What Is Hashing? MD5, SHA-256, and Why They Matter for Security

What a Hash Function Does

A hash function takes any input — a word, a file, an entire database — and produces a fixed-length output called a hash, digest, or checksum. SHA-256 always produces a 256-bit (64 hexadecimal character) output, no matter if the input is one character or one gigabyte.

Three properties make hash functions useful for security.

Deterministic — The same input always produces the same output. Hash "hello" with SHA-256 and you always get 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. Every time.

One-way — Given a hash output, it is computationally infeasible to find the original input. You cannot run SHA-256 "backwards." The only practical way to find the input for a given hash is to try possible inputs and hash them until you find a match.

Avalanche effect — A tiny change in the input creates a completely different output. Change one letter in a sentence, and the hash changes entirely — not slightly. This means you cannot partially reverse-engineer the input from the hash.

MD5 vs SHA-256 — The Important Difference

Both are hash functions, but they are not equally secure.

MD5 produces a 128-bit (32-character) hash. It was widely used for password hashing and file integrity in the 1990s. The problem: MD5 is cryptographically broken. Researchers have found collision attacks — ways to produce two different inputs with the same MD5 hash. This makes it unsuitable for security applications. Do not use MD5 for passwords or security-critical purposes.

SHA-256 is part of the SHA-2 family of hash functions. It produces a 256-bit hash and is considered cryptographically strong as of 2025. It is used in Bitcoin, SSL certificates, code signing, and virtually every modern security application.

MD5 is still used for non-security purposes — quick file checksums where the goal is detecting accidental corruption, not resisting deliberate attack. For anything security-related, use SHA-256 or better.

How Password Hashing Works

Websites do not store your password — they store a hash of it. When you log in, the website hashes the password you entered and compares it to the stored hash. If they match, you are authenticated.

This way, even if the database is stolen, attackers do not get plaintext passwords — they get hashes. To crack them, they have to guess passwords and hash each guess until they find a match. This is why long, random passwords are hard to crack — there are too many possibilities to guess efficiently.

Good systems add a unique random value (a salt) to each password before hashing, preventing attackers from cracking multiple hashes simultaneously using precomputed lookup tables (rainbow tables).

File Integrity Verification

Hashing is how you verify that a file has not been tampered with. When you download software, the download page often lists the SHA-256 hash of the expected file. After downloading, you hash the file yourself and compare. If the hashes match, the file arrived intact and unmodified.

Our Hash Generator produces MD5, SHA-1, SHA-256, and SHA-512 hashes for any text or file. Useful for verifying downloads, generating checksums, or understanding how different algorithms compare on the same input.