
MD5 vs SHA-1 vs SHA-256: Which Hash Should You Use?

Bill Crawford — Developer Guide — 2026 · Last updated October 23, 2025

Cryptographic hash functions are one of the most used tools in software development, yet the choice between algorithms is often made carelessly, sometimes with serious security consequences.


Table of Contents

  1. What a Hash Function Does
  2. MD5: Broken for Security
  3. SHA-1: Deprecated
  4. SHA-256: The Current Standard
  5. SHA-512: Higher Security Margin
  6. Modern Alternatives: SHA-3 and BLAKE3
  7. Passwords: Use a Different Algorithm Entirely

What a Hash Function Does

A cryptographic hash takes input of any size and produces a fixed-size output (the digest). Key properties: deterministic (same input → same output), one-way (can't reverse to find input), avalanche effect (tiny input change → completely different output), collision resistance (infeasible to find two inputs with the same hash). When collision resistance is broken, many security guarantees collapse.

MD5: Broken for Security

MD5 produces 128-bit (32 hex character) hashes. Collision attacks were demonstrated in 2004 and were used to forge SSL certificates by 2008. Do not use MD5 for passwords, digital signatures, or certificate fingerprinting. It remains acceptable for non-security checksums where collision resistance is not required: accidental data corruption detection, cache keys, non-security deduplication.

SHA-1: Deprecated

SHA-1 produces 160-bit (40 hex character) hashes. Google's Project Zero demonstrated the first practical SHA-1 collision in 2017 (SHAttered). SHA-1 is deprecated by NIST, removed from TLS, and rejected by all certificate authorities. Do not use SHA-1 for any new applications. Migrate existing uses to SHA-256.

SHA-256: The Current Standard

SHA-256 produces 256-bit (64 hex character) hashes. No practical collision has been found. This is the recommended general-purpose hash algorithm. Use it for TLS certificates, code signing, HMAC message authentication, file integrity verification, and deriving keys with PBKDF2 or HKDF.

// SHA-256 in JavaScript (Web Crypto API)
async function sha256(message) {
  const data = new TextEncoder().encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(hashBuffer))
    .map(b => b.toString(16).padStart(2, '0')).join('');
}

SHA-512: Higher Security Margin

SHA-512 produces 512-bit (128 hex character) hashes. On modern 64-bit processors, SHA-512 is actually faster than SHA-256 for large inputs because it processes data in 64-bit blocks. Use it when you want a larger security margin, for high-value cryptographic keys or future-proofing against quantum computing advances.

Modern Alternatives: SHA-3 and BLAKE3

For new systems built in 2025 and beyond, two alternatives are worth knowing:

SHA-3 (Keccak) is the NIST-standardised successor to SHA-2, using a completely different sponge construction internally. SHA-3 is immune to length-extension attacks that affect SHA-2 in some HMAC-less signing contexts. SHA-3-256 produces the same 256-bit output as SHA-256 with different algorithmic properties, useful when you need diversity from SHA-2 in a high-assurance system.

BLAKE3 (2020) is a modern cryptographic hash function that is significantly faster than SHA-256, often 4–10× faster on modern CPUs using SIMD parallelism, while maintaining strong security guarantees. It is gaining adoption in performance-sensitive applications like file integrity checking, content-addressable storage, and build systems. BLAKE3 is not a NIST standard but has received extensive cryptographic review.

For most developers, SHA-256 remains the practical default. It is universally supported, well-understood, and fast enough for nearly all use cases. Consider BLAKE3 for high-throughput pipelines where hashing is a measurable bottleneck.
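The length-extension caveat above concerns ad hoc tags of the form SHA-256(secret || message); the HMAC use listed under SHA-256 is the construction that avoids it. The sketch below is an added example, not code from the original guide, and its function names, secret and sample message are assumptions.

```javascript
// Added example, not from the original guide. Function names and the sample
// message are assumptions made for illustration.
// Browsers and Node 19+ expose Web Crypto globally; older Node uses the fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Before: an ad hoc tag, SHA-256(secret || message). The digest exposes the
// hash's full internal state, which is what makes length extension possible.
async function naiveTag(secret, message) {
  return toHex(await wc.subtle.digest('SHA-256', enc.encode(secret + message)));
}

// After: HMAC-SHA-256. The key is mixed in twice (inner and outer hash), so a
// valid tag says nothing about the tag of any longer message.
async function importHmacKey(secret) {
  return wc.subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
}

async function hmacTag(key, message) {
  return toHex(await wc.subtle.sign('HMAC', key, enc.encode(message)));
}

async function hmacVerify(key, message, tagHex) {
  // Reject anything that is not a 32-byte lowercase hex tag before decoding.
  if (typeof tagHex !== 'string' || !/^[0-9a-f]{64}$/.test(tagHex)) return false;
  const tag = Uint8Array.from(tagHex.match(/.{2}/g), (h) => parseInt(h, 16));
  // subtle.verify recomputes the MAC itself; tags are never compared with ===.
  return wc.subtle.verify('HMAC', key, tag, enc.encode(message));
}

// Constructed sample: sign a message, then check it and two altered variants.
async function demo() {
  const key = await importHmacKey('constructed-demo-secret');
  const msg = 'user=alice&role=viewer';
  const tag = await hmacTag(key, msg);
  return {
    tag,
    original: await hmacVerify(key, msg, tag),
    extended: await hmacVerify(key, msg + '&role=admin', tag),
    truncatedTag: await hmacVerify(key, msg, tag.slice(0, 32)),
  };
}
```

Note that `naiveTag('a', 'bc')` and `naiveTag('ab', 'c')` return the same digest, a second reason plain concatenation is a poor tag.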

Passwords: Use a Different Algorithm Entirely

None of the above should be used directly for passwords. SHA-256 is fast: great for checksums, terrible for passwords. An attacker with a GPU can try billions of SHA-256 guesses per second. Use a purpose-built slow algorithm: bcrypt (battle-tested, adjustable cost), Argon2id (modern recommendation, memory-hard), PBKDF2 (for FIPS-compliant environments, use 310,000+ iterations).
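Of the three options, PBKDF2 is the one Web Crypto provides directly. This added example (not code from the original guide) hashes and verifies a password at the 310,000-iteration floor; the record layout and function names are assumptions.

```javascript
// Added example, not from the original guide. The record layout
// "pbkdf2-sha256$iterations$salt$hash" and all function names are assumptions.
// Browsers and Node 19+ expose Web Crypto globally; older Node uses the fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const MIN_ITERATIONS = 310000; // the PBKDF2 floor given in the guide
const RECORD =
  /^pbkdf2-sha256\$([1-9]\d{0,7})\$((?:[0-9a-f]{2})+)\$((?:[0-9a-f]{2})+)$/;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/.{2}/g), (h) => parseInt(h, 16));

async function pbkdf2(password, salt, iterations) {
  const key = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
  const bits = await wc.subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, key, 256);
  return new Uint8Array(bits);
}

// Store the parameters next to the hash so the cost can be raised later.
async function hashPassword(password, iterations = MIN_ITERATIONS) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh salt per password
  const hash = await pbkdf2(password, salt, iterations);
  return ['pbkdf2-sha256', iterations, toHex(salt), toHex(hash)].join('$');
}

async function verifyPassword(password, record) {
  const m = RECORD.exec(String(record));
  if (!m) return { ok: false, needsRehash: false }; // unknown or malformed record
  const iterations = Number(m[1]);
  const expected = fromHex(m[3]);
  const actual = await pbkdf2(password, fromHex(m[2]), iterations);
  // No early exit: every byte is compared, so timing does not leak a prefix match.
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < actual.length; i++) diff |= actual[i] ^ (expected[i] ?? 0);
  const ok = diff === 0;
  // Records hashed below the current floor are upgraded at the next good login.
  return { ok, needsRehash: ok && iterations < MIN_ITERATIONS };
}
```

When `needsRehash` is true, call `hashPassword` again with the password just verified and replace the stored record.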

| Algorithm | Size | Status | Use for |
|---|---|---|---|
| MD5 | 128-bit | Broken | Non-security checksums only |
| SHA-1 | 160-bit | Deprecated | Legacy only |
| SHA-256 | 256-bit | Current standard | General purpose, TLS, HMAC |
| SHA-512 | 512-bit | Current standard | Higher security margin |
| bcrypt/Argon2 | Variable | Recommended | Passwords only |

Further reading: SubtleCrypto.digest() on MDN
