Hashing is the process of taking an input (like a password or a file) and turning it into a fixed-size string of characters. It's a one-way street: you can turn a steak into ground beef, but you can't turn ground beef back into a steak.

Cryptography relies on this "one-way" property. If I give you the hash, you shouldn't be able to recover the original password from it.

1. The Fallen Hero: MD5

Message Digest algorithm 5 (MD5) was once the standard. It's fast—too fast.

The problem: Collisions.

A collision occurs when two different inputs produce the exact same hash. Researchers have found ways to generate two completely different PDF files that have the same MD5 hash. This means an attacker could trick your system into accepting a malicious file by making it look like a safe one.

Verdict: Never use MD5 for security. Use it only for non-critical checksums (like verifying a file download wasn't corrupted).

2. The Retired Veteran: SHA-1

SHA-1 (Secure Hash Algorithm 1) replaced MD5. But, like its predecessor, it fell victim to increased computing power. In 2017, Google announced the first practical collision attack against SHA-1.

Verdict: Do not use for new applications. Browsers stopped accepting SHA-1 SSL certificates years ago.

3. The Current Standard: SHA-256

SHA-256 (part of the SHA-2 family) is the current gold standard. It produces a 256-bit hash, and unlike MD5 and SHA-1 it has no known practical collision attack, which puts it far out of reach of the techniques that broke those two.

It is used by:

  • Bitcoin: mining and transaction verification.
  • SSL/TLS: securing HTTPS connections.
  • Digital Signatures: verifying software updates.

4. Passwords are Special

Even a strong hash like SHA-256 is fast. A modern GPU can calculate billions of SHA-256 hashes per second. This is bad for passwords.

If an attacker steals your database of hashed passwords, they can use a precomputed "Rainbow Table" to recover millions of passwords almost instantly, because an unsalted hash of a given password is identical in every database.

The Fix: Salt + Slow Hashing.

A salt is a random value stored alongside each hash; it makes two users with the same password hash differently, so precomputed tables are useless. For the slow part, use algorithms designed to be slow, like Argon2, bcrypt, or PBKDF2. These force the computer to do extra work (a tunable cost, such as thousands of iterations) for each guess, making brute-force attacks impractical.
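As an added example (not code from the original post), here is the contrast in Python using only the standard library: unsalted SHA-256 falls to a tiny precomputed table, while salted PBKDF2-HMAC-SHA256 (one of the slow algorithms named above) does not. The salt size and iteration count are assumptions for the example, not values from the post.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example, not values from the article:
# a 16-byte random salt and 600,000 PBKDF2-HMAC-SHA256 rounds.
SALT_BYTES = 16
ITERATIONS = 600_000


def fast_hash(password):
    """Unsalted SHA-256: fast and deterministic, so every user with the same
    password gets the same digest and one precomputed table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_with_table(stored_hashes, wordlist):
    """A miniature precomputed table: hash each candidate once, then recover
    every unsalted hash in the dump with a dictionary lookup (no brute force)."""
    table = {fast_hash(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(password, iterations=ITERATIONS):
    """Salt + slow hashing. A fresh random salt makes identical passwords hash
    differently (defeating precomputed tables); the iteration count makes each
    guess cost hundreds of thousands of SHA-256 computations instead of one."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the parameters next to the hash so they can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the comparison itself does not leak which bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never a match
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)
```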

Conclusion

If you're verifying a file, use SHA-256. If you're storing a password, use bcrypt. If you're using MD5... please stop.

Want to see what these hashes look like? Try our Hash Generator tool.