MD5 vs SHA-256
MD5 is fast and ubiquitous but cryptographically broken. SHA-256 is the current standard. For anything security-related, the answer is always SHA-256.
For context on how hashing fits alongside encryption and encoding, see the complete guide to encryption, hashing, and encoding.
At-a-Glance Verdict
- Use SHA-256 for any security application: signatures, certificates, integrity checks with a security requirement.
- MD5 is acceptable only for non-security checksums where accidental corruption (not tampering) is the concern — and even then, SHA-256 is a better default.
- Neither should be used for passwords. Use bcrypt, scrypt, or Argon2.
- •Detecting accidental file corruption (not malicious tampering)
- •Non-security cache keys or deduplication fingerprints
- •Interfacing with legacy systems that only support MD5
- •Quick local lookups where speed matters and security is irrelevant
- •Any security requirement exists (signatures, auth, integrity)
- •Generating checksums for downloads or distribution
- •Building new systems (use SHA-256 as the default)
- •Blockchain, TLS, JWT, code signing, or certificate workflows
Key insight: MD5 is broken for security. SHA-256 is the current standard.
What is MD5?
MD5 (Message Digest Algorithm 5) was designed by Ron Rivest in 1991 as a fast, general-purpose cryptographic hash function. It produces a 128-bit (16-byte) hash value typically represented as a 32-character hexadecimal string. For over a decade it was the default choice for checksums, certificate fingerprints, and password storage.
In 2004, researchers demonstrated that MD5 is vulnerable to collision attacks — it is feasible to craft two different inputs that produce the same MD5 hash. By 2008, attackers had exploited MD5 collisions to forge SSL certificates from a rogue CA. MD5 was formally deprecated for security use by NIST and major standards bodies shortly after.
Despite its broken security status, MD5 remains common in legacy systems and non-security contexts. Its speed (it can hash gigabytes per second on modern hardware) and ubiquitous library support make it persist in codebases long after safer alternatives became available.
MD5 collision attacks are practical today
Generating an MD5 collision takes seconds on a laptop. Never use MD5 where two different inputs producing the same hash could cause a security problem.
What is SHA-256?
SHA-256 (Secure Hash Algorithm 256-bit) is part of the SHA-2 family, published by NIST in 2001. It produces a 256-bit (32-byte) hash typically represented as a 64-character hexadecimal string. SHA-256 is the foundation of modern cryptographic infrastructure — it underpins TLS certificates, Bitcoin, code signing, and countless other security systems.
No practical attacks against SHA-256 have been demonstrated. Its 256-bit output space means there are 2256 possible hash values — a number larger than the number of atoms in the observable universe. Brute-forcing a SHA-256 hash is computationally infeasible with any known technology.
SHA-256 is approximately 2x slower than MD5, but on modern CPUs with SHA-NI hardware acceleration, both are extremely fast. For most applications the difference is unmeasurable. For the rare case where you need something faster than SHA-256 at scale, BLAKE3 is a modern alternative that is faster while remaining secure.
SHA-256 is the recommended default
When in doubt, use SHA-256. It is collision-resistant, preimage-resistant, and universally supported. It is the hash algorithm used in TLS, Bitcoin, and most modern software distribution systems.
Key Differences
| Aspect | MD5 | SHA-256 |
|---|---|---|
| Output size | 128 bits (32 hex chars) | 256 bits (64 hex chars) |
| Collision resistance | Broken — practical attacks exist | Strong — no known attack |
| Speed | Very fast | Fast (with SHA-NI ~2x slower than MD5) |
| Security status | Deprecated for security use | Current standard |
| Common uses | Legacy checksums, cache keys, non-security fingerprints | TLS, blockchain, code signing, HMAC-SHA256, software distribution |
| Password use | Never — too fast, broken | Never directly — use bcrypt/Argon2 |
Never Use MD5 or SHA-256 Directly for Passwords
Both MD5 and SHA-256 are general-purpose hash functions designed to be fast. Fast hashing is exactly what an attacker needs to brute-force passwords. On a modern GPU, attackers can compute billions of MD5 hashes per second — and hundreds of millions of SHA-256 hashes per second.
For password storage, you need a key derivation function (KDF)specifically designed to be slow and memory-intensive. The recommended options are:
Widely supported, configurable cost factor, industry standard for decades.
Memory-hard, resistant to GPU attacks, used in many newer systems.
Winner of the Password Hashing Competition (2015). Recommended for new systems.
For a deeper understanding of how hashing relates to HMAC and authentication, see the hashing and HMAC guide.
Common Mistakes
Using MD5 for password hashing
MD5 is so fast that attackers can test billions of candidate passwords per second against an MD5 hash. Plain MD5 passwords have been cracked in seconds from breached databases countless times. Always use bcrypt, scrypt, or Argon2.
Trusting MD5 checksums for security
If a software distributor publishes only MD5 checksums, those checksums cannot guarantee the file has not been tampered with by a motivated attacker. An attacker can craft a malicious file with the same MD5 as the legitimate one. Insist on SHA-256.
Using raw SHA-256 without salting for passwords
Even SHA-256 is too fast for password hashing. Without a salt, identical passwords produce identical hashes (vulnerable to rainbow tables). Without key stretching, the hash is easily brute-forced on modern hardware. Use Argon2 or bcrypt.
Treating a hash as encryption
Hashing is one-way — you cannot decrypt a hash to recover the original data. If you need to recover the original data, use encryption (AES). Hashing stores a verification fingerprint, not the data itself.
Try It Yourself
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any text, directly in your browser.
Frequently Asked Questions
Related Tools
Related Guides and Comparisons
Explore the Encryption Tools Hub for all related tools, guides, and comparisons in one place.