
2026-07-01
MD5 vs SHA-256: Which Hash Function Should You Use in 2026?
Use SHA-256 for anything security-related; MD5 only for non-security checksums. Here's why MD5 broke, what collisions mean, and a decision table you can trust.
The one-line answer: use SHA-256 for anything involving security, and MD5 only for non-security checksums in legacy contexts. MD5 has been cryptographically broken for two decades. But "broken" has a precise meaning worth understanding, because MD5 still appears everywhere and is not always wrong to use.
What a hash function does
A hash function turns any input — a password, a file, a 4 GB video — into a fixed-size fingerprint. The same input always gives the same hash; a one-character change produces a completely different one. Crucially, the function is one-way: computing a hash is instant, but finding an input that produces a given hash should be infeasible.
| | MD5 | SHA-1 | SHA-256 | SHA-512 |
|---|---|---|---|---|
| Output size | 128-bit (32 hex) | 160-bit (40 hex) | 256-bit (64 hex) | 512-bit (128 hex) |
| Year | 1992 | 1995 | 2001 | 2001 |
| Collisions found? | Yes — in seconds | Yes — 2017 | No | No |
| Security verdict | Broken | Deprecated | ✅ Standard | ✅ Standard |
What "broken" actually means
MD5's fatal flaw is collisions: two different inputs producing the same hash. Researchers demonstrated MD5 collisions in 2004; today they can be generated in seconds on a laptop. Why that matters: an attacker can craft a malicious file with the same MD5 as a legitimate one — same fingerprint, different contents. The Flame malware (2012) used exactly this to forge Microsoft code signatures.
SHA-1 followed in 2017, when Google's "SHAttered" attack produced two different PDFs with identical SHA-1 hashes. Browsers and certificate authorities dropped it immediately. SHA-1 survives mainly inside git, where it identifies commits — a context where crafted collisions are impractical to exploit.
Where MD5 is still fine
Collisions require an attacker crafting inputs. When no adversary is involved, MD5 still works:
- Accidental-corruption checksums — verifying a download completed correctly
- Cache keys and deduplication — detecting identical files quickly
- Legacy system compatibility — matching what an old system already stores
For these, MD5's speed is a feature. Generate one with our MD5 Generator.
Where you must use SHA-256 (or better)
- File integrity against tampering — release checksums, forensics
- Digital signatures and certificates — the entire TLS ecosystem runs on SHA-256
- API signatures — use HMAC-SHA256, which adds a secret key
- Anything an attacker might target
Compute one instantly with our SHA-256 Generator — or SHA-512, which is equally secure and often faster on 64-bit CPUs.
The special case: passwords
Neither MD5 nor plain SHA-256 is right for storing passwords — both are too fast, letting attackers test billions of guesses per second. Password storage needs deliberately slow, salted algorithms: bcrypt, scrypt or Argon2. If you are checking whether a password has already leaked, use our Password Leak Checker instead.
Frequently asked questions
Can SHA-256 be reversed or cracked? No practical attack exists. Brute-forcing a 256-bit space would outlast the universe. Weak inputs (short passwords) can still be guessed — that is dictionary attacking, not breaking the hash.
Is SHA-512 more secure than SHA-256? Both are unbroken. SHA-512 has a larger security margin and is often faster on 64-bit hardware; SHA-256 has broader ecosystem support. Either is a sound choice.
Why does git still use SHA-1? History and inertia — plus git's threat model makes collision attacks impractical. Git has been migrating toward SHA-256 object formats since 2020.
What about SHA-3? A different internal design (Keccak, standardised 2015) held in reserve. SHA-2 remains unbroken, so SHA-3 adoption stays niche.