Understanding Hash Functions: MD5, SHA, and Security Best Practices

TL;DR

Hash functions convert data of any size into a fixed-size string (digest). MD5 (128-bit) and SHA-1 (160-bit) are deprecated for security but still used for checksums. SHA-256 (256-bit) and SHA-512 (512-bit) are current standards. Use SHA-256+ for security-sensitive applications; MD5/SHA-1 only for non-security checksums. For passwords, use specialized algorithms like bcrypt or Argon2, not plain hashes. Key Facts:

MD5 produces a 32-character hex string (128 bits)
SHA-256 produces a 64-character hex string (256 bits)
Collision attacks make MD5 and SHA-1 unsuitable for security
Hashing is one-way; you cannot "decrypt" a hash

---

What is a Hash Function?

A cryptographic hash function is a mathematical algorithm that takes input data of any size and produces a fixed-size output (called a digest, hash, or checksum). Hash functions have these properties:

Core Properties

Property	Description
Deterministic	Same input always produces same output
Fixed output	Output size is constant regardless of input size
One-way	Cannot reverse the hash to get original data
Avalanche effect	Small input change = completely different output
Collision resistant	Hard to find two inputs with same hash

Example

Input: "Hello" MD5: 8b1a9953c4611296a827abf8c47804d7 Input: "hello" (lowercase h) MD5: 5d41402abc4b2a76b9719d911017c592

One character change = completely different hash

Generate hashes: Free Hash Generator →

---

Common Hash Algorithms

MD5 (Message Digest 5)

Specification	Value
Output size	128 bits (32 hex chars)
Created	1991
Status	Deprecated for security
Speed	Very fast

Example: d41d8cd98f00b204e9800998ecf8427e (empty string) Use cases today:

File integrity checksums (non-security)
Cache keys
Deduplication

DO NOT use for: Password storage, digital signatures, security certificates.

SHA-1 (Secure Hash Algorithm 1)

Specification	Value
Output size	160 bits (40 hex chars)
Created	1995
Status	Deprecated for security
Speed	Fast

Example: da39a3ee5e6b4b0d3255bfef95601890afd80709 (empty string)

SHA-1 collision was demonstrated in 2017 (SHAttered attack). Major browsers and CAs have deprecated SHA-1 certificates.

SHA-256 (SHA-2 Family)

Specification	Value
Output size	256 bits (64 hex chars)
Created	2001
Status	Current standard
Speed	Moderate

Example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (empty string) Use cases:

SSL/TLS certificates
Code signing
Blockchain (Bitcoin)
File verification
Digital signatures

SHA-512 (SHA-2 Family)

Specification	Value
Output size	512 bits (128 hex chars)
Created	2001
Status	Current standard
Speed	Faster than SHA-256 on 64-bit systems

Use cases:

High-security applications
When longer hash is preferred
64-bit optimized systems

SHA-3 (Keccak)

Specification	Value
Output size	224/256/384/512 bits
Created	2015
Status	Latest standard
Speed	Comparable to SHA-2

SHA-3 uses a completely different internal structure (sponge construction) than SHA-2. It's a backup if SHA-2 is ever compromised.

---

Comparison Table

Algorithm	Output Size	Security	Speed	Use Case
MD5	128 bits	Broken	Fastest	Checksums only
SHA-1	160 bits	Broken	Fast	Legacy systems
SHA-256	256 bits	Secure	Moderate	General security
SHA-512	512 bits	Secure	Fast (64-bit)	High security
SHA-3	Variable	Secure	Moderate	Future-proofing

---

Practical Use Cases

1. File Integrity Verification

When downloading software, verify the file wasn't corrupted or tampered with:

Linux/Mac
sha256sum ubuntu.iso
Compare with published hash on website

Windows (PowerShell)
Get-FileHash ubuntu.iso -Algorithm SHA256

2. Data Deduplication

// Hash file contents to detect duplicates
const hash1 = sha256(file1Contents);
const hash2 = sha256(file2Contents);
if (hash1 === hash2) {
  console.log('Files are identical');
}

3. Cache Keys

// Generate cache key from request parameters
const cacheKey = md5(JSON.stringify(requestParams));
const cached = cache.get(cacheKey);

4. Commit Identifiers (Git)

Git uses SHA-1 for commit hashes:

commit a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0

5. Blockchain

Bitcoin uses double SHA-256 for mining and block verification:

blockHash = SHA256(SHA256(blockHeader))

---

Password Hashing: Special Considerations

Why Plain Hashes Are NOT Enough

Password: "password123" SHA-256: ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

Problem: Same password = same hash Attackers use precomputed "rainbow tables" to crack common passwords

