Saved

Utilix knowledge base

MD5 vs SHA-256 — Choosing the Right Hash Algorithm

Published May 23, 2026

MD5 and SHA-256 are both cryptographic hash functions — algorithms that map an input of any size to a fixed-length output called a hash or digest. They were designed for different eras and have very different security profiles.

Output comparison

AlgorithmOutput lengthExample (hash of "hello")
MD5128 bits / 32 hex chars5d41402abc4b2a76b9719d911017c592
SHA-256256 bits / 64 hex chars2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Both produce a unique-looking fixed-length string for any input. Change one character in the input and the output changes completely (the avalanche effect).

Security comparison

PropertyMD5SHA-256
Collision resistance❌ Broken (2004)✅ No known collisions
Pre-image resistance⚠️ Weakened✅ Strong
Second pre-image resistance⚠️ Weakened✅ Strong
SpeedVery fastFast (~3–5× slower than MD5)
GPU cracking resistance❌ Trivial with modern GPUs⚠️ Better, but not a password hash
NIST approved❌ Deprecated✅ Approved

Collision means two different inputs produce the same hash. MD5 collisions can be generated in seconds on consumer hardware. This makes MD5 unsuitable for any security context where forgery resistance matters.

When MD5 is acceptable

MD5 is not inherently dangerous — the problem is using it for the wrong purpose. It remains fine when:

  • Checksums for accidental corruption — verifying a downloaded file wasn't corrupted in transit (but not tampered with). Linux distros often still publish MD5 alongside SHA-256 for this reason.
  • Non-cryptographic fingerprinting — deduplicating files in a database, cache-busting asset URLs, or generating ETags where collision risk is not a security concern.
  • Internal tooling — fast content-addressable caching in build systems where an attacker cannot influence the inputs.

Do not use MD5 for:

  • Digital signatures or certificates
  • Verifying software authenticity (use SHA-256 or SHA-3)
  • Password hashing (use bcrypt, scrypt, or Argon2)
  • HMAC when the security of the system depends on collision resistance

When SHA-256 is the right choice

SHA-256 (part of the SHA-2 family, standardised in 2001) is the current default for most security-sensitive hashing:

  • File integrity and software signatures — Git uses SHA-1 (being migrated to SHA-256); package registries like npm and PyPI use SHA-256 to verify downloads.
  • TLS certificates — SHA-256 is the required hash algorithm in modern TLS certificate chains.
  • HMAC-SHA-256 — the standard MAC algorithm in JWT (HS256) and many API authentication schemes.
  • Bitcoin and blockchain — SHA-256 is used in Bitcoin's proof-of-work and block header hashing.
  • General data integrity where tampering is a concern — anywhere an adversary might be able to craft a collision.

Neither is right for passwords

A critical misconception: neither MD5 nor SHA-256 should be used to hash passwords. Both are designed to be fast, which makes them vulnerable to brute-force and dictionary attacks via GPU cracking.

Password storage requires a slow, memory-hard algorithm:

AlgorithmRecommended use
Argon2idFirst choice for new systems (winner of Password Hashing Competition)
bcryptWidely supported, good track record, adjustable cost factor
scryptMemory-hard, good alternative to bcrypt
MD5 / SHA-256❌ Never for passwords

The SHA family at a glance

AlgorithmOutputStatusCommon use
MD5128 bit❌ BrokenLegacy checksums only
SHA-1160 bit❌ DeprecatedLegacy Git (being replaced)
SHA-256256 bit✅ CurrentTLS, code signing, HMAC
SHA-384384 bit✅ CurrentHigher-security TLS suites
SHA-512512 bit✅ CurrentHigh-security file integrity
SHA3-256256 bit✅ CurrentAlternative where SHA-2 is a concern

Quick decision guide

Need to hash a password?
  → Use Argon2id, bcrypt, or scrypt. Never MD5 or SHA-256.

Need to verify a downloaded file?
  → SHA-256 (preferred) or MD5 (acceptable for corruption-only checks).

Need to sign a file or certificate?
  → SHA-256 minimum. SHA-384 for higher assurance.

Building an HMAC or API signature?
  → HMAC-SHA-256.

Need a fast non-security checksum or dedup key?
  → MD5 is fine. So is SHA-256.

Use the Hash Generator to compute MD5, SHA-256, SHA-512, and other digests instantly in your browser. See Choosing a Hash Algorithm for a broader comparison including SHA-1, SHA-3, and BLAKE2.