MD5 vs SHA-256: which hash should you use?
MD5 is fast but broken for security; SHA-256 is the modern default. Here's what each is good for, where MD5 is still fine, and what to use for passwords.
Software engineer and technical writer
When you need a hash, the choice usually comes down to MD5 or SHA-256. The short answer: use SHA-256 for anything that touches security, and reserve MD5 for quick, non-security checks only. Here is why, and where MD5 is still acceptable.
What each one produces
Both are hash functions: they take any input and produce a fixed-size digest.
- MD5 produces a 128-bit (32 hex character) digest. It is fast and was once
everywhere.
- SHA-256 produces a 256-bit (64 hex character) digest. It is part of the
SHA-2 family and is the modern default.
Why MD5 is unsafe for security
MD5 is broken in a specific, important way: it is vulnerable to collisions. A collision is when two different inputs produce the same hash. Researchers can now generate MD5 collisions cheaply, which means an attacker can craft a malicious file that has the same MD5 as a trusted one.
That makes MD5 unsuitable for anything where an attacker might try to fool you: digital signatures, certificate fingerprints, verifying that a download has not been tampered with, or deduplicating content where it matters. SHA-1 has the same problem and should also be avoided for security.
Where MD5 is still fine
MD5 is not useless. For non-security purposes it is still a reasonable, fast choice:
- A quick checksum to detect accidental corruption during a file copy or
transfer.
- A cache key or a fast way to spot whether two local files differ.
The line is simple: if an attacker has any reason to fool the check, do not use MD5. If you are only guarding against accidents, MD5 is fine.
When to use SHA-256
Use SHA-256 whenever the check needs to resist tampering:
- Verifying a download matches the publisher's posted hash.
- Fingerprinting data for integrity in a system someone might attack.
- Anywhere a standard or another team expects a secure hash.
To compare two hashes safely (for example, checking a downloaded file's SHA-256 against the published value), a comparison tool avoids the mistakes of eyeballing 64 characters.
A side-by-side comparison
| MD5 | SHA-256 | |
|---|---|---|
| Digest size | 128-bit (32 hex) | 256-bit (64 hex) |
| Speed | Very fast | Fast |
| Collision resistance | Broken | Secure (no practical attack) |
| Use for security | No | Yes |
| Good for | Accidental-corruption checks | Integrity and authenticity |
What about passwords?
Neither MD5 nor plain SHA-256 is the right tool for storing passwords. Both are too fast, which helps attackers brute-force them at scale. Password storage needs a deliberately slow, salted algorithm built for the job: bcrypt, scrypt, or Argon2. Hashing matters here, but the goal is different from a file checksum. For the bigger picture of how hashing fits alongside encoding and encryption, see encoding vs encryption vs hashing.
Key takeaways
- Use SHA-256 as the default for any hash that must resist tampering.
- MD5 is broken by collision attacks and is unsafe for security, but it is fine
for detecting accidental file corruption.
- SHA-1 has the same collision problem as MD5 and should be avoided for security.
- A collision is when two different inputs share the same hash; secure hashes
make this infeasible.
- For passwords, use a slow salted algorithm like bcrypt, scrypt, or Argon2, not
MD5 or plain SHA-256.
This article was prepared with AI-assisted drafting and reviewed by a human editor for accuracy, clarity, and relevance.
Frequently asked questions
Is MD5 still safe to use?+
Not for anything security-related. MD5 is vulnerable to collisions, so an attacker can craft two different inputs with the same hash. It is acceptable only for non-security checks like a quick file integrity check against accidental corruption.
Why is SHA-256 considered secure?+
SHA-256 produces a 256-bit digest and has no known practical collision attack. It is the current default for verifying integrity and authenticity, and it is widely supported across languages and platforms.
Should I use SHA-256 to store passwords?+
No, not on its own. Fast hashes like SHA-256 are too quick to brute-force. Use a slow, salted password hashing algorithm such as bcrypt, scrypt, or Argon2, which are designed specifically for storing passwords.
What does hash collision mean?+
A collision is when two different inputs produce the same hash output. A secure hash makes collisions infeasible to find. MD5 and SHA-1 have practical collision attacks, which is why they are unsafe for security use.