← All articles · May 2, 2026 · fmt.hjlabs.in

Hash Functions Explained: MD5, SHA-1, SHA-256 in Practice

Hash functions are everywhere in modern software — checksums, password storage, content addressing, blockchain. But "use SHA-256 for everything" is bad advice. Different hash functions exist for different purposes. Here's the 2026 guide.

What a hash function does

Takes any-size input. Returns a fixed-size output (the "hash" or "digest"). The same input always gives the same output. A tiny input change produces a totally different output (the "avalanche effect").

Properties we want from cryptographic hashes

  1. Pre-image resistance: given hash, can't find input
  2. Second pre-image resistance: given input, can't find different input with same hash
  3. Collision resistance: can't find any two inputs with same hash

The major hash functions in 2026

MD5 (1992)

SHA-1 (1995)

SHA-256 (2001, SHA-2 family)

SHA-512 (2001)

SHA-3 / Keccak (2015)

BLAKE3 (2020)

bcrypt / scrypt / Argon2 (password hashes)

Speed comparison (1GB input, modern CPU)

AlgorithmTimeStatus
MD51.2sBroken for crypto
SHA-11.8sBroken for crypto
SHA-2563.4sSecure
SHA-5122.4sSecure
BLAKE30.4sSecure, modern

Common use cases and the right hash

File integrity check (downloaded a file, want to verify)

SHA-256 is the modern default. SHA-1 still appears (Git, older Linux distros) but is weak.

Password storage

NEVER use raw cryptographic hashes (SHA-256, MD5). Use Argon2id, bcrypt, or scrypt with a salt.

Cache key / database deduplication

MD5 or xxHash are fine — speed matters more than collision resistance. CRC32 also works for small data.

Content-addressable storage (Git, IPFS)

SHA-256 or BLAKE3. Git is migrating to SHA-256.

Digital signatures (JWT, TLS)

SHA-256 paired with RSA or ECDSA. SHA-512 if you need extra margin.

Blockchain (proof of work)

SHA-256 (Bitcoin), Keccak-256 (Ethereum), Scrypt (Litecoin), Equihash (Zcash).

Generating an ID from content

SHA-256 truncated to 16 bytes is fine. Or use a UUIDv5 with a namespace.

Generating hashes in different languages

// JavaScript
const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(text));
const hex = Array.from(new Uint8Array(hash)).map(b => b.toString(16).padStart(2, '0')).join('');

# Python
import hashlib
hashlib.sha256(text.encode()).hexdigest()

// Go
import "crypto/sha256"
hash := sha256.Sum256([]byte(text))

# Bash
echo -n "text" | sha256sum

HMAC: hash + secret key

HMAC-SHA256 is the standard for message authentication. It combines a secret key with a message and produces a tag — anyone with the key can verify, no one else can forge.

import hmac, hashlib
sig = hmac.new(secret, message, hashlib.sha256).hexdigest()

Used by: webhooks (Stripe, GitHub), JWT HS256, AWS SigV4.

Why "just use SHA-256 with salt for passwords" is wrong

SHA-256 is fast — billions of hashes per second on a GPU. Even with salt, an attacker with your hash database can crack 8-character passwords in hours.

Argon2id is intentionally slow (configurable to 100ms+ per hash) and uses lots of memory, defeating GPU/ASIC attacks.

Tools

Bottom line

Default to SHA-256 for cryptographic needs. Use Argon2id for passwords. Use BLAKE3 when speed matters. Use MD5 only for non-security checks. Never use SHA-1 for new code.

Try the free dev tools suite

15+ tools. 100% client-side. No signup. No tracking.

Browse all tools →

More from the blog