Hash Algorithm Comparison
| Algorithm | Output Length | Security Status | Speed |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | Broken — collisions found in seconds | Fastest |
| SHA-1 | 160 bits (40 hex chars) | Broken — first collision published 2017 | Fast |
| SHA-256 | 256 bits (64 hex chars) | Secure — current standard | Moderate |
| SHA-512 | 512 bits (128 hex chars) | Secure — longer output | Moderate (faster on 64-bit CPUs) |
What Makes a Good Hash Function
Three properties matter. First, determinism: the same input always produces the same output. Second, avalanche effect: changing one bit of input changes roughly half the output bits. Third, pre-image resistance: given a hash, finding any input that produces it is computationally infeasible.
SHA-256 satisfies all three. MD5 fails the third — researchers generated two different PDF files with the same MD5 hash in 2012. Google produced a practical SHA-1 collision in 2017 (the "SHAttered" attack), requiring 9,223,372,036,854,775,808 SHA-1 computations.
Common Uses
File integrity: Download a file, hash it, compare with the publisher's hash. Git uses SHA-1 (migrating to SHA-256) for commit hashes. Passwords are stored as hashes — bcrypt or Argon2, never plain SHA-256, because those need deliberate slowness to resist brute force. Blockchain uses SHA-256 for mining proof-of-work.