MD5 vs SHA-256 — Choosing the Right Hash Algorithm

MD5 and SHA-256 are both cryptographic hash functions — algorithms that map an input of any size to a fixed-length output called a hash or digest. They were designed for different eras and have very different security profiles.

Output comparison

Algorithm	Output length	Example (hash of "hello")
MD5	128 bits / 32 hex chars	`5d41402abc4b2a76b9719d911017c592`
SHA-256	256 bits / 64 hex chars	`2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824`

Both produce a unique-looking fixed-length string for any input. Change one character in the input and the output changes completely (the avalanche effect).

Security comparison

Property	MD5	SHA-256
Collision resistance	❌ Broken (2004)	✅ No known collisions
Pre-image resistance	⚠️ Weakened	✅ Strong
Second pre-image resistance	⚠️ Weakened	✅ Strong
Speed	Very fast	Fast (~3–5× slower than MD5)
GPU cracking resistance	❌ Trivial with modern GPUs	⚠️ Better, but not a password hash
NIST approved	❌ Deprecated	✅ Approved

Collision means two different inputs produce the same hash. MD5 collisions can be generated in seconds on consumer hardware. This makes MD5 unsuitable for any security context where forgery resistance matters.

When MD5 is acceptable

MD5 is not inherently dangerous — the problem is using it for the wrong purpose. It remains fine when:

Checksums for accidental corruption — verifying a downloaded file wasn't corrupted in transit (but not tampered with). Linux distros often still publish MD5 alongside SHA-256 for this reason.
Non-cryptographic fingerprinting — deduplicating files in a database, cache-busting asset URLs, or generating ETags where collision risk is not a security concern.
Internal tooling — fast content-addressable caching in build systems where an attacker cannot influence the inputs.

Do not use MD5 for:

Digital signatures or certificates
Verifying software authenticity (use SHA-256 or SHA-3)
Password hashing (use bcrypt, scrypt, or Argon2)
HMAC when the security of the system depends on collision resistance

When SHA-256 is the right choice

SHA-256 (part of the SHA-2 family, standardised in 2001) is the current default for most security-sensitive hashing:

File integrity and software signatures — Git uses SHA-1 (being migrated to SHA-256); package registries like npm and PyPI use SHA-256 to verify downloads.
TLS certificates — SHA-256 is the required hash algorithm in modern TLS certificate chains.
HMAC-SHA-256 — the standard MAC algorithm in JWT (HS256) and many API authentication schemes.
Bitcoin and blockchain — SHA-256 is used in Bitcoin's proof-of-work and block header hashing.
General data integrity where tampering is a concern — anywhere an adversary might be able to craft a collision.

Neither is right for passwords

A critical misconception: neither MD5 nor SHA-256 should be used to hash passwords. Both are designed to be fast, which makes them vulnerable to brute-force and dictionary attacks via GPU cracking.

Password storage requires a slow, memory-hard algorithm:

Algorithm	Recommended use
Argon2id	First choice for new systems (winner of Password Hashing Competition)
bcrypt	Widely supported, good track record, adjustable cost factor
scrypt	Memory-hard, good alternative to bcrypt
MD5 / SHA-256	❌ Never for passwords

The SHA family at a glance

Algorithm	Output	Status	Common use
MD5	128 bit	❌ Broken	Legacy checksums only
SHA-1	160 bit	❌ Deprecated	Legacy Git (being replaced)
SHA-256	256 bit	✅ Current	TLS, code signing, HMAC
SHA-384	384 bit	✅ Current	Higher-security TLS suites
SHA-512	512 bit	✅ Current	High-security file integrity
SHA3-256	256 bit	✅ Current	Alternative where SHA-2 is a concern

Quick decision guide

Need to hash a password?
  → Use Argon2id, bcrypt, or scrypt. Never MD5 or SHA-256.

Need to verify a downloaded file?
  → SHA-256 (preferred) or MD5 (acceptable for corruption-only checks).

Need to sign a file or certificate?
  → SHA-256 minimum. SHA-384 for higher assurance.

Building an HMAC or API signature?
  → HMAC-SHA-256.

Need a fast non-security checksum or dedup key?
  → MD5 is fine. So is SHA-256.

Use the Hash Generator to compute MD5, SHA-256, SHA-512, and other digests instantly in your browser. See Choosing a Hash Algorithm for a broader comparison including SHA-1, SHA-3, and BLAKE2.

