Hash Generator Guide: MD5, SHA-1, SHA-256, and When to Use Each
A complete guide to hash generation: what cryptographic hashes are, how MD5/SHA-1/SHA-256 differ in security and speed, and why you should never use MD5 for passwords.
A hash generator takes any input — a password, a file, a string — and produces a fixed-length string called a hash (or digest). Hashes are fundamental to cryptography, data integrity, and password storage.
What Makes a Good Hash Function?
- One-way — you can compute hash(input) easily, but you can't recover input from hash
- Deterministic — same input always produces the same output
- Fixed length — regardless of input size, output is always the same length
- Collision-resistant — extremely unlikely for two different inputs to produce the same hash
- Avalanche effect — tiny input change → completely different output
The Algorithms Compared
| Algorithm | Output | Speed | Security | Use Case |
|---|---|---|---|---|
| MD5 | 128-bit (32 hex chars) | Very fast | ⚠️ Broken | File checksums only (not passwords) |
| SHA-1 | 160-bit (40 hex chars) | Fast | ⚠️ Deprecated | Legacy systems only |
| SHA-256 | 256-bit (64 hex chars) | Medium | ✅ Safe | Passwords, digital signatures |
| SHA-384 | 384-bit (96 hex chars) | Slower | ✅ Safe | High-security applications |
| SHA-512 | 512-bit (128 hex chars) | Slowest | ✅ Safe | Maximum security needs |
Why MD5 Is Dangerous for Passwords
MD5 was cracked in 2004 — attackers can create two different inputs with the same hash (collision attack). By 2012, Stuxnet used MD5 collisions to forge Windows certificates.
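```javascript
const crypto = require('crypto');
const password = 'example-password';                        // example input
const unique_salt = crypto.randomBytes(16).toString('hex'); // random per-user salt, stored next to the hash
// ❌ Never store passwords this way
const md5Hash = crypto.createHash('md5').update(password).digest('hex'); // Crackable in milliseconds with rainbow tables
// ✅ Use SHA-256 with a salt
const saltedHash = crypto.createHash('sha256').update(password + unique_salt).digest('hex');
```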
Common Real-World Uses
1. File Integrity Checksums
```bash
# Downloaded a file? Verify its hash
sha256sum large-file.zip
# Compare against the hash published on the website
```
2. Password Storage (with salt)
```php
// PHP / Laravel
$hash = hash('sha256', $password . $env_salt);
```
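The salted storage described above, as an added example that is not part of the original article: each password gets its own random salt, the salt is stored inside the record, and verification recomputes the hash and compares in constant time. It goes one step beyond the page by also showing PBKDF2-HMAC-SHA256, which iterates the same SHA-256 so each guess costs more; the function names, the `$`-separated record format and the iteration count are assumptions.

```javascript
// Added example: salted password hashing with Node's built-in crypto module.
const crypto = require('node:crypto');

const ITERATIONS = 600000; // assumed work factor, tune for your hardware

// Salted SHA-256 as in the snippet above, with a random per-user salt.
function hashSha256(password, salt = crypto.randomBytes(16)) {
  const digest = crypto.createHash('sha256').update(password, 'utf8').update(salt).digest('hex');
  return `sha256$${salt.toString('hex')}$${digest}`;
}

// Same salt handling, but SHA-256 is iterated through PBKDF2 so every guess is costly.
function hashPbkdf2(password, salt = crypto.randomBytes(16), iterations = ITERATIONS) {
  const digest = crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256').toString('hex');
  return `pbkdf2-sha256$${iterations}$${salt.toString('hex')}$${digest}`;
}

// Recompute from the stored salt and parameters, then compare in constant time.
function verify(password, record) {
  const parts = String(record).split('$');
  let expected;
  if (parts[0] === 'sha256' && parts.length === 3) {
    expected = hashSha256(password, Buffer.from(parts[1], 'hex'));
  } else if (parts[0] === 'pbkdf2-sha256' && parts.length === 4) {
    const iterations = Number(parts[1]);
    if (!Number.isInteger(iterations) || iterations < 1 || iterations > 10000000) return false;
    expected = hashPbkdf2(password, Buffer.from(parts[2], 'hex'), iterations);
  } else {
    return false; // unknown scheme or malformed record
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(String(record));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample input, not real credentials.
const sample = hashPbkdf2('correct horse battery staple');
console.log(sample);
console.log(verify('correct horse battery staple', sample));
console.log(verify('Correct horse battery staple', sample));
```

Because the scheme name and parameters travel with each record, old `sha256$` records keep verifying while new ones are written with `hashPbkdf2`.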
3. Digital Signatures & Blockchain
Bitcoin uses SHA-256. Ethereum uses Keccak-256 (SHA-3 family).
4. Git Commits
Every Git commit is identified by a SHA-1 hash of its contents.
The SHA Family Explained
The SHA family was designed by the NSA:
- SHA-1 — 160 bits. Deprecated by Google, Chrome, Firefox. Should not be used for anything new.
- SHA-256 — 256 bits. The current standard for most security applications.
- SHA-384/512 — Longer hashes for financial, government, and military-grade security.
Quick Reference
| Input | MD5 | SHA-256 |
|---|---|---|
| "hello" | 5d41402... | 2cf24db... |
| "Hello" | 8b1a995... | 185f8db... |
| "" | d41d8cd... | e3b0c44... |
Note how a single character change (hello → Hello) produces a completely different hash — that's the avalanche effect.
How to Generate Hashes
Generate MD5, SHA-1, SHA-256, SHA-384, or SHA-512 hashes instantly. All computation happens locally in your browser — nothing is sent to any server.
Toolblip Team

