MD5 vs SHA-256 — Which Hash Function Should You Use?
Compare MD5 and SHA-256 cryptographic hash functions. Understand security vulnerabilities, speed differences, and which to use for passwords, files, and checksums.
| Feature | MD5 | SHA-256 |
|---|---|---|
| Output Length | 128 bits (32 hex chars) | 256 bits (64 hex chars) |
| Collision Resistance | Broken — practical attacks exist | No known practical attacks |
| Relative Speed | Very fast | Fast (slower than MD5) |
| Password Hashing | Never use | Not ideal alone — use bcrypt/Argon2 |
| File Checksums | Acceptable for corruption detection | Preferred for security |
| Digital Signatures | Not acceptable | Standard choice |
| TLS Certificates | Deprecated, rejected | Current standard |
| Compliance | Not compliant | NIST, FIPS approved |
Verdict
SHA-256 is the correct choice for any security-sensitive operation. MD5 is only acceptable for fast non-security checksums (detecting accidental file corruption in trusted environments). For password hashing, use neither — use bcrypt, scrypt, or Argon2, which are deliberately slow and expose a tunable work factor.
The MD5 Collision Attack Explained
A collision attack means finding two different inputs M1 and M2 such that hash(M1) = hash(M2). For MD5, this became computationally feasible in 2004 and has grown progressively cheaper since. In 2008, a team demonstrated two X.509 SSL certificates with different content but identical MD5 signatures, allowing them to forge a certificate authority signature. This real-world attack on certificate infrastructure is why all major browsers and CAs stopped accepting MD5-signed certificates years ago. Today, MD5 collisions can be produced in seconds on consumer hardware. For anything requiring collision resistance, MD5 is simply broken.
Why 'Fast' Is Bad for Password Hashing
MD5 and SHA-256 are both optimized to be fast. A modern NVIDIA GPU can compute 10-20 billion MD5 hashes per second and 4-8 billion SHA-256 hashes per second. This is catastrophic for password security: if an attacker steals a database of SHA-256 hashed passwords, they can attempt hundreds of millions of common passwords per second until they find matches. bcrypt was designed in 1999 specifically to be slow and configurable. Argon2, the 2015 Password Hashing Competition winner, adds memory-hardness (requiring gigabytes of RAM), making parallel GPU attacks economically infeasible. Always use these purpose-built algorithms for password storage.
Modern Hashing in Practice
Which algorithm to use in practice:
- TLS certificates and PKI: SHA-256 is the current standard (SHA-1 was deprecated in 2017; SHA-384 is used for some high-assurance certificates).
- Code signing: SHA-256.
- File integrity verification in software distribution (verifying you downloaded the right file): SHA-256.
- Data deduplication in storage systems, where adversarial collision attacks are not relevant: SHA-1 or even MD5 may still appear in legacy systems.
- API authentication: HMAC-SHA-256.
- Password storage: Argon2id (modern default), bcrypt (proven, widely supported), or scrypt. The answer is almost never plain SHA-256.
Frequently Asked Questions
Why is MD5 considered broken?
MD5 is broken because researchers have demonstrated practical collision attacks — the ability to create two different inputs that produce the same MD5 hash. In 2008, researchers used MD5 collisions to create a rogue SSL certificate. For file integrity in non-adversarial contexts (detecting download corruption), MD5 still works. For any security application, it is unacceptable.
Is SHA-256 safe for hashing passwords?
No. SHA-256 is too fast — a modern GPU can compute billions of SHA-256 hashes per second, making brute-force attacks practical. Password hashing requires deliberately slow algorithms with work factors: bcrypt (tunable cost), scrypt (memory-hard), or Argon2 (winner of the Password Hashing Competition, recommended default).
How does Bitcoin use SHA-256?
Bitcoin uses SHA-256 in its proof-of-work mining algorithm. Miners must find a nonce value such that SHA-256(SHA-256(block_header)) produces a hash below a target value. This requires enormous computational effort but is trivial to verify, which is what makes it a useful consensus mechanism.
Should I use SHA-256 or SHA-512?
SHA-512 provides a larger 512-bit output (128 hex chars) and on 64-bit systems can actually be faster than SHA-256. For most purposes, SHA-256's security margin is sufficient. SHA-512 is useful when you need a stronger collision-resistance margin or are specifically designing for 64-bit performance-sensitive systems.
Which hash should I use for file checksums?
For software distribution and security-critical file verification, use SHA-256 or SHA-512. For internal data pipeline integrity checks where collision attacks are not a concern, MD5 or CRC32 are acceptable for their speed. Most modern package managers (npm, pip, apt) use SHA-256.