Output comparison

Algorithm	Output length	Example (hash of "hello")
MD5	128 bits / 32 hex chars	`5d41402abc4b2a76b9719d911017c592`
SHA-256	256 bits / 64 hex chars	`2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824`

Both produce a unique-looking fixed-length string for any input. Change one character in the input and the output changes completely (the avalanche effect).

Security comparison

Property	MD5	SHA-256
Collision resistance	❌ Broken (2004)	✅ No known collisions
Pre-image resistance	⚠️ Weakened	✅ Strong
Second pre-image resistance	⚠️ Weakened	✅ Strong
Speed	Very fast	Fast (~3–5× slower than MD5)
GPU cracking resistance	❌ Trivial with modern GPUs	⚠️ Better, but not a password hash
NIST approved	❌ Deprecated	✅ Approved

When MD5 is acceptable

MD5 is not inherently dangerous — the problem is using it for the wrong purpose. It remains fine when:

Checksums for accidental corruption — verifying a downloaded file wasn't corrupted in transit (but not tampered with). Linux distros often still publish MD5 alongside SHA-256 for this reason.
Non-cryptographic fingerprinting — deduplicating files in a database, cache-busting asset URLs, or generating ETags where collision risk is not a security concern.
Internal tooling — fast content-addressable caching in build systems where an attacker cannot influence the inputs.

Do not use MD5 for:

Digital signatures or certificates
Verifying software authenticity (use SHA-256 or SHA-3)
Password hashing (use bcrypt, scrypt, or Argon2)
HMAC when the security of the system depends on collision resistance

When SHA-256 is the right choice

SHA-256 (part of the SHA-2 family, standardised in 2001) is the current default for most security-sensitive hashing:

File integrity and software signatures — Git uses SHA-1 (being migrated to SHA-256); package registries like npm and PyPI use SHA-256 to verify downloads.
TLS certificates — SHA-256 is the required hash algorithm in modern TLS certificate chains.
HMAC-SHA-256 — the standard MAC algorithm in JWT (HS256) and many API authentication schemes.
Bitcoin and blockchain — SHA-256 is used in Bitcoin's proof-of-work and block header hashing.
General data integrity where tampering is a concern — anywhere an adversary might be able to craft a collision.

Neither is right for passwords

Password storage requires a slow, memory-hard algorithm:

Algorithm	Recommended use
Argon2id	First choice for new systems (winner of Password Hashing Competition)
bcrypt	Widely supported, good track record, adjustable cost factor
scrypt	Memory-hard, good alternative to bcrypt
MD5 / SHA-256	❌ Never for passwords

The SHA family at a glance

Algorithm	Output	Status	Common use
MD5	128 bit	❌ Broken	Legacy checksums only
SHA-1	160 bit	❌ Deprecated	Legacy Git (being replaced)
SHA-256	256 bit	✅ Current	TLS, code signing, HMAC
SHA-384	384 bit	✅ Current	Higher-security TLS suites
SHA-512	512 bit	✅ Current	High-security file integrity
SHA3-256	256 bit	✅ Current	Alternative where SHA-2 is a concern

Quick decision guide

Need to hash a password?
  → Use Argon2id, bcrypt, or scrypt. Never MD5 or SHA-256.

Need to verify a downloaded file?
  → SHA-256 (preferred) or MD5 (acceptable for corruption-only checks).

Need to sign a file or certificate?
  → SHA-256 minimum. SHA-384 for higher assurance.

Building an HMAC or API signature?
  → HMAC-SHA-256.

Need a fast non-security checksum or dedup key?
  → MD5 is fine. So is SHA-256.

Use the Hash Generator to compute MD5, SHA-256, SHA-512, and other digests instantly in your browser. See Choosing a Hash Algorithm for a broader comparison including SHA-1, SHA-3, and BLAKE2.

MD5 vs SHA-256 — Choosing the Right Hash Algorithm

Output comparison

Security comparison

When MD5 is acceptable

When SHA-256 is the right choice

Neither is right for passwords

The SHA family at a glance

Quick decision guide

Related guides

MD5 vs SHA-256 — Choosing the Right Hash Algorithm

Output comparison

Security comparison

When MD5 is acceptable

When SHA-256 is the right choice

Neither is right for passwords

The SHA family at a glance

Quick decision guide

Related guides