
MD5 vs SHA-256: Which Hashing Algorithm Should You Use?

A clear comparison of MD5 and SHA-256 hashing algorithms — how they work, key differences, security status, and when to use each in modern applications.

Estimated reading time: 7 minutes

MD5 and SHA-256 are both cryptographic hash functions, but they serve very different purposes in modern applications. One is essentially retired for security purposes; the other remains one of the most widely used algorithms in the world. Understanding the difference — and knowing when to use neither — is fundamental security knowledge for every developer.

> Quick tool: Generate MD5 or SHA-256 hashes instantly with our free [MD5 Generator](/tools/md5-generator) — runs entirely in your browser, no data stored.

What is a Hash Function?

A cryptographic hash function takes an input of any size and produces a fixed-size output (called a hash, digest, or checksum) with four important properties:

  • Deterministic: The same input always produces the same hash.
  • One-way: Given a hash, it is computationally infeasible to determine the original input.
  • Avalanche effect: A tiny change to the input produces a completely different hash.
  • Collision resistant: It should be computationally infeasible to find two different inputs that produce the same hash.

These properties make hash functions useful for verifying data integrity, storing passwords, digital signatures, and many other security applications.
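
The determinism and avalanche properties can be measured directly. The following is an added example, not code from the original article: it flips each bit of an input in turn and reports what fraction of the digest bits change on average. The function names `digest`, `bitDifference` and `avalancheRatio` are illustrative.

```javascript
const crypto = require('crypto')

// Raw digest (Buffer) of a string or Buffer under the named algorithm.
function digest(algorithm, data) {
  return crypto.createHash(algorithm).update(data).digest()
}

// Number of bit positions in which two equal-length digests differ.
function bitDifference(a, b) {
  let count = 0
  for (let i = 0; i < a.length; i++) {
    let x = a[i] ^ b[i]
    while (x) { count += x & 1; x >>= 1 }
  }
  return count
}

// Flip every single input bit in turn and return the average fraction of
// digest bits that change. An ideal hash gives a value close to 0.5.
function avalancheRatio(algorithm, input) {
  const original = Buffer.from(input)
  const baseline = digest(algorithm, original)
  const inputBits = original.length * 8
  let total = 0
  for (let bit = 0; bit < inputBits; bit++) {
    const mutated = Buffer.from(original)   // copy, then flip one bit
    mutated[bit >> 3] ^= 1 << (bit & 7)
    total += bitDifference(baseline, digest(algorithm, mutated))
  }
  return total / (inputBits * baseline.length * 8)
}

const sample = 'Hello, World!' // the input used for the MD5 example in this article
console.log('md5     :', digest('md5', sample).toString('hex'))
console.log('sha256  :', digest('sha256', sample).toString('hex'))
console.log('avalanche md5   :', avalancheRatio('md5', sample).toFixed(3))
console.log('avalanche sha256:', avalancheRatio('sha256', sample).toFixed(3))
```

Both ratios come out close to 0.5. MD5's collision weakness does not show up in a statistical check like this one, which is why avalanche behaviour alone says nothing about whether a hash is safe to use.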

MD5: Overview


MD5 (Message Digest 5) was designed by Ronald Rivest in 1991. It produces a 128-bit hash, typically displayed as 32 hexadecimal characters.

Example: The string "Hello, World!" produces the MD5 hash 65a8e27d8879283831b664bd8b7f0ad4. You can verify this with our [MD5 Generator](/tools/md5-generator).

MD5 is fast — very fast. It can hash billions of values per second on modern hardware. This speed was originally a feature but is now primarily a liability for security applications.

MD5 is cryptographically broken. Researchers demonstrated practical collision attacks against MD5 in 2004. By 2008, attacks had advanced to the point where MD5 could no longer be trusted for any security-critical application. It is theoretically and practically possible to create two different inputs with the same MD5 hash.

SHA-256: Overview

SHA-256 is part of the SHA-2 (Secure Hash Algorithm 2) family, published by NIST in 2001. It produces a 256-bit hash, displayed as 64 hexadecimal characters.

SHA-256 is significantly slower than MD5 but remains cryptographically secure. No practical collision attacks have been found against SHA-256. It is used in Bitcoin mining, SSL/TLS certificates, code signing, and countless security protocols.

MD5 vs. SHA-256: Key Differences

| Property | MD5 | SHA-256 |
| --- | --- | --- |
| Output size | 128 bits (32 hex chars) | 256 bits (64 hex chars) |
| Speed | Very fast | Moderate |
| Security status | **Broken** | Secure |
| Collision resistance | Defeated | Strong |
| Current use | Non-security checksums | Security-critical applications |

Where MD5 is Still Acceptable

Despite being broken for cryptographic purposes, MD5 is still appropriate for non-security checksum applications:

  • File integrity checking (casual): Verifying that a file was not corrupted during download — not against an attacker, just against random data corruption.
  • Non-security hash maps and caching: Using MD5 as a cache key or to identify files by content where security is not a concern.
  • Legacy system compatibility: Interoperating with an existing system that uses MD5 where collision attacks are not a realistic threat.

Do not use MD5 for: password storage (ever), digital signatures, certificate generation, or any security-critical application.

Where SHA-256 Should Be Used

SHA-256 is appropriate for:

  • File integrity verification: Downloads, software packages, container images. Most modern package managers (apt, brew, pip) use SHA-256 checksums.
  • Digital signatures: SHA-256 is the standard hash used in RSA and ECDSA signature schemes.
  • HMAC authentication: HMAC-SHA256 is used in API authentication headers, JWT signatures (HS256), and message authentication codes. See our [JWT guide](/blog/jwt-explained) for examples.
  • Certificate fingerprinting: SSL/TLS certificates use SHA-256 for their fingerprint.
  • Content addressing: Git (being migrated from SHA-1 to SHA-256) uses hash functions to address repository objects. Docker uses SHA-256 for image layers.
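
The HMAC-SHA256 use case from the list above, as an added example that is not part of the original article: a client signs a request body together with a timestamp, and the server recomputes the tag and compares it in constant time. The `timestamp.body` message layout, the 300-second freshness window and the function names are assumptions made for this sketch.

```javascript
const crypto = require('crypto')

const MAX_SKEW_SECONDS = 300 // assumed freshness window for this example

// Client side: HMAC-SHA256 over "timestamp.body", returned as a hex tag
// that would travel in a header next to the timestamp.
function signRequest(secret, timestamp, body) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${body}`)
    .digest('hex')
}

// Server side: check freshness, recompute the tag, compare in constant time.
function verifyRequest(secret, timestamp, body, tagHex, now) {
  if (!Number.isInteger(timestamp)) return false
  if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return false // stale or replayed
  if (typeof tagHex !== 'string' || !/^[0-9a-f]{64}$/.test(tagHex)) return false
  const expected = Buffer.from(signRequest(secret, timestamp, body), 'hex')
  const received = Buffer.from(tagHex, 'hex')
  // timingSafeEqual avoids leaking how many leading bytes matched
  return crypto.timingSafeEqual(expected, received)
}

// Constructed sample values, not real credentials or traffic.
const secret = Buffer.from('constructed-demo-secret')
const body = '{"amount":100,"to":"alice"}'
const sentAt = 1700000000
const tag = signRequest(secret, sentAt, body)

console.log('valid request   :', verifyRequest(secret, sentAt, body, tag, sentAt + 5))
console.log('tampered body   :', verifyRequest(secret, sentAt, body.replace('100', '900'), tag, sentAt + 5))
console.log('outside window  :', verifyRequest(secret, sentAt, body, tag, sentAt + 3600))
```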

Neither: Password Hashing

Here is the most important point in this guide: neither MD5 nor SHA-256 should be used for password storage. Both are far too fast.

Password hashing requires a slow algorithm that is deliberately expensive to compute — making brute-force attacks impractical even with modern hardware. The correct algorithms for password hashing are:

  • bcrypt: Industry standard for many years. Includes a work factor that can be increased as hardware gets faster. Default work factor of 12 is currently recommended.
  • scrypt: Designed to be memory-hard as well as computationally expensive. Harder to accelerate with GPUs.
  • Argon2: The winner of the Password Hashing Competition (2015). The modern recommendation. Three variants: Argon2d (GPU resistant), Argon2i (side-channel resistant), Argon2id (balanced, recommended for most uses).

Using MD5 or SHA-256 for password storage is a critical vulnerability. Attackers with GPU clusters can crack billions of MD5-hashed passwords per second. Learn more in our [Password Security guide](/blog/password-security-guide).
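
One way to store passwords with a slow, salted algorithm, using the scrypt function built into Node.js so that it runs without extra packages. This is an added example, not code from the original article; the cost parameters, the `scrypt$N$r$p$salt$hash` record format and the function names are assumptions chosen for illustration.

```javascript
const crypto = require('crypto')

// Assumed cost parameters for this example; tune them on your own hardware.
const PARAMS = { N: 16384, r: 8, p: 1, keylen: 32 }

// Returns "scrypt$N$r$p$saltHex$hashHex" so the parameters travel with the hash.
function hashPassword(password, params = PARAMS) {
  const { N, r, p, keylen } = params
  const salt = crypto.randomBytes(16) // fresh random salt for every password
  const key = crypto.scryptSync(password, salt, keylen, { N, r, p })
  return ['scrypt', N, r, p, salt.toString('hex'), key.toString('hex')].join('$')
}

// Splits a stored record; returns null when it is not in the format above.
function parseRecord(stored) {
  const parts = String(stored).split('$')
  if (parts.length !== 6 || parts[0] !== 'scrypt') return null
  const [N, r, p] = parts.slice(1, 4).map(Number)
  const salt = Buffer.from(parts[4], 'hex')
  const key = Buffer.from(parts[5], 'hex')
  if (![N, r, p].every(Number.isInteger) || key.length === 0) return null
  return { N, r, p, salt, key }
}

function verifyPassword(password, stored) {
  const rec = parseRecord(stored)
  if (!rec) return false
  let actual
  try {
    actual = crypto.scryptSync(password, rec.salt, rec.key.length,
      { N: rec.N, r: rec.r, p: rec.p })
  } catch (err) {
    return false // parameters outside what scrypt accepts
  }
  return crypto.timingSafeEqual(actual, rec.key) // constant-time comparison
}

// True when a record was made with a lower cost than the current PARAMS,
// so it can be re-hashed at the user's next successful login.
function needsRehash(stored, params = PARAMS) {
  const rec = parseRecord(stored)
  return !rec || rec.N < params.N || rec.r < params.r || rec.p < params.p
}
```

Because each record carries its own salt, two users with the same password get different records, so a precomputed table of hashes cannot be reused across accounts.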

Practical Examples

```javascript
// Node.js - SHA-256
const crypto = require('crypto')
const hash = crypto.createHash('sha256').update('input').digest('hex')
```

```python
# Python - SHA-256
import hashlib
# named "digest" so the built-in hash() is not shadowed
digest = hashlib.sha256(b'input').hexdigest()
```

For password hashing in Node.js, use the bcrypt library:

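```javascript
const bcrypt = require('bcrypt')
// `await` must run inside an async function (or an ES module)
async function demo(password, inputPassword) {
  const storedHash = await bcrypt.hash(password, 12)  // saltRounds = 12
  return bcrypt.compare(inputPassword, storedHash)    // resolves to true or false
}
```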

SHA-3 and the Future

SHA-3 (Keccak) was published in 2015 as NIST's next-generation hash function. While SHA-256 remains secure, SHA-3 provides a different internal design that could become important if weaknesses are discovered in SHA-2. SHA-3 has not widely replaced SHA-2 in practice but is available in most cryptographic libraries.

Frequently Asked Questions

Q: Can MD5 be reversed or cracked?

Not directly reversed — but attackers use rainbow tables (precomputed hash-to-input tables) and fast brute-force to crack MD5 hashes. This is why MD5 should never be used for passwords. For checksums, MD5 remains useful because accidental corruption does not come from an adversary.

Q: How is SHA-256 used in Bitcoin?

Bitcoin uses SHA-256 twice (SHA-256d) to hash transaction data and create the proof-of-work for mining. The 256-bit output provides enormous security headroom. This is completely unrelated to password hashing — it is used for data integrity and consensus.

Q: Which is faster — MD5 or SHA-256?

MD5 is approximately 3–4× faster than SHA-256 on most hardware. For password hashing this is a drawback (faster = easier to brute-force). For file checksums, this speed advantage is why MD5 is still sometimes used when security is not a concern.

Q: Should I use SHA-256 or SHA-512?

SHA-512 produces a larger hash (512 bits vs 256 bits) and is actually faster than SHA-256 on 64-bit hardware. Both are considered secure. SHA-256 is more widely supported; SHA-512 may offer a small margin of future-proofing.

Conclusion

Use SHA-256 for file integrity, HMAC, digital signatures, and content addressing. Use Argon2 or bcrypt for passwords. Use MD5 only for non-security checksums where collision resistance does not matter. [ToolHub's MD5 Generator](/tools/md5-generator) provides both MD5 and SHA-256 hashing — useful for checksums, testing, and development.


ToolFocus editorial team
