Hash Generator — MD5, SHA-1, SHA-256, SHA-512

Hash functions process input data through a series of complex mathematical transformations to produce a fixed-length digest. For SHA-256, any input — whether a single character or a gigabyte file — produces a 256-bit (32-byte) output, represented as 64 hexadecimal characters. The function is deterministic: the same input always produces the same hash. It is designed to be a one-way function: given the hash, it is computationally infeasible to reconstruct the original input. It also exhibits the avalanche effect: a single bit change in the input completely changes the hash output. These properties make hash functions useful for integrity verification, where you compare a computed hash against an expected hash to confirm data has not changed in transit or storage.

MD5 produces a 128-bit (32-character hex) digest and was widely used for checksums and password hashing in the 1990s and 2000s. However, MD5 is cryptographically broken: researchers have demonstrated practical collision attacks, meaning two different inputs can produce the same MD5 hash. SHA-1 produces a 160-bit (40-character hex) digest and was used in SSL certificates, Git commits, and code signing. SHA-1 was officially deprecated after Google's SHAttered attack in 2017 demonstrated a practical collision. Neither MD5 nor SHA-1 should be used for any new security-critical application such as digital signatures, certificate fingerprints, or password hashing. They remain acceptable for non-security uses such as file deduplication, caching keys, and non-cryptographic checksums where collision resistance is not required.

SHA-256 (part of the SHA-2 family) produces a 256-bit (64-character hex) digest and is the current industry standard for general cryptographic hashing. It is used in TLS certificates, code signing, blockchain (Bitcoin uses double SHA-256), HMAC authentication, and software distribution checksums. SHA-512 produces a 512-bit (128-character hex) digest and is slightly slower but provides a larger security margin. Both are considered secure against all known attacks. SHA-3 (Keccak) is a newer standard with a different internal design (sponge construction) that provides an alternative to SHA-2 for applications requiring algorithm diversity. For most web development use cases, SHA-256 provides the right balance of security, speed, and compatibility with existing systems and libraries.

When distributing software or large files, publishers compute a hash of the file and publish it alongside the download link. After downloading, users recompute the hash and compare it to the published value. If they match, the file arrived intact and unmodified. This process detects file corruption during transmission and tampering by a malicious server or intermediary. Common examples include Linux distribution ISO files published with SHA-256 checksums, npm package integrity hashes stored in package-lock.json, and Git's use of SHA-1 (transitioning to SHA-256) to identify every commit, tree, and blob in the repository. When verifying a downloaded file, always obtain the expected hash from the official source over a separate trusted channel — if both the file and the hash come from the same compromised server, verification provides no meaningful security guarantee.

A critical misconception is that SHA-256 is suitable for password storage. It is not. The problem is speed: SHA-256 can compute billions of hashes per second on commodity hardware with a GPU. An attacker with a database of SHA-256 password hashes can attempt billions of password guesses per second. For password storage, use purpose-built password hashing algorithms: bcrypt, scrypt, or Argon2. These algorithms are intentionally slow and memory-intensive, making brute-force attacks impractical. Argon2 (winner of the Password Hashing Competition) is the current best practice. bcrypt is widely supported and acceptable for existing systems. Always add a unique random salt to each password before hashing to prevent rainbow table attacks. Never use a plain cryptographic hash function such as MD5, SHA-1, or SHA-256 for storing passwords, even with a salt.