Cryptographic Hash Functions Explained — MD5, SHA-256, and More

Hash functions are fundamental to modern software — from password storage to file integrity checks to digital signatures. Understanding the differences between MD5, SHA-1, SHA-256, and SHA-512 will help you make the right choice for your use case.

What is a Cryptographic Hash?

A hash function takes an input of any length and produces a fixed-length output called a digest or hash. Key properties:

• Deterministic — same input always produces the same output
• One-way — you cannot reverse a hash to get the original input
• Avalanche effect — a tiny change in input completely changes the output
• Collision resistant — it should be virtually impossible to find two inputs with the same hash

Comparison of Hash Algorithms

Algorithm  Output size  Speed    Security status
MD5        128 bits     Fast     BROKEN — do not use for security
SHA-1      160 bits     Fast     DEPRECATED — avoid for new projects
SHA-256    256 bits     Medium   SECURE — recommended standard
SHA-512    512 bits     Slower   SECURE — use for high-security needs

Practical Use Cases

File integrity verification

# Download a file, then verify its hash matches the published checksum
sha256sum downloaded-file.zip
# Compare output with the hash on the official download page

Password hashing (use bcrypt, not SHA)

For storing passwords, use bcrypt, Argon2, or PBKDF2 — not plain SHA-256. These algorithms are intentionally slow to prevent brute-force attacks.

API request signing

# HMAC-SHA256 is used to sign API requests (e.g. AWS Signature v4)
signature = HMAC-SHA256(secret_key, string_to_sign)