MD5 vs SHA-1 vs SHA-256: Which Hash Should You Use?
By Justin Le · 6 min read · Updated June 27, 2026

MD5, SHA-1 and SHA-256 are the hash functions you'll meet most often, and there's a lot of confusion about which are "safe." The honest answer is "it depends what you're using them for." Let's clear it up.
What these hashes have in common
All three are cryptographic hash functions: they take any input and produce a fixed-length digest. The same input always gives the same output, a tiny change gives a completely different output, and you can't reverse the digest back to the input. They differ in output size, speed and, crucially, whether they still resist attacks.
- MD5: 128-bit output, very fast, cryptographically broken.
- SHA-1: 160-bit output, fast, also broken.
- SHA-256: 256-bit output, part of the SHA-2 family, currently secure.
What "broken" actually means
When we say MD5 and SHA-1 are broken, we mean they've lost collision resistance. A collision is two different inputs that produce the same hash. For a strong hash, finding one should be computationally infeasible, but researchers have demonstrated practical collisions for MD5 (since 2004) and SHA-1 (the "SHAttered" attack in 2017). That matters enormously for digital signatures and certificates, where an attacker who can craft a collision could forge a trusted document.
Importantly, "broken for collisions" does not mean these hashes can be reversed. You still can't take an MD5 digest and recover the input. That's why MD5 lingers in non-adversarial uses.
When is MD5 still OK?
For non-security checksums (detecting accidental file corruption, a quick cache key, deduplicating data), MD5 is fast and fine, because there's no attacker deliberately crafting collisions. What you must never do is use MD5 (or SHA-1) for anything an adversary could exploit: digital signatures, certificate fingerprints, or verifying that a download wasn't maliciously altered.
Which should you use?
For anything security-related, use SHA-256 (or SHA-512). It's the modern standard for integrity verification, digital signatures and HMAC. SHA-512 is faster on 64-bit hardware for large inputs and gives a longer digest; SHA-256 is the common default. The SHA-3 family exists too, as a structurally different backup, but SHA-2 remains perfectly strong.
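The two rules above (MD5 is fine for non-adversarial checksums; anything an attacker can touch gets SHA-2 and a careful comparison) put into code, as an added example that is not from the article. The function names and the sample bytes are constructed for illustration.

```python
"""Added example (not from the article): the page's rule of thumb as code.
checksum_matches() is for non-adversarial corruption checks, where MD5 is fine;
verify_integrity() is for anything an attacker could tamper with, so it refuses
MD5/SHA-1 and compares digests in constant time."""
import hashlib
import hmac

# SHA-2 only. MD5 and SHA-1 are collision-broken: fine for bit-rot checks,
# never for signatures, certificate fingerprints or download verification.
ACCEPTABLE_FOR_SECURITY = frozenset({"sha256", "sha384", "sha512"})


def digest(data: bytes, algo: str) -> str:
    """Lower-case hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def is_acceptable_for_security(algo: str) -> bool:
    return algo.lower() in ACCEPTABLE_FOR_SECURITY


def checksum_matches(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Detect accidental corruption (cache key, dedup, disk bit-rot).
    Plain equality is fine: there is no adversary to leak timing to, and a
    mismatch only means the bytes changed, not that someone changed them."""
    return digest(data, algo) == expected_hex.lower()


def verify_integrity(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Adversarial integrity check for downloads and published artefacts.
    Refuses collision-broken algorithms and uses a constant-time comparison
    so the check itself does not leak how much of the digest matched."""
    if not is_acceptable_for_security(algo):
        raise ValueError(f"{algo!r} must not be used where an attacker controls the input")
    return hmac.compare_digest(digest(data, algo.lower()), expected_hex.lower())


def differing_bits(a: bytes, b: bytes, algo: str = "sha256") -> int:
    """Digest bits that differ between two inputs (the avalanche effect)."""
    x = int(digest(a, algo), 16) ^ int(digest(b, algo), 16)
    return bin(x).count("1")


if __name__ == "__main__":
    sample = b"release-1.2.3.tar.gz (constructed sample bytes)"
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:>6}: {digest(sample, algo)}")
    # Changing one byte flips roughly half of SHA-256's 256 output bits.
    print("bits changed:", differing_bits(sample, sample[:-1] + b"!"))
```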
The password exception
One critical caveat: none of these are right for storing passwords, including SHA-256. They're all designed to be fast, which helps attackers brute-force a leaked database. Passwords need a deliberately slow, salted algorithm like bcrypt, scrypt or Argon2. We cover this in bcrypt vs SHA-256 for passwords.
Try it
Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 of any text side by side with our hash generator; change one character and watch every digest change completely. For keyed authentication, see the HMAC generator.
Frequently asked questions
Is MD5 secure?
Not for security uses. MD5 is cryptographically broken for collision resistance, so it must not be used for signatures or certificates. It's still acceptable for non-adversarial checksums like detecting accidental file corruption.
Which hash should I use for security?
SHA-256 (or SHA-512). Both are part of the secure SHA-2 family and are the modern standard for integrity, signatures and HMAC. Avoid MD5 and SHA-1 for anything security-related.
Can SHA-256 be reversed?
No. Like all cryptographic hashes it's one-way. So-called reversers are just lookup tables of previously computed hashes for common inputs; they don't actually invert the function.
Try the related tools
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512) Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.
- HMAC Generator (SHA-1, SHA-256, SHA-512) Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
- Bcrypt Hash Generator & Checker Hash a password with bcrypt at an adjustable cost factor, or verify a password against a hash.
Related guides
- Bcrypt vs SHA-256: Why You Don't Hash Passwords with SHA. SHA-256 is fast, which is exactly why it's the wrong way to store passwords. Here's why bcrypt (or Argon2) wins, and how salting and cost factors work.
- HMAC Explained: How Webhook Signatures Work. How HMAC proves a message came from who you think it did: the mechanism behind Stripe and GitHub webhook signatures, and how to verify them safely.
- What Is a JWT and How Does It Work? How JSON Web Tokens really work: the header, payload and signature, what signing proves, and the security mistakes that bite teams.