
Hash Algorithms Explained — MD5, SHA-1, SHA-256 & Beyond

A plain-language guide to cryptographic hash functions. Learn what hashing is, how it works, and which algorithm to pick for passwords, file verification, or blockchain.

8 March 2026 4 min read By Tools.Town Team Fact Checked

Key Takeaways

  • A hash function takes any input (text, file, password) and produces a fixed-length string of characters called a digest.
  • A hash cannot be reversed: hashing is a one-way function by design.
  • MD5 produces a 128-bit (32 hex character) digest.
  • For file integrity checks, use SHA-256.

What is a Hash Function?

A cryptographic hash function transforms any piece of data — a word, a file, a full database — into a fixed-length string of characters called a digest or hash.

Think of it like a fingerprint machine: feed it a document, get a unique fingerprint back. Change a single full stop in the document, and the fingerprint changes completely.

Key property: Hashing is deterministic (same input always gives same output) and one-way (you cannot reconstruct the input from the digest).


The Four Core Properties of a Cryptographic Hash

Deterministic

Same input always produces the same digest, every time.

Pre-image Resistant

Cannot reconstruct the original input from the digest.

Avalanche Effect

Even a tiny input change produces a completely different digest.

Collision Resistant

Computationally infeasible to find two different inputs with the same digest.


The Major Hash Algorithms

MD5 (1992)

MD5 produces a 128-bit (32 hex character) digest. It was the internet’s default checksum algorithm for over a decade.

Status: ⚠️ Cryptographically broken

Researchers demonstrated practical collision attacks against MD5 in 2004. By 2008, forged SSL certificates were produced using MD5 collisions. It should never be used for security purposes today.

✅ Still acceptable for: non-security checksums, deduplication, legacy system compatibility.



SHA-1 (1995)

SHA-1 produces a 160-bit (40 hex character) digest. It replaced MD5 as the web’s default for SSL certificates and was adopted for Git commit IDs.

Status: ⚠️ Cryptographically broken

Google’s SHAttered attack (2017) produced the first SHA-1 collision — two different PDF files with the same SHA-1 hash. Major browsers and CAs now reject SHA-1 certificates.

✅ Still used in: Git (being phased out), legacy systems. Git uses SHA-1 for object IDs where collision exploitability is low due to other protections.



SHA-256 (2001)

SHA-256 produces a 256-bit (64 hex character) digest and is part of the SHA-2 family.

Status: ✅ Secure — current standard

SHA-256 underpins TLS 1.3, Bitcoin’s proof-of-work, HTTPS certificates, and most modern security infrastructure. No practical attacks exist against it.



SHA-384 (2001)

SHA-384 produces a 384-bit (96 hex character) digest, also part of the SHA-2 family. It’s a truncated version of SHA-512 with different initial hash values.

Status: ✅ Secure

Used in TLS for cipher suites requiring stronger guarantees, and in some government / financial applications. Slightly slower than SHA-256 but offers a wider security margin.



SHA-512 (2001)

SHA-512 produces a 512-bit (128 hex character) digest — the widest of the SHA-2 family.

Status: ✅ Secure — strongest SHA-2

On 64-bit CPUs, SHA-512 can actually be faster than SHA-256 due to wider registers. Used in high-security contexts including DNSSEC, SSH key fingerprints, and digital signatures.



Quick Comparison Table

Algorithm | Output bits | Hex length | Broken? | Use today?
MD5 | 128 | 32 chars | ✅ Yes | ❌ Not for security
SHA-1 | 160 | 40 chars | ✅ Yes | ❌ Not for security
SHA-256 | 256 | 64 chars | ❌ No | ✅ Yes (standard)
SHA-384 | 384 | 96 chars | ❌ No | ✅ Yes (high security)
SHA-512 | 512 | 128 chars | ❌ No | ✅ Yes (high security)

Common Use Cases

File integrity verification. Download a file and compare its SHA-256 digest against the one published by the author. Any byte change — even a single bit flip — produces a completely different hash, making corruption and tampering immediately visible.
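
One way to script the check described above (an added example, not part of the original guide). The file name and contents are constructed, and the "published" digest is computed locally to stand in for the one the author would publish.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large downloads never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """Return True only if the file's SHA-256 digest equals the published one."""
    expected = published_hex.strip().lower()
    # Reject anything that is not exactly 64 hex characters, for example an
    # MD5 or SHA-1 digest pasted by mistake.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a 64-character SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), expected)


def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: check a fake release file intact, then after a 1-bit flip."""
    data = bytearray(b"constructed release artifact\n" * 4096)
    published = hashlib.sha256(data).hexdigest()  # stand-in for the author's digest
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "release.bin")
        write_file(path, data)
        intact = verify_download(path, published)
        data[1000] ^= 0x01  # flip a single bit
        write_file(path, data)
        tampered = verify_download(path, published)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the published digest arrived over: a digest fetched from the same compromised server as the file proves nothing about tampering.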

Password storage. Never store passwords as raw hashes such as plain SHA-256. Use an adaptive algorithm like Argon2id, bcrypt, or scrypt instead: they add a unique salt per password and apply thousands of iterations to make brute-force attacks slow regardless of hardware improvements.
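
The difference between a raw hash and a salted, adaptive one, as an added example that is not part of the original guide. It uses scrypt from Python's standard library; the cost parameters and the `$`-separated record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune them to your own hardware budget.
N, R, P = 2**14, 8, 1


def raw_sha256(password):
    """The pattern to avoid: fast, unsalted, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    """Derive a key with a fresh random salt; store parameters beside the result."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    # Hypothetical record layout: scheme$n$r$p$salt$key
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                         dklen=len(stored))
    return hmac.compare_digest(key, stored)


if __name__ == "__main__":
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print("raw SHA-256 equal for equal passwords:",
          raw_sha256("correct horse") == raw_sha256("correct horse"))
    print("scrypt records equal for equal passwords:", a == b)
    print("verifies:", verify_password("correct horse", a))
```

Because every record carries its own salt, two users with the same password get different records, so one precomputed table cannot be reused across accounts.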

Digital signatures. Hash the document first to get a fixed-size digest, then sign the digest with your private key. Recipients re-hash the document and verify the signature — this confirms both authenticity and integrity without needing to sign the full document.

Blockchain and proof of work. Bitcoin mining requires finding a nonce such that SHA-256(SHA-256(block + nonce)) starts with N leading zeros. The puzzle is computationally expensive to solve but trivially fast to verify — the asymmetry is what makes the system secure.
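
The solve/verify asymmetry in miniature (an added example, not part of the original guide and not Bitcoin's real header format). The block contents are constructed, the nonce is appended as 8 little-endian bytes, and difficulty is counted in leading hex zeros; all three are assumptions made for illustration.

```python
import hashlib


def double_sha256(data):
    """SHA-256(SHA-256(data)), the construction named in the text."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def verify(block, nonce, zeros):
    """One double hash decides whether a claimed nonce is valid."""
    digest = double_sha256(block + nonce.to_bytes(8, "little"))
    return digest.hex().startswith("0" * zeros)


def mine(block, zeros):
    """Try nonces from 0 upward; return (winning nonce, number of hashes tried)."""
    nonce = 0
    while not verify(block, nonce, zeros):
        nonce += 1
    return nonce, nonce + 1


# Constructed sample block, for illustration only.
BLOCK = b"constructed block: alice pays bob 5"

if __name__ == "__main__":
    # Each extra hex zero multiplies the expected search work by 16,
    # while verification always costs a single double hash.
    for zeros in (1, 2, 3, 4):
        nonce, tried = mine(BLOCK, zeros)
        print(f"{zeros} zeros: nonce={nonce}, hashes tried={tried}, "
              f"verified={verify(BLOCK, nonce, zeros)}")
```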

Data deduplication. Cloud storage providers hash every uploaded file. If two users upload the same file, the identical digest means only one copy is stored on disk — both accounts reference the same hash pointer, saving storage without exposing anyone’s data.


What Hashing Is NOT

Hashing is not encryption: you cannot decrypt a hash, whereas encryption uses keys and is reversible. It is not encoding: Base64 is reversible; hashing is not. It is not suitable for protecting secrets in transit: use TLS/HTTPS for transmission security.


Try It Yourself

echo -n "hello" | sha256sum

Use the Hash Generator to compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests instantly — right in your browser, with no data sent to any server.


Frequently Asked Questions

What is a hash function?
A hash function takes any input (text, file, password) and produces a fixed-length string of characters called a digest. The same input always produces the same digest, but changing even one character in the input produces a completely different digest.

Can a hash be reversed?
No. Hashing is a one-way function by design. You cannot mathematically 'unhash' a digest. Attackers use rainbow tables or brute force to guess the original input, which is why strong passwords and salting matter.

What is the difference between MD5, SHA-1, and SHA-256?
MD5 produces a 128-bit (32 hex character) digest. SHA-1 produces 160-bit (40 characters). SHA-256 produces 256-bit (64 characters). Larger output means more collision resistance. MD5 and SHA-1 are cryptographically broken for security use; SHA-256 or SHA-512 are recommended.

Which hash algorithm should I use?
For file integrity checks: SHA-256. For password storage: bcrypt, scrypt, or Argon2 (not raw SHA hashes). For digital signatures and blockchain: SHA-256 or SHA-512. Never use MD5 or SHA-1 for security-critical purposes.

What is a collision?
A collision occurs when two different inputs produce the same hash digest. Because hash functions map infinite input to finite output, collisions are mathematically inevitable, but a good algorithm makes finding them computationally impractical.
