Hash Generator Guide: MD5, SHA-256, SHA-512 and When to Use Each
Cryptographic hash functions are among the most fundamental building blocks in computer security and data integrity. They appear in file downloads, password storage, digital signatures, blockchain systems, and software distribution. Yet the differences between MD5, SHA-1, SHA-256, and SHA-512 — and critically, which ones are actually safe to use — remain confusing to many developers.
This guide explains what hashing is, covers the core properties of a good hash function, compares the major algorithms, and clarifies exactly when each one is appropriate.
What Is a Cryptographic Hash Function?
A hash function takes an input of any length — a single character, an entire file, a database record — and produces a fixed-length output called a hash, digest, or checksum. The output looks like a string of seemingly random hexadecimal characters.
For example, the SHA-256 hash of the word hello is:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Change a single character — say, Hello with a capital H — and the hash changes completely. This is the avalanche effect in action: a tiny input change produces a completely different output.
The Four Core Properties of a Hash Function
- Deterministic: The same input always produces the same hash. If you hash the same file twice, you get the same result both times.
- One-way (pre-image resistant): Given a hash, it should be computationally infeasible to reverse-engineer the original input. You cannot "unhash" data.
- Avalanche effect: A tiny change in the input (even a single bit) produces a completely different hash. This makes hashes useful for detecting any modification to data.
- Collision resistant: It should be computationally infeasible to find two different inputs that produce the same hash. When this breaks down, the algorithm is considered compromised.
Comparing Hash Algorithms
| Algorithm | Output Length | Speed | Security Status | Recommended Use |
|---|---|---|---|---|
| MD5 | 128-bit (32 hex chars) | Very fast | Broken (collisions found) | Non-security checksums only |
| SHA-1 | 160-bit (40 hex chars) | Fast | Deprecated (collisions found) | Legacy compatibility only |
| SHA-256 | 256-bit (64 hex chars) | Fast | Secure | Checksums, signatures, HMAC |
| SHA-512 | 512-bit (128 hex chars) | Fast on 64-bit CPUs | Secure | High-security applications |
| SHA-3 (256) | 256-bit (64 hex chars) | Moderate | Secure (different design) | When SHA-2 family is not suitable |
| bcrypt | 60-char string | Intentionally slow | Secure | Password storage only |
Generate a Hash Instantly
Generate MD5, SHA-256, SHA-512, and more from any text — free, no login required.
Open Hash Generator ToolCommon Use Cases for Hashing
File Integrity Verification
When you download software, the publisher often provides a SHA-256 checksum alongside the download link. After downloading, you compute the hash of the file you received and compare it to the published value. If they match, the file is intact and unmodified. If they differ, the file was corrupted in transit or tampered with. This is one of the most practical everyday uses of hashing.
Password Storage
Websites should never store passwords in plain text. Instead, they store the hash of the password. When you log in, the site hashes your input and compares it to the stored hash. If they match, you are authenticated — without the site ever needing to know your actual password.
However, general-purpose hash algorithms like SHA-256 are the wrong choice for password storage. Passwords require a specialized algorithm designed to be intentionally slow.
Digital Signatures
When you sign a document digitally, you are actually signing the hash of the document, not the document itself. This is practical (signing a short hash is faster than signing a large file) and secure (any change to the document changes the hash and invalidates the signature).
Data Deduplication
Storage systems use hashing to detect duplicate data. If two files have the same SHA-256 hash, they are almost certainly identical, and only one copy needs to be stored. Git uses this technique to store code — every commit, file, and tree object is identified by its hash.
Why MD5 and SHA-1 Are Not Suitable for Security
Both MD5 and SHA-1 have been cryptographically broken. Researchers have demonstrated collision attacks — the ability to engineer two different inputs that produce the same hash. In 2017, Google's SHAttered attack produced two different PDF files with identical SHA-1 hashes.
For a hash to be useful in security contexts, it must be collision resistant. Once that property is broken, attackers can forge signatures, certificates, and integrity proofs. MD5 and SHA-1 should not be used for any security-sensitive purpose. They remain acceptable for non-security uses like generating cache keys where collision resistance is not critical.
Why Fast Algorithms Are Wrong for Passwords
SHA-256 processes billions of hashes per second on modern hardware, especially when using GPUs. This speed is desirable for checksums but catastrophic for passwords. An attacker who obtains your hashed password database can attempt billions of guesses per second, testing every word in a dictionary and every common password combination.
This is where rainbow table attacks come in. A rainbow table is a precomputed database mapping common passwords to their hashes. An attacker can look up a hash and instantly identify the password it corresponds to — no computation needed at lookup time.
Salting and Why It Matters
A salt is a random value added to a password before hashing. Even if two users have the same password, their salted hashes will be different. This defeats rainbow tables entirely — the attacker cannot precompute a table that accounts for every possible salt.
Salts must be random and unique per user, and they are stored alongside the hash in the database. They do not need to be secret — their purpose is to make each hash unique, not to add secrecy.
Use bcrypt, Argon2, or scrypt for Passwords
Password hashing algorithms are specifically designed to be slow and expensive. bcrypt, Argon2 (the winner of the Password Hashing Competition), and scrypt all include a configurable work factor that makes each hash computation take a set amount of time — typically 100–300 milliseconds. This makes brute-force attacks economically infeasible even with powerful hardware.
The rule is simple: use SHA-256 or SHA-512 for checksums and digital signatures. Use bcrypt, Argon2, or scrypt for passwords. Never use MD5 or SHA-1 for either purpose.
How to Use the Hash Generator Tool
- Open the Hash Generator tool.
- Type or paste the text you want to hash into the input field.
- Select the algorithm — SHA-256 is the recommended default for general use.
- Click Generate. The hash appears in the output field.
- Copy the hash and use it for your checksum, comparison, or verification purpose.
Hello and hello produce completely different hashes. When verifying a file checksum, ensure you are comparing the exact same text with no extra spaces or line breaks.
Summary
Cryptographic hash functions produce a fixed-length fingerprint of any input. SHA-256 is the current standard for general-purpose hashing — file integrity checks, digital signatures, and data deduplication. SHA-512 offers a larger output for higher-security environments. MD5 and SHA-1 are cryptographically broken and should not be trusted for security purposes. For passwords specifically, use bcrypt or Argon2, which are intentionally slow and include built-in salting. Understanding these distinctions is the difference between implementing security correctly and creating a false sense of protection.