100% Private

Hash Functions Explained: MD5, SHA-256, SHA-512 for Developers

A complete guide to cryptographic hash functions covering how they work, when to use each algorithm, security considerations, and practical implementation examples.

What Are Hash Functions?

A hash function is a mathematical algorithm that takes input data of any size and produces a fixed-size output (the "hash" or "digest"). Think of it as a fingerprint for data.

Key Characteristics

  • Deterministic: Same input always produces same output
  • Fixed length: Output size is constant regardless of input size
  • One-way: Cannot reverse the hash to find the original input
  • Unique: Different inputs should produce different outputs
  • Fast: Computing the hash is quick

Simple Example

Input: "Hello"
SHA-256: 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Input: "Hello!"
SHA-256: 334d016f755cd6dc58c53a86e183882f8ec14f52fb05345887c8a5edd42c87b7

// One character change = completely different hash

Properties of Good Hash Functions

1. Pre-image Resistance

Given a hash H, it should be computationally infeasible to find any input m that produces H.

// Given only this hash:
7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069

// It's impossible to figure out the original was "Hello World"

2. Second Pre-image Resistance

Given an input m1, it should be infeasible to find another input m2 that produces the same hash.

3. Collision Resistance

It should be infeasible to find any two different inputs that produce the same hash.

// This should never happen (but does for MD5 and SHA-1):
hash("input A") === hash("input B")
where "input A" !== "input B"

4. Avalanche Effect

Small changes in input should cause dramatic changes in output:

MD5("The quick brown fox") = 9e107d9d372bb6826bd81d3542a419d6
MD5("The quick brown Fox") = 71a55abcb2fc48e8d92c5a24d6f97f4c

// One capital letter changed 50% of the hash digits

Common Hash Algorithms

MD5 (Message Digest 5)

Output size128 bits (32 hex characters)
Created1991
StatusBroken - Do not use for security
SpeedVery fast

Use for: Checksums, non-security fingerprints, legacy systems

Don't use for: Passwords, digital signatures, security applications

Generate MD5 hashes with our MD5 Generator.

SHA-1 (Secure Hash Algorithm 1)

Output size160 bits (40 hex characters)
Created1995
StatusDeprecated - Known collision attacks
SpeedFast

Use for: Git commits (transitioning to SHA-256), legacy compatibility

Don't use for: New security applications

Generate SHA-1 hashes with our SHA-1 Generator.

SHA-256 (SHA-2 Family)

Output size256 bits (64 hex characters)
Created2001
StatusSecure - Recommended
SpeedModerate

Use for: Digital signatures, certificates, Bitcoin, file integrity

Recommended for: Most security applications

Generate SHA-256 hashes with our SHA-256 Generator.

SHA-512 (SHA-2 Family)

Output size512 bits (128 hex characters)
Created2001
StatusSecure - Maximum security
SpeedFaster on 64-bit systems than SHA-256

Use for: High-security applications, when SHA-256 isn't enough

Generate SHA-512 hashes with our SHA-512 Generator.

Algorithm Comparison

AlgorithmOutputSecuritySpeedUse Case
MD5128 bitBrokenFastestChecksums only
SHA-1160 bitWeakFastLegacy systems
SHA-256256 bitStrongModerateGeneral security
SHA-512512 bitVery StrongFast (64-bit)High security

Use Cases

1. File Integrity Verification

Verify downloaded files haven't been corrupted or tampered with:

# Download page shows:
SHA-256: 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069

# After download, verify:
sha256sum downloaded-file.zip
# Should match the published hash

2. Password Storage

Store password hashes instead of plain passwords:

// Don't store: "mypassword123"
// Store: hash("mypassword123" + salt)

// Note: For passwords, use specialized functions like bcrypt, Argon2

3. Data Deduplication

Identify duplicate files by comparing hashes:

files = [file1, file2, file3, file4]
hashes = {}

for file in files:
    h = sha256(file.content)
    if h in hashes:
        print(f"{file.name} is duplicate of {hashes[h]}")
    else:
        hashes[h] = file.name

