2026-07-01

MD5 vs SHA-256: Which Hash Function Should You Use in 2026?

Use SHA-256 for anything security-related; MD5 only for non-security checksums. Here's why MD5 broke, what collisions mean, and a decision table you can trust.

The one-line answer: use SHA-256 for anything involving security, and MD5 only for non-security checksums in legacy contexts. MD5 has been cryptographically broken for two decades. But "broken" has a precise meaning worth understanding, because MD5 still appears everywhere and is not always wrong to use.

What a hash function does

A hash function turns any input — a password, a file, a 4 GB video — into a fixed-size fingerprint. The same input always gives the same hash; a one-character change produces a completely different one. Crucially, the function is one-way: computing a hash is instant, but finding an input that produces a given hash should be infeasible.

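|                   | MD5              | SHA-1            | SHA-256          | SHA-512           |
|-------------------|------------------|------------------|------------------|-------------------|
| Output size       | 128-bit (32 hex) | 160-bit (40 hex) | 256-bit (64 hex) | 512-bit (128 hex) |
| Year              | 1992             | 1995             | 2001             | 2001              |
| Collisions found? | Yes — in seconds | Yes — 2017       | No               | No                |
| Security verdict  | Broken           | Deprecated       | ✅ Standard      | ✅ Standard       |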

What "broken" actually means

MD5's fatal flaw is collisions: two different inputs producing the same hash. Researchers demonstrated MD5 collisions in 2004; today they can be generated in seconds on a laptop. Why that matters: an attacker can craft a malicious file with the same MD5 as a legitimate one — same fingerprint, different contents. The Flame malware (2012) used exactly this to forge Microsoft code signatures.

SHA-1 followed in 2017, when Google's "SHAttered" attack produced two different PDFs with identical SHA-1 hashes. Browsers and certificate authorities dropped it immediately. SHA-1 survives mainly inside git, where it identifies commits — a context where crafted collisions are impractical to exploit.

Where MD5 is still fine

Collisions require an attacker crafting inputs. When no adversary is involved, MD5 still works:

  • Accidental-corruption checksums — verifying a download completed correctly
  • Cache keys and deduplication — detecting identical files quickly
  • Legacy system compatibility — matching what an old system already stores

For these, MD5's speed is a feature. Generate one with our MD5 Generator.

Where you must use SHA-256 (or better)

  • File integrity against tampering — release checksums, forensics
  • Digital signatures and certificates — the entire TLS ecosystem runs on SHA-256
  • API signatures — use HMAC-SHA256, which adds a secret key
  • Anything an attacker might target

Compute one instantly with our SHA-256 Generator — or SHA-512, which is equally secure and often faster on 64-bit CPUs.
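
One way to implement the HMAC-SHA256 API signature from the list above, as an added example that is not part of the original article. The canonical message layout, the 300-second replay window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed replay window; not from the article


def canonical_message(method, path, timestamp, body):
    """Byte string that gets signed (hypothetical layout for this example)."""
    # Hash the body and join fields with newlines so field boundaries are
    # unambiguous (HTTP methods and paths cannot contain a raw newline).
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign_request(key, method, path, timestamp, body):
    """Client side: hex HMAC-SHA256 tag over the canonical message."""
    msg = canonical_message(method, path, timestamp, body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(key, method, path, timestamp, body, signature, now=None):
    """Server side: check freshness, then compare tags in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request, treat as a replay
    expected = sign_request(key, method, path, timestamp, body)
    # compare_digest does not leak how many leading characters matched;
    # comparing bytes also tolerates non-ASCII junk in the supplied tag.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    key = b"constructed-demo-key-not-a-real-secret"
    ts = 1_780_000_000
    body = b'{"amount": 10, "to": "alice"}'
    sig = sign_request(key, "POST", "/v1/transfer", ts, body)
    forged = b'{"amount": 9999, "to": "mallory"}'
    print("genuine:", verify_request(key, "POST", "/v1/transfer", ts, body, sig, now=ts + 5))
    print("altered:", verify_request(key, "POST", "/v1/transfer", ts, forged, sig, now=ts + 5))
    print("replayed:", verify_request(key, "POST", "/v1/transfer", ts, body, sig, now=ts + 900))
```

A plain SHA-256 of the request would not serve here, because anyone can recompute it; the secret key is what makes the tag unforgeable.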

The special case: passwords

Neither MD5 nor plain SHA-256 is right for storing passwords — both are too fast, letting attackers test billions of guesses per second. Password storage needs deliberately slow, salted algorithms: bcrypt, scrypt or Argon2. If you are checking whether a password has already leaked, use our Password Leak Checker instead.

Frequently asked questions

Can SHA-256 be reversed or cracked? No practical attack exists. Brute-forcing a 256-bit space would outlast the universe. Weak inputs (short passwords) can still be guessed — that is dictionary attacking, not breaking the hash.

Is SHA-512 more secure than SHA-256? Both are unbroken. SHA-512 has a larger security margin and is often faster on 64-bit hardware; SHA-256 has broader ecosystem support. Either is a sound choice.

Why does git still use SHA-1? History and inertia — plus git's threat model makes collision attacks impractical. Git has been migrating toward SHA-256 object formats since 2020.

What about SHA-3? A different internal design (Keccak, standardised 2015) held in reserve. SHA-2 remains unbroken, so SHA-3 adoption stays niche.