ToolSec

๐Ÿ” Crypto & Encoding

What Is a Hash Function?

ยท 6 min read ยท Updated June 27, 2026

Hashing underpins huge parts of computing โ€” from verifying downloads to storing passwords to powering blockchains. Yet "hash" gets used loosely. This guide explains what a hash function really is and the properties that make it so useful.

What is a hash function?

A hash function takes an input of any size โ€” a word, a file, a whole database โ€” and produces a fixed-size output called a hash or digest. Hash "Hello" with SHA-256 and you get a 64-character hex string; hash an entire movie and you get a string of exactly the same length. The output is a compact fingerprint of the input.

The properties that matter

A cryptographic hash function has several key properties:

  • Deterministic. The same input always produces the same output.
  • Fixed-size output. Any input maps to a digest of the same length.
  • Avalanche effect. A tiny change in the input โ€” even one bit โ€” produces a completely different output.
  • One-way (preimage resistance). Given a hash, you can't feasibly work backward to the input.
  • Collision resistant. It's infeasible to find two different inputs that produce the same hash.

Try the avalanche effect yourself: hash "hello" and "hellp" in our hash generator and notice the digests share nothing in common.

Hashing is not encryption

A common confusion: hashing is one-way and keyless, while encryption is reversible with a key. You hash data to verify it; you encrypt data to protect and later recover it. There's no "unhash" operation. We unpack this fully in encoding vs encryption vs hashing.

What hashes are used for

  • Integrity checks. Publishers list a file's hash so you can confirm your download wasn't corrupted or tampered with.
  • Deduplication and indexing. Hashes make fast keys and detect identical data without comparing it byte by byte.
  • Digital signatures. You sign the hash of a document rather than the whole thing.
  • Message authentication. Combined with a key, hashing becomes HMAC.
  • Password storage โ€” but with an important twist (below).

The password exception

For storing passwords you need a slow hash, not a fast one. General-purpose hashes like SHA-256 are deliberately fast, which helps attackers brute-force a leaked database. Password hashing uses purpose-built, salted, slow algorithms like bcrypt, scrypt or Argon2. See bcrypt vs SHA-256 for why this matters.

Which hash should you use?

For security, use SHA-256 or SHA-512. Avoid MD5 and SHA-1 for anything adversarial โ€” they're broken for collision resistance, though still fine for non-security checksums. Our MD5 vs SHA-1 vs SHA-256 guide compares them in detail.

Try it

Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 of any text with our hash generator, and for keyed authentication explore the HMAC generator.

Frequently asked questions

What is a hash function in simple terms?

A function that turns any input into a fixed-size fingerprint (the hash). The same input always gives the same hash, a tiny change gives a completely different one, and you can't reverse it back to the input.

Is hashing the same as encryption?

No. Hashing is one-way and keyless โ€” you can't recover the input. Encryption is reversible with a key. You hash to verify data and encrypt to protect and later recover it.

Can two different inputs have the same hash?

In theory yes (a collision), but for a strong hash like SHA-256 it's computationally infeasible to find one. Weak hashes like MD5 and SHA-1 have known collision attacks, which is why they're avoided for security.

Try the related tools

Related guides