been altered. Software distributors publish hash values alongside their downloads. After downloading, you hash the file locally and compare.
If you're verifying a download from a trusted source (protecting against corruption, not a nation-state adversary), MD5 is adequate. If you're verifying evidence in a legal proceeding or software in a supply-chain security context, use SHA-256.
You can generate hashes for any file using FileMuncher's Hash Generator — it runs entirely in your browser, so the file you're hashing never leaves your device. This is particularly relevant when hashing sensitive files, since cloud-based hash tools would require uploading the very file you're trying to verify.
Password Storage
Passwords should never be stored in plaintext. The standard approach is to store a hash of the password. When a user logs in, you hash their input and compare it to the stored hash.
However, simply hashing passwords with MD5 or SHA-256 is insufficient. You need:
- A slow hash function — bcrypt, scrypt, or Argon2 (not MD5 or SHA-256)
- A unique salt — random data mixed into each password before hashing to prevent rainbow table attacks
- Sufficient work factor — the hash function should take at least 100ms to compute, making brute-force attacks impractical
SHA-256 is sometimes used as a pre-hashing step before bcrypt (to handle passwords longer than bcrypt's 72-byte limit), but it's never used alone for password storage.
Data Deduplication
Storage systems and backup tools use hashes to identify duplicate files without comparing file contents byte-by-byte. Hash every file, compare the hashes. Identical hashes (almost certainly) mean identical files.
For deduplication, MD5 is commonly used because speed matters and the scenario is non-adversarial — you're not worried about an attacker crafting colliding files in your backup system. SHA-256 works equally well if you prefer the extra assurance.
Digital Signatures
When you digitally sign a document, you're not encrypting the entire document with your private key — that would be prohibitively slow. Instead, you hash the document and sign the hash. The recipient hashes the document independently and verifies that your signature matches their hash.
This requires collision resistance. If an attacker could create a different document with the same hash as the one you signed, your signature would validate a document you never approved. SHA-256 is the minimum standard for digital signatures. MD5 must never be used.
Content Addressing
Systems like Git, IPFS, and Docker use hashes as content identifiers. The hash of a piece of content becomes its address. This ensures content integrity by design — if the content changes, the address changes.
Git historically used SHA-1 and is migrating to SHA-256. IPFS uses SHA-256 by default. These systems require collision resistance because an attacker who could create colliding content could potentially substitute malicious code.
Encoding and Data Transformation
Hash generation often goes hand-in-hand with other data transformation tasks. If you're working with hashes, you may also need to encode or decode data in formats like Base64, URL encoding, or hex — common when transmitting hashes in URLs, APIs, or configuration files. Similarly, generating UUIDs alongside hashes is common in systems that need both unique identifiers and integrity verification.
Beyond MD5 and SHA-256
The hash algorithm landscape extends beyond these two:
SHA-1 — 160-bit output. Broken for collision resistance since 2017 (Google's SHAttered attack). Deprecated for security use but still present in legacy systems. Git is the most prominent user still transitioning away.
SHA-384 and SHA-512 — Larger variants of the SHA-2 family. SHA-512 is actually faster than SHA-256 on 64-bit processors because its internal operations are native 64-bit. Used when 256 bits feels insufficient (it isn't for any practical purpose, but compliance requirements sometimes mandate larger hashes).
SHA-3 (Keccak) — A completely different design from SHA-2, selected through a public competition by NIST in 2012. Provides an alternative if SHA-2 is ever broken, since a flaw in SHA-2's design wouldn't affect SHA-3. Not widely adopted yet because SHA-2 remains secure.
BLAKE2 and BLAKE3 — Modern hash functions designed for speed. BLAKE3 is significantly faster than SHA-256 while maintaining equivalent security properties. Increasingly popular in newer systems but not yet as universally supported as SHA-256.
Choosing the Right Hash Algorithm
Here's a practical decision framework:
Use MD5 when:
- You need a quick checksum for non-adversarial integrity checking
- You're interfacing with a legacy system that only supports MD5
- Performance at extreme scale matters more than collision resistance
- The hash is not used for any security purpose
Use SHA-256 when:
- Security matters at all
- You're verifying file integrity in an adversarial context
- Compliance standards require it (NIST, PCI DSS, HIPAA)
- You're implementing digital signatures or certificates
- You're building a new system and have free choice (SHA-256 should be the default)
Use a specialized algorithm when:
- Hashing passwords (use Argon2, bcrypt, or scrypt)
- Maximum speed is required with modern security (consider BLAKE3)
- You need a MAC/authentication code (use HMAC-SHA256)
Frequently Asked Questions
Can you "decrypt" a hash to get the original input?
No. Hash functions are one-way by design. There is no mathematical operation that reverses a hash. Attackers use brute force (trying every possible input) or rainbow tables (precomputed hash-to-input mappings) to find inputs that produce a known hash — but this isn't decryption, it's guessing.
Is SHA-256 "twice as secure" as SHA-128 would be?
Security doesn't scale linearly with bit length. Each additional bit doubles the number of possible hash values. SHA-256 has 2^128 times more possible outputs than a hypothetical SHA-128 (which doesn't exist, but for illustration). That's not twice as many — it's 340 undecillion times as many.
Will quantum computers break SHA-256?
Grover's algorithm would reduce SHA-256's effective security from 256 bits to 128 bits against pre-image attacks. This is still considered secure. Quantum computers pose a much more serious threat to asymmetric encryption (RSA, ECC) than to hash functions.
Why do some websites still use MD5?
Inertia. MD5 is deeply embedded in legacy systems, protocols, and codebases. Migrating away from MD5 requires updating databases, changing APIs, and potentially breaking backward compatibility. Many organizations prioritize new MD5-free implementations while slowly phasing out legacy uses.
Is it safe to hash sensitive files using an online tool?
Only if the tool processes your file locally. Cloud-based hash generators require you to upload the file you want to hash — which defeats the purpose if you're hashing it for integrity verification of sensitive content. FileMuncher's Hash Generator runs entirely in your browser, so your file never leaves your device.
Need to generate a hash? Try FileMuncher's Hash Generator — supports MD5, SHA-1, SHA-256, and SHA-512, all processed locally in your browser.