What Is a Hash? MD5, SHA-1 and SHA-256 Explained
A hash turns any input into a fixed-length fingerprint that can't be reversed. Here's what hashing is for, how MD5, SHA-1 and SHA-256 differ, and which you should actually use.
A hash function takes any input — a word, a file, a gigabyte of data — and produces a fixed-length string of characters called a digest. The same input always gives the same digest, but you can't run it backwards to recover the input. It's a one-way fingerprint.
What hashing is used for
- Integrity checks. Publish a file's hash, and anyone who downloads it can hash their copy and confirm it matches — proof nothing was corrupted or tampered with in transit.
- Deduplication and lookups. Identical content produces identical digests, so hashes make handy keys and duplicate detectors.
- Password storage (with important caveats — see below).
Hashing is not encryption
This trips people up constantly. Encryption is two-way — with the key, you get the original back. Hashing is one-way — there's no key and no "unhash." If a tool claims to decode a hash back to its input, it's really just looking the value up in a precomputed table of common inputs, not reversing the maths.
MD5 vs SHA-1 vs SHA-256
- MD5 (128-bit) — fast, but cryptographically broken: attackers can craft two different inputs with the same digest (a "collision"). Fine as a non-security checksum, unsafe for anything that must resist tampering.
- SHA-1 (160-bit) — also broken by practical collision attacks and now deprecated. Avoid for new work.
- SHA-256 (256-bit, part of the SHA-2 family) — the current sensible default. No practical collisions, widely supported, and used everywhere from TLS certificates to software signing.
The short version: use SHA-256 unless you have a specific reason not to, and treat MD5/SHA-1 as legacy checksums only.
A note on passwords
Plain SHA-256 is too fast for storing passwords — attackers can try billions of guesses per second. Password storage uses deliberately slow, salted algorithms like bcrypt, scrypt, or Argon2 instead. Hashing still matters there; it's just a different, purpose-built kind.
Try it
Generate MD5, SHA-1, and SHA-256 digests for any text with the free Hash Generator — it runs in your browser, so nothing you enter is transmitted.
Related developer & security tools
Hash Generator | Base64 Encoder / Decoder | JWT Decoder | All free tools