๐ Crypto & Encoding
What Is a Hash Function?
By Justin Le
ยท 6 min read ยท Updated June 27, 2026 Hashing underpins huge parts of computing โ from verifying downloads to storing passwords to powering blockchains. Yet "hash" gets used loosely. This guide explains what a hash function really is and the properties that make it so useful.
What is a hash function?
A hash function takes an input of any size โ a word, a file, a whole database โ and produces a fixed-size output called a hash or digest. Hash "Hello" with SHA-256 and you get a 64-character hex string; hash an entire movie and you get a string of exactly the same length. The output is a compact fingerprint of the input.
The properties that matter
A cryptographic hash function has several key properties:
- Deterministic. The same input always produces the same output.
- Fixed-size output. Any input maps to a digest of the same length.
- Avalanche effect. A tiny change in the input โ even one bit โ produces a completely different output.
- One-way (preimage resistance). Given a hash, you can't feasibly work backward to the input.
- Collision resistant. It's infeasible to find two different inputs that produce the same hash.
Try the avalanche effect yourself: hash "hello" and "hellp" in our hash generator and notice the digests share nothing in common.
Hashing is not encryption
A common confusion: hashing is one-way and keyless, while encryption is reversible with a key. You hash data to verify it; you encrypt data to protect and later recover it. There's no "unhash" operation. We unpack this fully in encoding vs encryption vs hashing.
What hashes are used for
- Integrity checks. Publishers list a file's hash so you can confirm your download wasn't corrupted or tampered with.
- Deduplication and indexing. Hashes make fast keys and detect identical data without comparing it byte by byte.
- Digital signatures. You sign the hash of a document rather than the whole thing.
- Message authentication. Combined with a key, hashing becomes HMAC.
- Password storage โ but with an important twist (below).
The password exception
For storing passwords you need a slow hash, not a fast one. General-purpose hashes like SHA-256 are deliberately fast, which helps attackers brute-force a leaked database. Password hashing uses purpose-built, salted, slow algorithms like bcrypt, scrypt or Argon2. See bcrypt vs SHA-256 for why this matters.
Which hash should you use?
For security, use SHA-256 or SHA-512. Avoid MD5 and SHA-1 for anything adversarial โ they're broken for collision resistance, though still fine for non-security checksums. Our MD5 vs SHA-1 vs SHA-256 guide compares them in detail.
Try it
Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 of any text with our hash generator, and for keyed authentication explore the HMAC generator.
Frequently asked questions
What is a hash function in simple terms?
A function that turns any input into a fixed-size fingerprint (the hash). The same input always gives the same hash, a tiny change gives a completely different one, and you can't reverse it back to the input.
Is hashing the same as encryption?
No. Hashing is one-way and keyless โ you can't recover the input. Encryption is reversible with a key. You hash to verify data and encrypt to protect and later recover it.
Can two different inputs have the same hash?
In theory yes (a collision), but for a strong hash like SHA-256 it's computationally infeasible to find one. Weak hashes like MD5 and SHA-1 have known collision attacks, which is why they're avoided for security.
Try the related tools
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512) Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.
- HMAC Generator (SHA-1, SHA-256, SHA-512) Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
- Bcrypt Hash Generator & Checker Hash a password with bcrypt at an adjustable cost factor, or verify a password against a hash.
Related guides
- MD5 vs SHA-1 vs SHA-256: Which Hash Should You Use? MD5 and SHA-1 are broken โ but not for the reason most people think. Here's what each hash is for, why collisions matter, and which to actually use.
- Encoding vs Encryption vs Hashing: What's the Difference? Three words that get mixed up constantly โ and confusing them causes real security bugs. Here's the clear distinction, with examples of each.
- What Is a JWT and How Does It Work? How JSON Web Tokens really work โ the header, payload and signature, what signing proves, and the security mistakes that bite teams.