Cryptographic Hashing in Practice: SHA-256, MD5, BLAKE3, and When to Use Which

Hash functions are fundamental to password storage, data integrity, and digital signatures. Here's a practical guide to choosing the right algorithm.

A cryptographic hash function takes an input of any length and produces a fixed-length output — the hash, digest, or checksum — such that the same input always produces the same output, but it is computationally infeasible to reconstruct the input from the output or to find a second input that produces the same hash. These properties make hash functions fundamental to password storage, data integrity verification, digital signatures, and many other security-critical operations.

The Core Properties

A secure cryptographic hash function must satisfy three main properties:

  • Pre-image resistance: Given a hash H, it must be computationally infeasible to find any input that produces H. This is what makes hash functions useful for storing passwords — knowing the hash does not reveal the password.
  • Second pre-image resistance: Given an input M and its hash H(M), it must be infeasible to find a different input M' such that H(M') = H(M). This prevents an attacker from substituting a different document that hashes to the same value.
  • Collision resistance: It must be computationally infeasible to find any two distinct inputs that produce the same hash. Once collisions can be found efficiently, a hash function is considered broken for security purposes.

Note that these properties are about computational feasibility, not absolute impossibility. With a 256-bit hash, there are 2^256 possible hash values. In theory, feeding the function 2^256 + 1 inputs guarantees a collision by the pigeonhole principle. In practice, 2^256 is an astronomically large number — far beyond any realistic computational budget.

MD5: Broken for Security, Still Useful for Checksums

MD5 produces a 128-bit (16-byte) hash, usually expressed as a 32-character hexadecimal string. It was designed in 1991 and was widely used through the 2000s for password storage, file verification, and digital signatures.

MD5 is now considered cryptographically broken. Researchers demonstrated practical collision attacks against it in the mid-2000s — meaning two different inputs that produce the same MD5 hash can be computed in seconds on a laptop. This makes MD5 completely unsuitable for any security-critical application. You should not use MD5 for password hashing, signing certificates, or verifying untrusted inputs.

However, MD5 is still useful for non-security applications: detecting accidental file corruption during transfer or storage, generating cache keys, or quickly verifying that two large files are identical. In these contexts, the attacker model (intentional collision crafting) does not apply, and MD5's speed is an advantage.

SHA-1: Similarly Deprecated

SHA-1 (Secure Hash Algorithm 1) was the industry standard through the 2000s and early 2010s, producing a 160-bit hash. Google's SHAttered attack in 2017 demonstrated the first practical SHA-1 collision — two distinct PDF files with the same SHA-1 hash. SHA-1 is now deprecated by every major standards body and should not be used for new security applications. Like MD5, it remains acceptable for non-adversarial checksums.

SHA-256: The Current Standard

SHA-256 is part of the SHA-2 family, which was standardized by NIST in 2001. It produces a 256-bit (32-byte) hash. No practical attacks against SHA-256 have been demonstrated. It is used in TLS certificates, Git's object model, Bitcoin's proof-of-work, and most modern security protocols.

SHA-256 is the right choice for:

  • File integrity verification when the file might be maliciously modified
  • Generating the hash component in HMAC authentication schemes
  • Deriving deterministic identifiers from content
  • Digital signatures (combined with RSA or ECDSA)
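The first two uses in the list above, sketched in Python as an added example (not code from the original article). The file contents and key are constructed for the demo. A bare SHA-256 digest only protects a file if the expected digest arrives over a channel the attacker cannot modify; an HMAC tag additionally requires knowledge of a secret key.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read size; keeps memory flat for large files


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_digest(path, expected_hex):
    """Compare against a digest obtained over a trusted channel."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def hmac_tag(key, data):
    """HMAC-SHA256: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key, data, tag_hex):
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def demo():
    # Constructed sample: a small "release artifact" written to a temp file.
    original = b"release-1.0 contents\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(original)
        path = f.name
    try:
        published = sha256_file(path)      # digest the publisher would post
        ok_before = verify_digest(path, published)
        with open(path, "ab") as f:        # simulate modification in transit
            f.write(b"x")
        ok_after = verify_digest(path, published)
    finally:
        os.unlink(path)
    key = b"constructed-demo-key-not-for-real-use"
    tag = hmac_tag(key, original)
    return (ok_before, ok_after,
            verify_tag(key, original, tag), verify_tag(key, original + b"x", tag))
```
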

SHA-256 is not suitable for direct password hashing. It is too fast — a modern GPU can compute billions of SHA-256 hashes per second, which makes brute-forcing short passwords feasible. For passwords, use a purpose-designed slow hash function like bcrypt, Argon2id, or scrypt, which incorporate configurable computational cost.

SHA-512: More Bits, Comparable Speed

SHA-512 produces a 512-bit hash. It is not significantly slower than SHA-256 on 64-bit processors (SHA-512 operates on 64-bit words internally, while SHA-256 uses 32-bit words). SHA-512 is preferred when larger hash values are required — for example, in some post-quantum cryptography contexts — but for most applications, SHA-256 provides adequate collision resistance.

BLAKE3: The Modern Alternative

BLAKE3 is a relatively new hash function (released in 2020) that is dramatically faster than SHA-256 — often 3–10x faster in software — while providing equivalent or stronger security properties. BLAKE3 is also parallelizable, which makes it scale well across CPU cores for large inputs.

BLAKE3 is an excellent choice for:

  • High-throughput file hashing where speed matters
  • Content-addressed storage systems
  • Any application where SHA-256's computational cost is a bottleneck

BLAKE3 is newer and has less ecosystem support than SHA-256 — fewer libraries, fewer hardware accelerators, less regulatory acceptance. For compliance-sensitive environments (FIPS, certain government contexts), SHA-256 or SHA-512 remains the required choice.

Choosing the Right Algorithm

In practice, the decision tree is simple:

  • Password hashing: Argon2id or bcrypt (not SHA-anything)
  • General-purpose file and data integrity, widely interoperable: SHA-256
  • High-performance hashing, modern tooling: BLAKE3
  • Verifying non-adversarial file transfers: MD5 or SHA-1 (for speed, not security)
  • Regulatory/FIPS compliance: SHA-256 or SHA-512