MD5 vs SHA-256: Which Hashing Algorithm Should You Use? (2026)

You see MD5 and SHA-256 everywhere: file checksums, password tables, download verification pages, Git commits. They both turn data into a fixed-length fingerprint, so what's the actual difference? In short, MD5 is fast but broken for security, while SHA-256 is the modern standard. This guide explains how hash functions work, why collision attacks killed MD5 for security use, and exactly when each algorithm is the right pick. You can test both yourself with a free, in-browser hash generator.

By · June 17, 2026 · 9 min read · Updated June 2026
Key Takeaways
  • MD5 produces a 128-bit hash and is fast, but practical collisions have existed since 2004, so it is broken for any security use.
  • SHA-256 produces a 256-bit hash, belongs to the SHA-2 family, and has no known practical collision (NIST FIPS 180-4).
  • Use MD5 only for non-security checksums; use SHA-256 for signatures, integrity, and blockchain.
  • For passwords, use neither alone; choose bcrypt or Argon2 instead.

What Is a Hash Function and How Does It Work?

A hash function maps any input to a fixed-length string of characters. It is one-way, deterministic, and fast. NIST defines an approved hash as one that is computationally infeasible to reverse (NIST FIPS 180-4, 2015). The same input always yields the same output.

Three properties define a good cryptographic hash. First, it is deterministic: hashing "hello" always gives the same result. Second, it is fixed-size: a one-byte input and a one-gigabyte file both produce an output of identical length. Third, it is one-way: you cannot run the function backward to recover the input.

A small change to the input should produce a wildly different output. This is the avalanche effect. Hashing "cat" versus "car" gives two completely unrelated strings, even though the inputs differ by a single letter. That sensitivity is what makes hashes useful for detecting tampering.
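The avalanche effect can be measured rather than eyeballed. The following added example (not part of the original article) counts how many digest bits change between "cat" and "car" for both algorithms; the function names are chosen for this illustration.

```python
import hashlib

def digest(algorithm: str, data: bytes) -> bytes:
    # usedforsecurity=False lets MD5 run on FIPS-restricted builds (Python 3.9+).
    return hashlib.new(algorithm, data, usedforsecurity=False).digest()

def bits_differing(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(algorithm: str, a: bytes, b: bytes) -> float:
    """Fraction of digest bits that change when the input changes from a to b."""
    da, db = digest(algorithm, a), digest(algorithm, b)
    return bits_differing(da, db) / (len(da) * 8)

if __name__ == "__main__":
    a, b = b"cat", b"car"
    # 't' (0x74) and 'r' (0x72) differ in only two bits of input.
    print("input bits changed:", bits_differing(a, b))
    for algorithm in ("md5", "sha256"):
        size = len(digest(algorithm, a)) * 8
        flipped = avalanche(algorithm, a, b)
        print(f"{algorithm}: {size}-bit digest, {flipped:.0%} of bits flipped")
    # Fixed size: 1 byte and 1 MB of input give digests of the same length.
    print(len(digest("sha256", b"x")), len(digest("sha256", b"x" * 1_000_000)))
```

A two-bit change in the input flips roughly half of the output bits in both algorithms, which is what an ideal hash should do.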

What hashes are used for

Hashes power a surprising amount of everyday computing. They verify that a downloaded file arrived intact, index data in hash tables, fingerprint files for deduplication, and underpin digital signatures and blockchains. Want to see one in action? You can generate a hash from any string with a free browser-based hash generator.

"A cryptographic hash function takes an arbitrary-length input and returns a fixed-length output. Approved functions must be preimage-resistant, second-preimage-resistant, and collision-resistant. The output is deterministic and computationally infeasible to invert, which is the foundation of integrity verification." Source: NIST FIPS 180-4, Secure Hash Standard (2015)

What Is MD5 and Why Is It Considered Broken?

MD5 is a 128-bit hash function designed by Ronald Rivest in 1991. It is extremely fast, but it is cryptographically broken. The first practical collision was demonstrated by Wang and Yu in 2004, and by 2008 researchers forged a rogue CA certificate using MD5 collisions (Sotirov et al., 2008).

MD5 produces a 32-character hexadecimal string, for example 5d41402abc4b2a76b9719d911017c592 for the word "hello". For two decades it was the default for everything: passwords, checksums, signatures. Then the math caught up with it.

Why MD5 fell apart

The problem is collision resistance. In 2004, cryptographers showed they could deliberately construct two different inputs with the same MD5 hash. By 2008, that weakness was weaponized to mint a fraudulent certificate authority. Today, anyone can generate an MD5 collision on a laptop in seconds.

Do not use MD5 for security. Never use it for passwords, digital signatures, TLS certificates, or any case where an attacker benefits from forging a matching hash. CMU's CERT and most security standards bodies formally deprecated MD5 for security use years ago.

So is MD5 useless? Not quite. It still works fine where nobody is trying to attack you. Verifying that a large file downloaded without random corruption is a legitimate, low-stakes job for MD5, and its speed is a genuine advantage there.

What Is SHA-256 and Why Is It the Standard?

SHA-256 is a 256-bit member of the SHA-2 family, standardized by NIST in 2001 (NIST FIPS 180-4). It has no known practical collision after more than two decades of analysis. It secures TLS, Bitcoin, code signing, and Git's newer object model.

SHA-256 produces a 64-character hexadecimal string, double the length of MD5. That larger output space is part of why it resists attacks: there are roughly 1.16 x 10^77 possible SHA-256 values, an unimaginably large number. Finding two inputs that collide by brute force is not feasible with current or foreseeable technology.

Where SHA-256 is used today

SHA-256 is the workhorse of modern cryptography. Bitcoin's proof-of-work runs on it. TLS certificates are signed with it. Software publishers post SHA-256 checksums so you can verify downloads. Linux distributions, package managers, and CI pipelines all rely on it for integrity.

2^256 possible SHA-256 outputs: SHA-256 has about 1.16 x 10^77 possible hash values, with no practical collision demonstrated since its 2001 standardization (NIST FIPS 180-4).

There are larger SHA-2 variants too, like SHA-384 and SHA-512. For most applications, SHA-256 hits the sweet spot of strong security and good performance. It is the safe default when you need a general-purpose secure hash.

What Are Collision Attacks?

A collision occurs when two different inputs produce the same hash. Because hashes are fixed-length, collisions exist mathematically for every algorithm. What matters is feasibility. An MD5 collision can be generated in under a second on commodity hardware, while no SHA-256 collision has ever been found.

Here is why collisions are dangerous. Imagine a software vendor signs a "safe" installer, and an attacker crafts a malicious file with the identical hash. A system checking only the hash would accept the malware as genuine. That is precisely the attack class that broke MD5's trustworthiness.

Collision attack vs preimage attack

These two are easy to confuse. A collision attack means finding any two inputs that hash to the same value, where the attacker controls both. A preimage attack means finding an input that matches a specific, pre-existing hash. Preimage attacks are much harder, and MD5 is not practically broken against them. But the failure of collision resistance alone is enough to disqualify MD5 for signatures.
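The gap between the two searches shows up clearly on a deliberately weakened hash. The added example below (not from the original article) goes beyond the text by truncating SHA-256 to 16 bits, an assumption made only so both searches finish quickly. It says nothing about the cost of attacking full MD5 or SHA-256, and it shows why digests should never be truncated to a few bits for security purposes.

```python
import hashlib
from itertools import count

BITS = 16  # demo assumption: keep only the first 16 bits of each digest

def truncated(data: bytes, bits: int = BITS) -> int:
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int = BITS):
    """Collision: any two distinct inputs that share a truncated digest."""
    seen = {}
    for tries in count(1):
        msg = b"msg-%d" % tries
        tag = truncated(msg, bits)
        if tag in seen:
            return seen[tag], msg, tries
        seen[tag] = msg

def find_second_preimage(target: bytes, bits: int = BITS):
    """Second preimage: a different input matching one fixed, given digest."""
    goal = truncated(target, bits)
    for tries in count(1):
        msg = b"guess-%d" % tries
        if msg != target and truncated(msg, bits) == goal:
            return msg, tries

if __name__ == "__main__":
    a, b, c_tries = find_collision()
    print(f"collision after {c_tries} inputs: {a!r} and {b!r}")
    m, p_tries = find_second_preimage(b"installer-v1")
    print(f"second preimage after {p_tries} guesses: {m!r}")
    # With 2**16 possible values, any 2**16 + 1 inputs must contain a collision;
    # the birthday effect usually produces one after a few hundred inputs, while
    # matching one fixed target typically takes on the order of 2**16 guesses.
```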

"In 2008, researchers exploited MD5 collision weaknesses to create a rogue certificate authority accepted by all major browsers. The attack used a cluster of 200 PlayStation 3 consoles, proving that MD5 collisions had moved from theoretical to practical and dangerous." Source: Sotirov, Stevens, Appelbaum et al., MD5 Considered Harmful Today (2008)

MD5 vs SHA-256: The Full Comparison

MD5 wins on raw speed; SHA-256 wins on every security metric. MD5 outputs 128 bits versus SHA-256's 256 bits. Practical MD5 collisions have existed since 2004, while SHA-256 has none. For any adversarial context, SHA-256 is the only defensible choice (NIST FIPS 180-4).

| Property | MD5 | SHA-256 |
| --- | --- | --- |
| Output size | 128 bits (32 hex chars) | 256 bits (64 hex chars) |
| Year designed | 1991 | 2001 (SHA-2) |
| Speed | Very fast | Fast (slower than MD5) |
| Known collisions | Yes, practical since 2004 | None known |
| Security status | Broken (deprecated) | Secure (current standard) |
| Recommended use | Non-security checksums only | Signatures, integrity, blockchain |
| Suitable for passwords? | No | No (use Argon2/bcrypt) |

The takeaway is simple. If security matters at all, reach for SHA-256. If you just need a quick non-adversarial fingerprint and speed is the priority, MD5 still earns its keep. Everything else points to SHA-256.

When Should You Use MD5 vs SHA-256?

Use MD5 only when no attacker is involved, such as detecting accidental file corruption or generating cache keys. Use SHA-256 whenever an attacker could benefit from forging a match: signatures, certificates, integrity checks, and blockchain. OWASP and NIST both treat MD5 as unsafe for security.

Reach for MD5 when

You need a fast, non-security checksum: detecting accidental corruption in a file transfer, deduplicating files, or building a non-security cache key. Speed matters and no attacker is in the picture.

Reach for SHA-256 when

Security matters at all: digital signatures, TLS certificates, secure download verification, blockchain, audit logs, or any integrity check where forgery would cause real harm. This is the default safe choice.

A quick rule of thumb: ask "would it hurt me if someone deliberately produced a matching hash?" If yes, use SHA-256. If the only risk is random, accidental corruption, MD5 is acceptable and faster. When in doubt, default to SHA-256; the performance cost is negligible for most workloads.

Hashing Is Not Encryption

Hashing and encryption are different tools. Encryption is reversible with a key; hashing is one-way and cannot be reversed. NIST classifies hash functions as integrity primitives, not confidentiality controls (NIST FIPS 180-4). Hashing a password does not "encrypt" it.

This confusion causes real bugs. Encryption protects data so an authorized party can recover it later with a key. Hashing produces a fingerprint you compare against, with no way back. You hash a password to check it without storing the original; you encrypt a message so the recipient can read it.

So how do attackers "crack" hashes?

They do not reverse the hash. They guess inputs, hash each guess, and compare. Because MD5 and SHA-256 are fast, billions of guesses per second are possible on a GPU. That is exactly why raw SHA-256 is wrong for passwords. You need a slow, salted function. Learn more in our guide to creating strong passwords.

Bottom line: For password storage, neither MD5 nor SHA-256 is appropriate on its own. Use a deliberately slow, salted password-hashing function such as Argon2id, bcrypt, or scrypt. OWASP currently recommends Argon2id as the default. Hash speed is a feature for checksums and a liability for passwords.
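The difference between a fast unsalted hash and a slow salted one is visible in what ends up in the stored record. This added example (not from the original article) uses scrypt because it ships in Python's standard library; Argon2id, the OWASP default named above, needs a third-party package. The cost parameters and function names are assumptions for the demo.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: demo assumptions, tune them to your own hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024

def fast_unsalted(password: str) -> str:
    """What not to store: one fast SHA-256 pass with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=DKLEN)

def hash_password(password: str) -> tuple:
    """Return (salt, key); store both next to the user record."""
    salt = os.urandom(16)  # unique random salt per password
    return salt, _derive(password, salt)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored)

if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "correct horse battery staple"
    print("unsalted SHA-256 equal:", fast_unsalted(pw) == fast_unsalted(pw))
    salt_a, key_a = hash_password(pw)
    salt_b, key_b = hash_password(pw)
    print("scrypt records equal:  ", key_a == key_b)
    print("right password:", verify_password(pw, salt_a, key_a))
    print("wrong password:", verify_password("guess", salt_a, key_a))
```

With the unsalted hash, identical passwords produce identical records, so one precomputed table covers every user. With a per-user salt and a slow function, each record has to be guessed separately and each guess costs real time and memory.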

Frequently Asked Questions

Is MD5 still useful for anything in 2026?

Yes, but only for non-security purposes. MD5 remains a fast, convenient checksum for detecting accidental data corruption during file transfers, or as a cache key or deduplication fingerprint. It must never be used for passwords, digital signatures, or any context where an attacker could deliberately craft a collision. For those, use SHA-256.

Can SHA-256 be reversed to recover the original input?

No. SHA-256 is a one-way function: there is no mathematical operation that reverses a hash back to its input. Attackers instead guess inputs and hash them, comparing results against the target. This is why salting and slow hashing matter for passwords. SHA-256 itself remains preimage-resistant, with no practical reversal known after two decades of analysis.

Which should I use for hashing passwords, MD5 or SHA-256?

Neither one alone. Both MD5 and SHA-256 are fast, which is exactly wrong for passwords because it lets attackers guess billions per second. Use a purpose-built password hashing function such as bcrypt, scrypt, or Argon2. These are deliberately slow and include salting, making large-scale guessing impractical. OWASP recommends Argon2id as the modern default.

Can two different files ever have the same hash?

Yes, this is called a collision. Because hashes are fixed-length, infinite possible inputs map to a finite set of outputs, so collisions exist mathematically for every hash function. The difference is feasibility: a practical MD5 collision can be generated in seconds, while no practical SHA-256 collision has ever been demonstrated.

What is a salt and why does it matter?

A salt is a unique random value added to each input before hashing. It ensures two identical passwords produce different stored hashes, which defeats precomputed rainbow table attacks. Salting is essential for password storage and is built into proper password hashing functions like bcrypt and Argon2 automatically, so you rarely manage it by hand.
