MD5, SHA-1, SHA-256: What Hash Functions Do and Which One to Use
Hash functions are everywhere in software: they are used to verify file downloads, store passwords, build digital signatures, and run blockchains. But not all hash functions are created equal. Here is what you need to know.
What Makes a Good Hash Function
A cryptographic hash takes any input and produces a fixed-size output (the hash). Good hashes have three properties: they are one-way (the input cannot be recovered from the hash), collision-resistant (it should be infeasible to find two inputs that produce the same hash), and show the avalanche effect (a small change to the input produces a completely different hash).
Algorithm Rundown
MD5 (128-bit): Broken. Collisions can be generated in seconds. Only use for non-security checksums like verifying a download completed without corruption.
SHA-1 (160-bit): Deprecated. Google demonstrated a practical collision attack in 2017. Migrate away if you are still using it.
SHA-256 (256-bit): Current standard. Used by Bitcoin, TLS certificates, and most modern systems. No known practical attacks.
SHA-512 (512-bit): Higher security margin. Slightly slower but preferred for long-term security.
Important: Hashing Is Not Password Storage
Plain SHA-256 is not suitable for password storage because it is fast — attackers can try billions of guesses per second. Use bcrypt, Argon2, or PBKDF2 with proper salting for passwords. These are intentionally slow to resist brute-force attacks.
This article was written by UnTrackedTools founder Alex Chen, based on real software security practices.