April 8, 2026 2 min readUpdated Apr 9, 2026

SHA-256 vs MD5 vs SHA-1: Which Hash Function to Use

hashingsecuritycryptographysha256md5

What Is a Cryptographic Hash Function?

A hash function takes an input of any length and produces a fixed-length output (the digest). Good hash functions are deterministic, fast to compute, pre-image resistant, and collision resistant.

MD5 — Fast but Broken

MD5 produces a 128-bit (32 hex character) hash.

echo -n 'hello' | md5sum
# 5d41402abc4b2a76b9719d911017c592

Status: Cryptographically broken. Collision attacks against MD5 are practical — attackers can generate two different files with the same MD5 hash in seconds. MD5 was fully broken by 2004.

Still acceptable for: Non-security checksums where you control both ends.

Never use for: Password hashing, digital signatures, or any security-sensitive context.

SHA-1 — Deprecated

SHA-1 produces a 160-bit (40 hex character) hash.

echo -n 'hello' | sha1sum
# aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

Status: Deprecated. A practical collision attack was demonstrated in 2017 (SHAttered). Major browsers retired SHA-1 for TLS in 2017.

Never use for: New TLS certificates, code signing, password hashing.

SHA-256 — The Current Standard

SHA-256 produces a 256-bit (64 hex character) hash.

echo -n 'hello' | sha256sum
# 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Status: Secure. The current standard for TLS signatures, HMAC, JWTs, and blockchain.

Password Hashing — Use Neither

None of these are appropriate for passwords. MD5, SHA-1, and SHA-256 are all fast — which is exactly what you do not want for passwords. Use a dedicated slow hashing algorithm:

bcrypt — widely supported, good default
Argon2id — OWASP recommended
scrypt — memory-hard

const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12); // cost factor 12
const match = await bcrypt.compare(input, hash);

Quick Comparison

Algorithm	Output Size	Security	Use Case
MD5	128 bits	Broken	Non-security checksums only
SHA-1	160 bits	Deprecated	Legacy systems only
SHA-256	256 bits	Secure	General purpose hashing
bcrypt / Argon2	Variable	Secure	Password hashing

Try It Instantly

The free Hash Generator on konvertio.app lets you generate MD5, SHA-1, SHA-256, and SHA-512 hashes instantly — right in your browser.