Hash Functions Explained: MD5, SHA, and More
Understanding hash functions: how they work, different algorithms, security considerations, and practical applications.
By Tools View Team
Hash functions are fundamental to modern security. Understand how they work and when to use each one.
What is a Hash?
A hash function takes input data (any size) and produces a fixed-size string (the hash):
Input: "Hello World"
Hash (SHA-256): a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
Properties of Secure Hashes
- Deterministic - Same input always produces same hash
- Fast - Quick to compute
- Avalanche Effect - Tiny change produces completely different hash
- One-way - Can't reverse engineer input from hash
- Collision Resistant - Nearly impossible to find two inputs with same hash
Common Hash Algorithms
MD5 (Not Secure)
- Output: 128-bit (32 hex characters)
- Speed: Very fast
- Security: Broken - do not use for security
- Use case: Legacy systems only
SHA-1 (Deprecated)
- Output: 160-bit (40 hex characters)
- Speed: Fast
- Security: Deprecated - vulnerabilities found
- Use case: Avoid, use SHA-256 instead
SHA-256 (Recommended)
- Output: 256-bit (64 hex characters)
- Speed: Good
- Security: Strong - current standard
- Use case: Passwords (never as a plain hash; see Password Hashing below), checksums, blockchain
SHA-512 (Most Secure)
- Output: 512-bit (128 hex characters)
- Speed: Slightly slower
- Security: Very strong
- Use case: High-security applications
Comparison
| Algorithm | Output | Security | Speed | Best For |
|---|---|---|---|---|
| MD5 | 128-bit | Broken | Very Fast | Legacy only |
| SHA-1 | 160-bit | Deprecated | Fast | Legacy only |
| SHA-256 | 256-bit | Good | Good | General use |
| SHA-512 | 512-bit | Excellent | Good | High security |
Use Cases
1. Password Hashing
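// NEVER store passwords as plain SHA-256
// ALWAYS use bcrypt or scrypt
const bcrypt = require('bcrypt'); // npm package "bcrypt"

async function hashPassword(password) {
  // Cost factor 10; bcrypt generates a random salt and embeds it in the result
  return bcrypt.hash(password, 10);
}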
2. File Integrity
Original file: data.zip
SHA-256: abc123...
Downloaded file SHA-256: abc123...
File intact - hashes match
3. Data Deduplication
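const crypto = require('crypto');
const files = {}; // maps SHA-256 hex digest -> file content

// Store files by hash
function storeFile(fileContent) {
  const fileHash = crypto.createHash('sha256').update(fileContent).digest('hex');
  if (fileHash in files) {
    // File already exists - don't store again
  } else {
    // New file - store it
    files[fileHash] = fileContent;
  }
  return fileHash;
}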
4. API Signatures
Authorization: signature=sha256(request_body + secret)
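An added example (not from the original article) of the request-signing idea above, using HMAC-SHA256, the standard keyed-hash construction, instead of hashing the body and secret concatenated. It goes one step beyond the line above by binding a timestamp into the signature and comparing in constant time; the secret, the 300-second window and the function names are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Constructed sample values for this example; not real credentials.
const SECRET = 'demo-shared-secret';
const MAX_SKEW_SECONDS = 300; // assumed freshness window for a signed request

// Client side: sign the timestamp and body together, so a valid signature
// cannot be reused with a different body or a different timestamp.
function signRequest(body, timestamp, secret) {
  return createHmac('sha256', secret)
    .update(`${timestamp}.${body}`)
    .digest('hex');
}

// Server side: recompute the signature and accept only a fresh, exact match.
// `now` is passed in (seconds since epoch) so the check is testable.
function verifyRequest(body, timestamp, signature, secret, now) {
  // Reject missing, non-integer or stale timestamps before doing any crypto.
  if (!Number.isInteger(timestamp)) return false;
  if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return false;

  const expected = Buffer.from(signRequest(body, timestamp, secret), 'hex');
  // Invalid hex decodes to a shorter buffer, which fails the length check.
  const given = Buffer.from(String(signature), 'hex');

  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}

// Constructed request used to exercise both sides.
function demo() {
  const body = '{"amount":10}';
  const ts = 1700000000;
  const sig = signRequest(body, ts, SECRET);
  return {
    valid: verifyRequest(body, ts, sig, SECRET, ts + 5),
    tamperedBody: verifyRequest('{"amount":99}', ts, sig, SECRET, ts + 5),
    stale: verifyRequest(body, ts, sig, SECRET, ts + 301),
    malformed: verifyRequest(body, ts, 'not-hex', SECRET, ts + 5),
  };
}

console.log(demo());
```

The header would then carry both values the server needs, for example the timestamp alongside the hex signature.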
Common Mistakes
Mistake 1: Using MD5 for Security
// Don't do this
password_hash = md5(password);
Mistake 2: Not Using Salt for Passwords
// Wrong
hash = sha256(password);
// Right
hash = bcrypt.hash(password, salt);
Mistake 3: Using Hash Instead of Encryption
Hashing ≠ Encryption
Hashing: one-way, good for verification
Encryption: two-way, good for secrecy
Hash vs. Encryption
| Property | Hash | Encryption |
|---|---|---|
| Reversible | No | Yes |
| Use case | Verification | Secrecy |
| Password storage | Yes | No |
| API keys | No | Yes |
Practical Examples
JavaScript
const crypto = require('crypto');
const hash = crypto.createHash('sha256')
  .update('Hello World')
  .digest('hex');
Python
import hashlib
hash = hashlib.sha256(b'Hello World').hexdigest()
Summary
- Use SHA-256 for most applications
- Use bcrypt for passwords
- Avoid MD5 and SHA-1
- Never assume hashing = security
- Always combine with proper practices
Generate hashes instantly with our Hash Generator tool.