Cryptographic Hash Functions Explained: SHA-256, MD5 & More

Understanding hash functions, their properties, and when to use different algorithms.


What is a Hash Function?

A hash function takes input data of any size and produces a fixed-size output (the "hash" or "digest").

Key Properties

  • Deterministic: The same input always produces the same output
  • Fast: Quick to compute for any input size
  • One-way: Cannot reverse a hash to get the input
  • Collision-resistant: Hard to find two inputs with the same hash
  • Avalanche effect: A small input change produces a completely different hash

Common Algorithms

Algorithm | Output Size | Status
MD5       | 128 bits    | ❌ Broken
SHA-1     | 160 bits    | ❌ Broken
SHA-256   | 256 bits    | ✅ Secure
SHA-384   | 384 bits    | ✅ Secure
SHA-512   | 512 bits    | ✅ Secure
SHA-3     | Variable    | ✅ Secure
BLAKE3    | Variable    | ✅ Secure, Fast

Example: SHA-256

Input: "Hello"
SHA-256: 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Input: "hello" (just lowercase)
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Completely different output!

Use Cases

Use Case           | Recommended
Password storage   | bcrypt, Argon2 (NOT raw SHA)
File integrity     | SHA-256
Digital signatures | SHA-256 or SHA-3
Hash tables        | Non-crypto (MurmurHash)
Checksums          | SHA-256 or BLAKE3
Git commits        | SHA-1 (legacy) → SHA-256
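
The file-integrity use case and the avalanche effect from the SHA-256 example, as an added Python sketch that is not part of the original article. The function names are hypothetical; the two digests are the ones quoted above, and the streams are constructed in-memory stand-ins for a downloaded file.

```python
import hashlib
import hmac
import io

def sha256_stream(stream, chunk_size=64 * 1024):
    """Hash a binary stream chunk by chunk, so large files never sit fully in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()

def verify(stream, published_hex):
    """Return True only if the stream's SHA-256 equals the published digest."""
    expected = published_hex.strip().lower()  # tolerate case and stray whitespace
    if len(expected) != 64:                   # truncated or padded digest: reject
        return False
    actual = sha256_stream(stream)
    # Constant-time comparison gives no timing hint about where a mismatch occurs.
    return hmac.compare_digest(actual.encode(), expected.encode())

def differing_bits(hex_a, hex_b):
    """Count the bit positions in which two hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

# Digests quoted in the SHA-256 example on this page.
HELLO_UPPER = "185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"
HELLO_LOWER = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

if __name__ == "__main__":
    # Constructed sample data standing in for a downloaded file.
    print(verify(io.BytesIO(b"Hello"), HELLO_UPPER))   # intact content
    print(verify(io.BytesIO(b"hello"), HELLO_UPPER))   # one character changed
    print(differing_bits(HELLO_UPPER, HELLO_LOWER), "of 256 bits differ")
```

A digest check only proves integrity if the published digest arrives over a channel the attacker cannot also modify; a hash served next to the file on the same compromised host detects corruption, not tampering.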

Frequently Asked Questions

Common questions about this topic

Cryptographic hash functions have specific security properties: pre-image resistance (given a hash, can't find an input that produces it), second pre-image resistance (given an input, can't find a different input with the same hash), and collision resistance (can't find any two inputs with the same hash). Regular hash functions (such as those used for hash tables) don't need these properties.

MD5 is cryptographically broken - collisions can be generated quickly. Never use it for security (passwords, signatures, certificates). It's acceptable only for non-security checksums like detecting accidental corruption, but SHA-256 is preferred even for that.

A collision occurs when two different inputs produce the same hash output. Since hash outputs are fixed-size and inputs are unlimited, collisions must exist (pigeonhole principle). Cryptographic hashes make finding collisions computationally infeasible - but MD5 and SHA-1 have been broken.