Understanding Hash Algorithms
A hash algorithm converts input data of any size into a fixed-length string of characters, called a hash digest. This process is deterministic (same input always produces the same output), one-way (you cannot reverse a hash to get the original data), and fast. Choosing the right hash algorithm depends on your specific use case, security requirements, and performance constraints.
The most critical factors when selecting a hash algorithm are output size, collision resistance, speed, and known vulnerabilities. This guide compares the most common algorithms and explains when each is appropriate.
Hash Algorithm Comparison Table
| Algorithm | Output Bits | Hex Chars | Speed | Collision Attacks | Recommended Use |
|---|---|---|---|---|---|
| MD5 | 128 | 32 | Fast | Broken (Wang et al 2004) | Legacy checksums only |
| SHA-1 | 160 | 40 | Fast | Broken (SHAttered 2017) | Avoid for signatures |
| SHA-256 | 256 | 64 | Good | Secure (no known attacks) | TLS/certificates/HMAC/signatures |
| SHA-512 | 512 | 128 | Faster on 64-bit | Secure (no known attacks) | Large file integrity, longer keys |
| SHA-3/Keccak-256 | 256 | 64 | Moderate | Secure (no known attacks) | Alternative when SHA-2 unavailable |
| RIPEMD-160 | 160 | 40 | Moderate | No known collisions | Bitcoin addresses |
MD5: Legacy Only
MD5 produces a 128-bit (32 hexadecimal character) hash. While fast, MD5 is cryptographically broken. In 2004, Wang et al. published a practical collision attack, proving that two different inputs could produce the same hash. Never use MD5 for security-sensitive applications like digital signatures or password hashing. Its only legitimate use today is for legacy systems that cannot be upgraded, or for non-security checksums where collision risk is acceptable.
SHA-1: Deprecated
SHA-1 produces a 160-bit (40 character) hash and was the standard for many years. However, the 2017 SHAttered attack demonstrated practical collision generation. Most modern browsers and systems have stopped accepting SHA-1 certificates. Do not use SHA-1 for new digital signatures, TLS certificates, or any security-critical application. It remains in use in Git for historical reasons, but this is transitioning toward SHA-256.
SHA-256: The Modern Standard
SHA-256 produces a 256-bit (64 character) hash and is the most widely recommended general-purpose cryptographic hash function. It powers TLS/SSL certificates, blockchain systems (Bitcoin uses double SHA-256), HMAC authentication, and digital signatures. SHA-256 has no known practical attacks and is expected to remain secure for decades. When in doubt, use SHA-256.
SHA-512: Extended Security
SHA-512 produces a 512-bit (128 character) hash. Interestingly, SHA-512 is often faster than SHA-256 on 64-bit processors because it operates on 64-bit words. Use SHA-512 when you need longer output length (for very large files, extremely high security margins, or when truncating to custom lengths). It is also slightly faster on modern systems, making it a good choice for performance-critical applications requiring top-tier collision resistance.
SHA-3: The Alternative
SHA-3 (also called Keccak) was selected by NIST in 2012 as the next-generation standard hash algorithm. It uses a different internal construction (sponge function) than SHA-2, providing additional theoretical security margins. SHA-3 is useful when you want to avoid relying exclusively on SHA-2, or when implementing systems that explicitly require diversity in cryptographic primitives. Performance is moderate-not as fast as SHA-256 on all platforms, but not prohibitively slower.
RIPEMD-160: Niche Use in Blockchain
RIPEMD-160 produces a 160-bit hash and is primarily known for its use in Bitcoin's address generation (SHA-256 followed by RIPEMD-160). It has no known collision attacks, but it is not as thoroughly analyzed as SHA-256. Use RIPEMD-160 only when your system explicitly requires it, such as Bitcoin wallet implementations.
Output Size and Birthday Attacks
Output length directly affects collision resistance. Birthday attacks become practical when the attacker can generate 2^(n/2) variants, where n is the bit length. For MD5 (128 bits), this is roughly 2^64 hashes-computationally feasible today. For SHA-256 (256 bits), this is 2^128 hashes-far beyond current capability. Longer output lengths provide exponentially stronger collision resistance.
When to Use Each Algorithm
File Integrity Verification
Use SHA-256 for verifying that downloaded files have not been corrupted or tampered with. Compute the hash of the downloaded file and compare it to the published hash. SHA-256 provides strong assurance that the file is authentic.
API Request Signatures
Use SHA-256 or SHA-512 with HMAC (see below) to sign API requests. This proves the request came from you and was not modified in transit. Never sign requests with a raw hash-always use HMAC or a proper digital signature algorithm.
Digital Certificates and TLS
Modern TLS certificates are signed with SHA-256. Older systems still use SHA-1, but all major browsers now reject SHA-1 certificates. When obtaining a certificate, ensure it is signed with SHA-256 or better.
Blockchain and Cryptocurrency
Bitcoin uses double SHA-256 (SHA-256 applied twice) to hash blocks and transactions. Ethereum uses Keccak-256 (SHA-3). These choices are protocol-specific and must be respected in implementations.
The Speed Paradox in Password Hashing
Never use raw SHA-256 for password hashing. While SHA-256 is fast for file integrity, this is precisely the problem with passwords. Fast hashing allows attackers to try billions of password guesses per second. Instead, use password-specific algorithms: bcrypt, scrypt, or Argon2. These are intentionally slow and memory-intensive, making brute-force attacks prohibitively expensive.
Pro Tip: If you are hashing passwords, do not use any general-purpose hash algorithm directly. Use bcrypt, Argon2, or scrypt. These algorithms include salt automatically and are designed to resist attacks.
HMAC: Using Hash Functions for Authentication
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. HMAC-SHA256 or HMAC-SHA512 proves that a message was created by someone who knows the secret key and has not been modified. HMAC is appropriate for API authentication, request signing, and message authentication.
The formula is: HMAC = hash(key XOR outer_pad, hash(key XOR inner_pad, message)). You do not need to implement this-most programming languages provide HMAC libraries. Always use a cryptographically strong random key, and transmit HMAC signatures over secure channels (HTTPS).
Practical Guidance
- For new projects: Use SHA-256. It is secure, fast, and ubiquitous.
- For passwords: Use bcrypt, Argon2, or scrypt-never raw SHA.
- For API signatures: Use HMAC-SHA256.
- For certificates and TLS: Ensure SHA-256 is used by your certificate authority.
- For blockchain:
- Comply with the protocol's hash requirement (Bitcoin: SHA-256, Ethereum: Keccak-256).
- For legacy systems: MD5 and SHA-1 may still be in use but should be migrated away from.
Related Tools
Try the Hash Generator tool to compute SHA-256, SHA-512, and other hashes of your own data. For JWT tokens, use the JWT Decoder to inspect their structure and validate signatures.
Further Reading
Learn more about cryptographic security in the Hashing Guide and Web Security Guide.