How to choose between MD5, SHA-1, and SHA-256 in practice
Hash functions look interchangeable from the outside — same interface, fixed-length output for any input — but their security and performance properties differ a lot. Knowing which to reach for keeps “let’s just use MD5” from becoming a vulnerability.
Three security properties
The cryptographic strength of a hash function is usually broken into three properties:
| Property | Statement | What breaks if it falls |
|---|---|---|
| Pre-image resistance | Cannot recover input from hash | Password hashing dies |
| Second pre-image resistance | Cannot find another input with same hash as a given input | Tamper detection fails |
| Collision resistance | Cannot find any two inputs with the same hash | Signatures forgeable |
Collision resistance is the strongest of the three; if it’s broken, the others are effectively in trouble too.
MD5: fine for checksums, not fine for security
MD5 produces 128-bit output and is the classic example of a broken hash:
- 2004: practical collisions demonstrated.
- 2008: collisions exploited to forge SSL certificates.
- Today: collision attacks complete in seconds to minutes.
Collision resistance is fully broken, so never use MD5 for signatures or tamper detection — anywhere there is an adversary, MD5 is wrong.
That said, MD5 is still common where there is no adversary:
- File integrity checks (catching transmission errors)
- Cache key generation
- Duplicate-row detection in databases
In those cases, the speed of MD5 is the only property that matters.
SHA-1: stop using
SHA-1 produces 160-bit output:
- 2017: Google and CWI announced a real collision (“SHAttered”).
- 2020: chosen-prefix collisions became practical.
- Today: every major browser and CA rejects SHA-1 certificates.
Git still uses SHA-1 internally (with a gradual migration toward SHA-256). For new code, there is no good reason to choose SHA-1 today.
SHA-256: the modern default
SHA-256 is the most prominent member of the SHA-2 family and produces 256-bit output:
- Design: a different construction from MD5/SHA-1 (Merkle-Damgård with a different compression function).
- Known weaknesses: no practical collision attack to date.
- Performance: slower than MD5 but very fast on modern CPUs (some have dedicated hardware instructions).
- Use cases: TLS certificates, signatures, blockchain, tamper detection.
When asked “which hash should I use?“, SHA-256 is the safe answer.
What about SHA-3 / BLAKE3?
Two alternatives worth knowing:
- SHA-3 — a NIST-standardized family with a completely different construction (sponge). It exists as insurance in case SHA-2 is ever broken.
- BLAKE3 — a community-driven design optimized for parallelism, several to dozens of times faster than SHA-256. Originated in the Rust ecosystem.
Replacing SHA-256 isn’t strictly necessary for most projects today, but BLAKE3 is increasingly common for high-throughput hashing.
Password hashing needs a dedicated function
Worth stating explicitly: hashing passwords with SHA-256 is wrong.
General-purpose hashes are intentionally fast. That is great for checksums and bad for password storage — an attacker with a GPU can try billions of guesses per second. Passwords need deliberately slow hashes:
| Function | Properties |
|---|---|
| bcrypt | The 1999-era staple. Tunable cost factor. |
| scrypt | Memory-hard; resistant to GPU/ASIC attacks. |
| Argon2 | Winner of the 2015 Password Hashing Competition. The current recommendation. |
For new projects, Argon2id is the first choice; bcrypt is a fine fallback when Argon2 isn’t available.
Pick by use case
| Use case | Recommendation | Notes |
|---|---|---|
| File integrity (no attacker) | MD5 is fine | Speed wins, otherwise SHA-256 |
| Signatures, tamper detection | SHA-256 | Never MD5 or SHA-1 |
| Cache key | MD5 / SHA-1 / SHA-256, any | Pick by speed and length |
| Password storage | Argon2id / bcrypt | Never plain SHA-256 |
| API token generation | crypto.randomBytes | Random, not hashed |
| Blockchain | SHA-256 / Keccak-256 | Determined by the protocol |
When you want to compute a quick hash to compare values, the hash generator on this site shows MD5, SHA-1, and SHA-256 side by side. Useful for picking by length and seeing the speed/security tradeoff.