Hash Functions Explained: From MD5 to SHA-256 and Beyond

A hash function transforms input of arbitrary size into a fixed-size output. Cryptographic hash functions add security properties: preimage resistance (cannot reverse a hash), second preimage resistance (cannot find different input with same hash), collision resistance (cannot find any two inputs with same hash), and the avalanche effect (1-bit input change flips ~50% of output bits).

MD5 produces 128-bit hashes and is now cryptographically broken since 2004. Collisions can be generated in seconds on ordinary hardware. SHA-1 (160-bit) was broken in 2017 by Google/CWI. SHA-256 (256-bit) is the current industry standard with no practical attacks demonstrated; it requires approximately 2^128 operations to find a collision. SHA-512 is actually faster on 64-bit processors. SHA-3 (Keccak) uses a different internal structure as a backup to SHA-2.

For password hashing, general-purpose hashes are too fast (billions of guesses per second on GPUs). Use bcrypt (configurable work factor, ~250ms per hash at cost 12) or Argon2id (winner of Password Hashing Competition, configurable time/memory/parallelism costs, requires significant RAM making GPU attacks expensive). Never use MD5, SHA-1, or SHA-256 for passwords. HMAC combines hashes with secret keys for message authentication. Use our Hash Generator tool to compute hashes for verification purposes.