MD5 and SHA-256 are both cryptographic hash functions that take an input and produce a fixed-size output, but they differ dramatically in security, speed, and suitability for modern applications. MD5 was once the go-to hash for everything from file verification to password storage, but known vulnerabilities have relegated it to non-security contexts. SHA-256 remains the gold standard for cryptographic hashing, underpinning Bitcoin, TLS certificates, and digital signatures. This guide covers exactly when to use each one.
What Is a Hash Function?
A hash function maps arbitrary-length input data to a fixed-length output (the "digest" or "hash"). Good cryptographic hash functions have three key properties:
- Preimage resistance: Given a hash, it should be infeasible to find the original input.
- Second preimage resistance: Given an input, it should be infeasible to find a different input with the same hash.
- Collision resistance: It should be infeasible to find any two different inputs that produce the same hash.
MD5 fails collision resistance (and arguably second preimage resistance), while SHA-256 remains strong on all three properties.
MD5 vs SHA-256: Comparison Table
| Feature | MD5 | SHA-256 |
|---|---|---|
| Published | 1992 (RFC 1321) | 2001 (NIST FIPS 180-4) |
| Designer | Ronald Rivest | NSA |
| Output size | 128 bits (32 hex chars) | 256 bits (64 hex chars) |
| Block size | 512 bits | 512 bits |
| Rounds | 64 (4 groups of 16) | 64 |
| Speed | ~600 MB/s (software) | ~250 MB/s (software) |
| Collision resistance | Broken (2004) | Secure |
| Preimage resistance | Weakened | Secure |
| Suitable for security | No | Yes |
Output Examples
Hashing the same input with both algorithms produces very different results. The most visible difference is the output length:
Input: "hello world"
MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3
(32 hex characters = 128 bits)
SHA-256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
(64 hex characters = 256 bits)
The longer SHA-256 output means a vastly larger output space: 2^256 possible values versus 2^128 for MD5. This makes brute-force collision search exponentially harder. Even with the birthday paradox, finding a SHA-256 collision requires approximately 2^128 operations, while MD5 collisions can be found in seconds.
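The birthday bound mentioned above can be observed directly on a digest short enough to search. This added example (not part of the original guide) truncates SHA-256 to n bits and counts how many constructed messages are hashed before two collide; the function names and message format are assumptions of the example.

```python
import hashlib
from itertools import count

def truncated_sha256(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-256(data) as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a digest.

    Returns (msg_a, msg_b, attempts). Messages are constructed counters.
    """
    seen = {}
    for i in count():
        msg = b"constructed-message-%d" % i
        digest = truncated_sha256(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg

def birthday_table(sizes=(16, 20, 24)):
    """For each digest size, pair the attempts used with the 2^(n/2) estimate."""
    rows = []
    for bits in sizes:
        _, _, attempts = find_collision(bits)
        rows.append((bits, attempts, 2 ** (bits // 2)))
    return rows

if __name__ == "__main__":
    for bits, attempts, estimate in birthday_table():
        print(f"{bits:>3}-bit digest: collision after {attempts} hashes "
              f"(2^{bits // 2} = {estimate})")
    # The same scaling gives 2^64 for a 128-bit digest and 2^128 for SHA-256.
    # MD5 falls far below its 2^64 bound because of structural weaknesses,
    # not because of its length alone.
```

Each extra bit of digest length multiplies the search by about 1.41, which is why the full 256-bit output is out of reach for this kind of search.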
Security: Why MD5 Is Broken
MD5's collision resistance was first theoretically questioned in 1996 by Hans Dobbertin, then definitively broken in 2004 by Xiaoyun Wang and Hongbo Yu. Here is a timeline of MD5's security degradation:
- 1996: Dobbertin finds collisions in MD5's compression function (not the full hash, but a serious warning).
- 2004: Wang and Yu demonstrate practical collision attacks. Two different messages can produce the same MD5 hash.
- 2008: Researchers create a rogue SSL certificate using MD5 collisions, proving real-world exploitability.
- 2012: The Flame malware used an MD5 collision to forge a Microsoft digital signature, enabling it to spread via Windows Update.
- Today: MD5 collisions can be generated in under a second on a standard laptop. Tools like HashClash make this trivial.
SHA-256, by contrast, has no known practical attacks against any of its security properties. The best known attack against SHA-256 is a theoretical preimage attack reduced to 2^254.9 operations (versus the ideal 2^256), which remains computationally infeasible.
Speed Comparison
MD5 is roughly 2-3 times faster than SHA-256 in software implementations. This speed advantage is one reason MD5 remains popular for non-security tasks:
| Scenario | MD5 | SHA-256 |
|---|---|---|
| Small text (<1 KB) | ~0.001 ms | ~0.002 ms |
| 1 MB file | ~1.5 ms | ~4 ms |
| 1 GB file | ~1.5 s | ~4 s |
| Throughput (x86_64) | ~600 MB/s | ~250 MB/s |
Note that modern CPUs with SHA-NI (SHA Extensions) hardware acceleration can compute SHA-256 at speeds approaching or exceeding MD5 software speeds, narrowing this gap significantly. On ARM processors with crypto extensions (common in Apple Silicon and modern servers), SHA-256 is also hardware-accelerated.
When to Use Each Algorithm
Use MD5 For
- Non-cryptographic checksums: Verifying file integrity during transfers where tampering is not a concern (e.g., checking if a download completed correctly).
- Cache keys and deduplication: Generating quick hash keys for content-addressable storage or cache busting.
- Legacy system compatibility: When interfacing with older systems that require MD5 checksums.
- ETags and content hashing: HTTP ETags and similar identifiers where collision risk is acceptable.
Use SHA-256 For
- Digital signatures and certificates: TLS/SSL certificates, code signing, and document signatures all rely on SHA-256.
- Blockchain and cryptocurrency: Bitcoin mining, Merkle trees, and transaction hashing use SHA-256.
- File integrity in adversarial contexts: When you need to verify that a file has not been tampered with by a malicious actor.
- HMAC and key derivation: SHA-256 is used in HMAC-SHA256 for API authentication and in HKDF for deriving encryption keys.
- Git commit hashes: Git is migrating from SHA-1 to SHA-256 for object hashing.
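The split between the two lists above can be enforced in code. This added example (not from the original guide) streams a file through either algorithm, refuses MD5 when tampering is in scope, and signs an API request with HMAC-SHA256; the policy set, function names and the canonical request layout are assumptions of the example.

```python
import hashlib
import hmac

# Assumed policy for this example: digests allowed when tampering is in scope.
TAMPER_RESISTANT = {"sha256", "sha384", "sha512"}

def file_digest(path: str, algo: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large downloads never sit fully in memory."""
    if algo == "md5":
        # Flag the call as a plain checksum (Python 3.9+).
        h = hashlib.md5(usedforsecurity=False)
    else:
        h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_file(path: str, expected_hex: str, algo: str = "sha256",
                adversarial: bool = True) -> bool:
    """Compare a file against a published digest.

    The expected digest must come from a channel the attacker cannot modify.
    """
    if adversarial and algo not in TAMPER_RESISTANT:
        raise ValueError(f"{algo} must not be used to detect tampering")
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def sign_request(key: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over METHOD, PATH and BODY joined by newlines (constructed layout)."""
    message = method.upper().encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_request(key: bytes, method: str, path: str, body: bytes,
                   signature_hex: str) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = sign_request(key, method, path, body)
    return hmac.compare_digest(expected, signature_hex.strip().lower())
```

A bare SHA-256 digest only detects tampering if the reference value is obtained separately from the file; the HMAC variant adds a shared key so the tag itself cannot be recomputed by someone who alters the message.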
Neither Is Ideal for Password Hashing
A common misconception is that SHA-256 should replace MD5 for password storage. In reality, neither MD5 nor SHA-256 is appropriate for hashing passwords. Both are designed to be fast, which is the opposite of what you want when an attacker is trying to brute-force password hashes.
Instead, use purpose-built password hashing functions:
- bcrypt: Adaptive cost factor, widely supported, battle-tested since 1999.
- scrypt: Memory-hard, resistant to GPU and ASIC attacks.
- Argon2: Winner of the Password Hashing Competition (2015), configurable memory, time, and parallelism costs.
What About Keccak256?
If you work with Ethereum, you may wonder where Keccak256 fits in. Keccak256 is a variant of SHA-3 (the same family that won the NIST hash function competition). It is different from both MD5 and SHA-256. Ethereum chose Keccak256 over SHA-256 because it uses a fundamentally different construction (sponge construction vs Merkle-Damgård), providing diversity in cryptographic assumptions.
For general-purpose secure hashing, SHA-256 remains the standard choice.
Frequently Asked Questions
Is MD5 still safe to use?
MD5 is not safe for any security-critical purpose. It has known collision vulnerabilities since 2004, and practical collision attacks can be performed in seconds on modern hardware. However, MD5 is still acceptable for non-security uses like checksums for data integrity verification (when not under adversarial conditions), cache keys, and deduplication.
Why is SHA-256 slower than MD5?
SHA-256 is slower because each of its 64 compression rounds does more work than MD5's 64 simpler rounds, its operations on 32-bit words are more complex, and it produces a 256-bit output (vs 128-bit). This additional computation is what makes SHA-256 far more resistant to collision and preimage attacks.
Can you reverse an MD5 or SHA-256 hash?
Hash functions are one-way by design and cannot be mathematically reversed. However, MD5 hashes of common strings can be found using rainbow tables or brute-force lookups. SHA-256 is much harder to attack this way due to its larger output space (2^256 possible values). Neither can be truly "reversed," but MD5 is far more vulnerable to practical lookup attacks.
Which hash does Bitcoin use?
Bitcoin uses SHA-256 (specifically double-SHA-256, or SHA-256d) for its proof-of-work mining algorithm. The block header is hashed twice with SHA-256, and miners compete to find a nonce that produces a hash below the target difficulty. SHA-256 was chosen for its security properties and resistance to length-extension attacks.
Should I use SHA-256 for password hashing?
No. While SHA-256 is cryptographically secure, it is too fast for password hashing. Attackers can test billions of SHA-256 hashes per second using GPUs. Instead, use purpose-built password hashing algorithms like bcrypt, scrypt, or Argon2, which are deliberately slow and memory-hard to resist brute-force attacks.