Hashing Explained: MD5, SHA-256 and When to Use Them

Hashing sits behind a surprising amount of everyday technology — from checking that a downloaded file isn't corrupted to storing passwords safely. The terms (MD5, SHA-256, "checksum") sound intimidating, but the core idea is elegant and easy to grasp. This guide explains what hashing is, how it differs from encryption, and which algorithm to reach for.

What a hash function does

A hash function takes any input — a word, a document, an entire disk image — and produces a fixed-length string of characters called a hash or digest. The same input always produces the same hash, but even a tiny change to the input (a single letter) produces a completely different hash. Crucially, the process is one-way: you cannot reverse a hash back into the original data.

Think of it as a digital fingerprint. Two identical files share a fingerprint; two different files almost never do; and you can't reconstruct a person from their fingerprint.

Hashing is not encryption

This trips people up constantly. Encryption is reversible by design — with the right key, encrypted data turns back into the original. Hashing is deliberately not reversible; there is no key and no "unhash" operation. Encryption is for keeping data secret and then getting it back. Hashing is for verifying integrity and identity without ever needing the original back.

Two everyday uses

Why MD5 (and SHA-1) are broken

MD5 was once everywhere, but it is now considered broken for security. Researchers found ways to produce "collisions" — two different inputs that yield the same hash — which destroys the guarantee that a fingerprint is unique. SHA-1 has fallen the same way. Both are still occasionally fine as quick, non-security checksums to spot accidental corruption, but you should never rely on them where security matters.

Where SHA-256 fits

SHA-256, part of the SHA-2 family, is the modern default for general-purpose secure hashing. It has no known practical collisions and is widely trusted for file verification and digital signatures. One nuance: for passwords specifically, even SHA-256 on its own is too fast — attackers can try billions of guesses per second. Password storage should use a deliberately slow, salted algorithm designed for the job (such as bcrypt, scrypt or Argon2). SHA-256 is excellent for verifying files; password hashing is a specialised case.

Trying it out

The best way to build intuition is to experiment. Our hash generator computes MD5, SHA-1, SHA-256 and more from any text, right in your browser — change one character and watch the entire hash change. If you're thinking about passwords, pair this with a strong password generator and a manager rather than relying on hashing alone.

Key takeaways

Advertisement

Tools mentioned in this guide

Password Generator

Create strong, random passwords with a real strength meter.

Generators

Hash Generator

Generate MD5, SHA-1, SHA-256 and SHA-512 hashes.

Developer Tools