What to Use Instead

Algorithm	Purpose	Notes
bcrypt	Password hashing	Built-in salt, adjustable cost
Argon2	Password hashing	Winner of PHC, memory-hard
scrypt	Password hashing	Memory-hard
PBKDF2	Key derivation	Older but widely supported

Key features for password hashing:

Salt - Random data added to prevent rainbow tables
Cost factor - Adjustable slowness to resist brute force
Memory hardness - Requires significant RAM (Argon2, scrypt)

Example with bcrypt

const bcrypt = require('bcrypt');
// Hashing a password
const password = 'userPassword123';
const saltRounds = 10;
const hash = await bcrypt.hash(password, saltRounds);
// Result: $2b$10$N9qo8uLOickgx2ZMRZoMye...// Verifying a password
const isMatch = await bcrypt.compare(password, hash);

---

Security Best Practices

DO:

Use SHA-256 or SHA-512 for general cryptographic purposes
Use bcrypt/Argon2 for password storage
Use HMAC when you need keyed hashing
Verify file hashes before running downloaded software
Keep updated on algorithm deprecations

DON'T:

Don't use MD5/SHA-1 for security-sensitive applications
Don't store plain hashes of passwords
Don't create your own hash functions
Don't assume hashing = encryption (hashing is one-way)
Don't ignore salt when hashing passwords

---

Hashing in Code

JavaScript (Browser)

async function sha256(message) {
  const msgBuffer = new TextEncoder().encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}const hash = await sha256('Hello World');
// "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"

Node.js

const crypto = require('crypto');const hash = crypto.createHash('sha256')
  .update('Hello World')
  .digest('hex');

Python

import hashlibhash = hashlib.sha256(b'Hello World').hexdigest()

PHP

$hash = hash('sha256', 'Hello World');

---

HMAC: Keyed Hashing

HMAC (Hash-based Message Authentication Code) adds a secret key to the hashing process, providing both integrity and authentication.

const crypto = require('crypto');const hmac = crypto.createHmac('sha256', 'secretKey')
  .update('message')
  .digest('hex');

Use HMAC when:

Verifying API requests
Creating secure tokens
Message authentication
Webhook signatures

---

Hash Collisions Explained

A collision occurs when two different inputs produce the same hash output.

MD5 Collision Example

Researchers have created two different PDF files with identical MD5 hashes. This is why MD5 cannot be trusted for security.

Collision Resistance Levels

Algorithm	Collision Found?	Year
MD5	Yes	2004
SHA-1	Yes	2017
SHA-256	No	-
SHA-512	No	-

---

Quick Reference

When to Use Each Algorithm

Scenario	Recommended
File checksums (non-security)	MD5 or SHA-256
Software verification	SHA-256
Password storage	bcrypt or Argon2
API authentication	HMAC-SHA256
SSL/TLS certificates	SHA-256+
Blockchain/crypto	SHA-256 or SHA-3
Git commits	SHA-1 (legacy)

Free Tools

Generate and verify hashes instantly:

Hash Generator → - MD5, SHA-1, SHA-256, SHA-512
Password Generator → - Create strong passwords

---

Conclusion

Hash functions are fundamental to modern security and data integrity. While MD5 and SHA-1 served us well historically, they should only be used for non-security purposes today. For any security-sensitive application, use SHA-256 or stronger. For passwords specifically, always use specialized algorithms like bcrypt or Argon2. Key takeaways:

Hashing is one-way - you cannot "unhash"
MD5/SHA-1 are broken for security
SHA-256 is the current standard
Use bcrypt/Argon2 for passwords, not plain hashes
Always verify downloaded files with their published hashes

Generate hashes now: Hash Generator →

Understanding Hash Functions: MD5, SHA, and Security Best Practices

Understanding Hash Functions: MD5, SHA, and Security Best Practices

TL;DR

What is a Hash Function?

Core Properties

Example

Common Hash Algorithms

MD5 (Message Digest 5)

SHA-1 (Secure Hash Algorithm 1)

SHA-256 (SHA-2 Family)

SHA-512 (SHA-2 Family)

SHA-3 (Keccak)

Comparison Table

Practical Use Cases

1. File Integrity Verification

Linux/Mac

Compare with published hash on website

Windows (PowerShell)

2. Data Deduplication

3. Cache Keys

4. Commit Identifiers (Git)

5. Blockchain

Password Hashing: Special Considerations

Why Plain Hashes Are NOT Enough

What to Use Instead

Example with bcrypt

Security Best Practices

DO:

DON'T:

Hashing in Code

JavaScript (Browser)

Node.js

Python

PHP

HMAC: Keyed Hashing

Hash Collisions Explained

MD5 Collision Example

Collision Resistance Levels

Quick Reference

When to Use Each Algorithm

Free Tools

Conclusion

Related Articles