Security · February 11, 2025 · 8 min read

MD5 vs SHA-256: Choosing the Right Hash Algorithm

MD5 and SHA-256 are the two most commonly encountered hash functions, but they have dramatically different security profiles and appropriate use cases. Here is what every developer needs to know.

Hash functions underpin nearly every security-critical system in modern computing: file integrity verification, digital signatures, TLS certificates, blockchain, API request signing, and — when used correctly — password storage. MD5 and SHA-256 are the two hash functions developers encounter most frequently. Understanding their differences, their histories, and exactly when to use each is essential for building secure systems.

What is a Cryptographic Hash Function?

A hash function takes an input of arbitrary size and produces a fixed-length output called a hash or digest. Cryptographic hash functions must satisfy four properties:

  • Deterministic: The same input always produces the same output
  • Avalanche effect: A tiny change in input (even one bit) produces a completely different output
  • One-way (preimage resistance): It is computationally infeasible to reverse the hash and recover the original input
  • Collision resistance: It is computationally infeasible to find two different inputs that produce the same hash

It is the last property — collision resistance — where MD5 has definitively failed.

MD5: History and Current Security Status

MD5 (Message-Digest Algorithm 5) was designed by Ronald Rivest in 1991. It produces a 128-bit hash, displayed as 32 hexadecimal characters. For over a decade it was the dominant hash function for file integrity verification and digital signatures.

The problems emerged in stages. In 1996, researchers found theoretical weaknesses in MD5's compression function. By 2004, Chinese cryptographers demonstrated practical collision attacks — they could craft two different files that produced the same MD5 hash. In 2008, a team used collision attacks to forge a rogue SSL certificate accepted as legitimate by browsers. In 2012, the Flame malware exploited MD5 collisions to fake a Microsoft code-signing certificate.

MD5 is now considered cryptographically broken for any use that requires collision resistance. It should not be used for digital signatures, certificates, or security-critical integrity verification.

The SHA Family

The Secure Hash Algorithm (SHA) family was developed by the NSA and standardized as Federal Information Processing Standards (FIPS) by NIST. The SHA-2 family (SHA-256, SHA-384 and SHA-512) has no known practical attacks; its predecessor SHA-1 does not share that status:

  • SHA-1 (1995): 160-bit output. Theoretical weaknesses found in 2005; Google's SHAttered team demonstrated a practical collision in 2017. Deprecated for signatures and certificates.
  • SHA-256 (2001): 256-bit output. No known practical attacks. The standard choice for nearly all modern security infrastructure.
  • SHA-384 (2001): 384-bit output. Same algorithm as SHA-512, truncated. Used where extra security margin is desired.
  • SHA-512 (2001): 512-bit output. Faster than SHA-256 on 64-bit processors for long messages. Used in high-security contexts.

When MD5 is Still Acceptable

Despite its security weaknesses, MD5 remains widely used for non-security purposes where collision resistance is not required and an attacker is not intentionally crafting malicious input:

  • File deduplication: Detecting identical files in a storage system where no adversary is crafting collisions
  • Cache keys: Generating short, fixed-length cache keys from long query strings or request parameters
  • Gravatar avatars: The Gravatar service uses MD5 hashes of email addresses to generate profile image URLs
  • Non-security checksums: Detecting accidental corruption (bit rot, transmission errors) where an active attacker is not involved
  • ETag generation: HTTP ETags for cache validation where collision attacks are not a realistic threat model

If in doubt, use SHA-256. It is faster than you think (hardware-accelerated on modern CPUs), produces a better security guarantee, and has the same ease of use as MD5.

Why Neither MD5 Nor SHA-256 Should Be Used for Passwords

For password storage, neither MD5 nor SHA-256 is appropriate — even though SHA-256 is cryptographically secure in other contexts. The reason is speed: both algorithms are designed to be fast. A modern GPU cluster can compute tens of billions of SHA-256 hashes per second. Given a leaked database of SHA-256 password hashes, an attacker can try every word in a large dictionary plus millions of common password patterns in seconds.

Password-specific hashing algorithms are designed to be deliberately slow, with a tunable work factor that increases cost as hardware gets faster:

  • bcrypt: The industry standard for web applications since 1999. Uses a cost factor (typically 10-12) that doubles computation time with each increment.
  • Argon2: Winner of the Password Hashing Competition (2015). Resistant to GPU and ASIC attacks by requiring large amounts of memory. The recommended choice for new systems.
  • PBKDF2: NIST-approved and required by some compliance standards (FIPS 140). Iterated application of a PRF, often HMAC-SHA256.
  • scrypt: Memory-hard algorithm designed to be expensive in both time and memory. Used by many cryptocurrency wallets.
```javascript
// Node.js — password hashing with bcrypt
const bcrypt = require('bcrypt');

// Hash a password (cost factor 12); store the returned string in the database
async function hashWithBcrypt(plainPassword) {
  return bcrypt.hash(plainPassword, 12);
}

// Verify a password on login against the stored hash
async function verifyWithBcrypt(plainPassword, storedHash) {
  return bcrypt.compare(plainPassword, storedHash);
}

// Node.js — Argon2 with the argon2 package
const argon2 = require('argon2');

// argon2.hash generates a random salt and encodes parameters into the result
async function hashWithArgon2(plainPassword) {
  return argon2.hash(plainPassword);
}

// argon2.verify reads the salt and parameters back out of the stored hash
async function verifyWithArgon2(storedHash, plainPassword) {
  return argon2.verify(storedHash, plainPassword);
}
```

Summary

  • Use SHA-256 for file integrity, API request signing, digital signatures, TLS, and any security-critical checksum
  • MD5 is acceptable for non-security checksums, cache keys, and deduplication where adversarial collision attacks are not a concern
  • Never use MD5 for anything security-critical: signatures, certificates, or any context where an attacker might craft collisions
  • Use bcrypt, Argon2, or PBKDF2 for password hashing — not SHA-256, and definitely not MD5