4. Digital Signatures

Hash the document, then sign the hash with a private key:

document_hash = sha256(document)
signature = sign(document_hash, private_key)

// Recipient verifies:
calculated_hash = sha256(received_document)
is_valid = verify(signature, calculated_hash, public_key)

5. Data Structures

  • Hash tables: Fast key-value lookups
  • Bloom filters: Probabilistic set membership
  • Merkle trees: Efficient data verification (used in blockchain)

6. Version Control

Git uses SHA-1 (moving to SHA-256) to identify commits:

commit a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
Author: Developer 
Date:   Mon Dec 1 10:00:00 2024

    Add new feature

Security Considerations

Hash Collisions

A collision occurs when two different inputs produce the same hash.

  • MD5: Practical collisions demonstrated in 2004. Can create colliding files in seconds.
  • SHA-1: First collision demonstrated in 2017 by Google ("SHAttered"). Cost: ~$100K in compute.
  • SHA-256: No known practical collisions. Theoretically possible but computationally infeasible.

Rainbow Tables

Precomputed tables of hash→input mappings for common passwords. Defense: use salts.

// Without salt - vulnerable to rainbow tables
hash("password123") → lookup in rainbow table → found!

// With salt - rainbow tables useless
hash("password123" + "x7Km9pQ2") → not in any rainbow table

Password Hashing

Don't use raw SHA-256 for passwords. Use specialized password hashing functions:

FunctionStatusNotes
Argon2RecommendedWinner of Password Hashing Competition
bcryptGoodWidely supported, battle-tested
scryptGoodMemory-hard, good for cryptocurrency
PBKDF2AcceptableUse high iteration count
SHA-256Bad for passwordsToo fast, no salt by default
MD5Never useBroken, too fast

Implementation Examples

JavaScript (Browser)

async function sha256(message) {
  const msgBuffer = new TextEncoder().encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}

// Usage
const hash = await sha256('Hello, World!');
console.log(hash);

Node.js

const crypto = require('crypto');

function sha256(data) {
  return crypto.createHash('sha256').update(data).digest('hex');
}

function sha512(data) {
  return crypto.createHash('sha512').update(data).digest('hex');
}

// File hash
const fs = require('fs');
function hashFile(path) {
  const fileBuffer = fs.readFileSync(path);
  return crypto.createHash('sha256').update(fileBuffer).digest('hex');
}

Python

import hashlib

def sha256(data):
    return hashlib.sha256(data.encode()).hexdigest()

def hash_file(filepath):
    sha256_hash = hashlib.sha256()
    with open(filepath, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            sha256_hash.update(chunk)
    return sha256_hash.hexdigest()

Command Line

# macOS / Linux
echo -n "Hello" | sha256sum
sha256sum filename.txt

# Windows PowerShell
Get-FileHash filename.txt -Algorithm SHA256

Tools and Resources

MD5 Generator

Generate MD5 hashes for checksums.

Generate MD5
SHA-256 Generator

Generate secure SHA-256 hashes.

Generate SHA-256
SHA-512 Generator

Generate maximum-security SHA-512 hashes.

Generate SHA-512
SHA-1 Generator

Generate SHA-1 hashes for legacy use.

Generate SHA-1

Quick Reference

Which Hash to Use?
  • General security: SHA-256
  • Maximum security: SHA-512
  • Checksums only: MD5 (fast)
  • Passwords: Argon2 or bcrypt
Never Use For Security
  • MD5 (broken since 2004)
  • SHA-1 (broken since 2017)
  • CRC32 (not cryptographic)
  • Custom hash functions

Last updated: December 2024

All hash generators on ToolsDock use your browser's Web Crypto API. Your data never leaves your device.

Privacy Notice: This site works entirely in your browser. We don't collect or store your data. Optional analytics help us improve the site. You can deny without affecting functionality.