MD5, SHA-256, and SHA-512 Compared: Choosing the Right Hash Function

A practical guide to MD5, SHA-256, and SHA-512: what each algorithm guarantees, where MD5 breaks down, when to use each one, and the one situation where none of them is the right answer.

Published By Lei Li
#security #cryptography #developer #hashing

MD5, SHA-256, and SHA-512 Compared: Choosing the Right Hash Function for Your Use Case

Three hash functions appear constantly in developer documentation, security checklists, and file download pages: MD5, SHA-256, and SHA-512. They look alike on the surface — paste text in, get a hex string out. But they solve different problems, fail in different ways, and choosing the wrong one has caused real-world certificate forgeries and password database breaches. This guide cuts through the overlap.

What Every Hash Function Guarantees

A cryptographic hash function makes three core promises: the same input always produces the same output (deterministic), a single changed character completely scrambles the result (avalanche effect), and reversing the process — computing the input from the output — is computationally infeasible (one-way). The three algorithms differ in how strongly they deliver on that last promise.

Digest sizes at a glance:

| Algorithm | Output size | Hex characters |
|-----------|-------------|----------------|
| MD5 | 128 bits | 32 |
| SHA-256 | 256 bits | 64 |
| SHA-512 | 512 bits | 128 |

A larger digest means a larger space of possible outputs, which raises the cost of collision attacks. MD5's 128-bit space sounds large, but its effective collision resistance is only 2^64 operations — the birthday-attack bound — and that proved crackable with hardware available in the mid-2000s.

The Security Reality: What Is Actually Broken

MD5 is broken for anything security-sensitive. Researchers at CWI Amsterdam published practical collision attacks in 2004 (Wang et al.), and by 2008 a team used MD5 collisions to forge a fraudulent HTTPS certificate signed by a real, trusted CA. Today, tools like HashClash and Fastcoll generate two files sharing the same MD5 hash in seconds on a commodity laptop. If you need a hash that detects tampering, MD5 is not the tool.

SHA-1 followed in 2017. Google's SHAttered attack found a practical SHA-1 collision requiring approximately 9.2 × 10^18 SHA-1 computations — equivalent to roughly $110,000 of AWS compute at the time (Stevens et al., "The first collision for full SHA-1," 2017). Chrome, Firefox, and all major browsers stopped accepting SHA-1 TLS certificates immediately after publication.

SHA-256 and SHA-512 have no known practical attacks. Both belong to the SHA-2 family, designed by the NSA and standardized by NIST in FIPS 180-4. The best published cryptanalysis on SHA-256 reaches only 31 of its 64 compression rounds — far from a full break. SHA-512 uses a wider word size (64-bit vs SHA-256's 32-bit) and has the same healthy margin.

A Real Input/Output Example

Input string: hello

| Algorithm | Hash |
|-----------|------|
| MD5 | 5d41402abc4b2a76b9719d911017c592 |
| SHA-256 | 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 |
| SHA-512 | 9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043 |

Change hello to Hello and all three digests change completely and unpredictably; that is the avalanche effect working correctly. The three outputs share no visible pattern because each algorithm uses a different internal compression function operating over different numbers of rounds.

You can generate all five SHA-2 variants plus MD5 side by side in the browser using the MD5 / SHA Hash Generator — nothing is sent to a server, and all computation runs in your tab via the browser's WebCrypto API.
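To reproduce the table locally and measure the avalanche effect rather than eyeball it, the following added example (not code from the original page) hashes both strings with Python's standard hashlib and reports what share of digest bits change. The function names are chosen for this example.

```python
import hashlib

ALGORITHMS = ("md5", "sha256", "sha512")

def hex_digest(algorithm: str, text: str) -> str:
    """Hex digest of a UTF-8 string, in the same form as the table above."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()

def differing_bits(algorithm: str, a: str, b: str) -> tuple:
    """Return (bits that differ, total bits) between the digests of a and b."""
    da = hashlib.new(algorithm, a.encode("utf-8")).digest()
    db = hashlib.new(algorithm, b.encode("utf-8")).digest()
    changed = sum(bin(x ^ y).count("1") for x, y in zip(da, db))
    return changed, len(da) * 8

def avalanche_report(a: str, b: str) -> dict:
    """Fraction of digest bits that change between a and b, per algorithm."""
    report = {}
    for name in ALGORITHMS:
        changed, total = differing_bits(name, a, b)
        report[name] = changed / total
    return report

if __name__ == "__main__":
    for name in ALGORITHMS:
        print(f"{name:7} {hex_digest(name, 'hello')}")
    for name, fraction in avalanche_report("hello", "Hello").items():
        print(f"{name:7} {fraction:.1%} of bits differ ('hello' vs 'Hello')")
```

A sound hash changes close to half of its output bits for a one-character edit; a fraction near 0% or 100% would mean the change is predictable.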

Speed vs Security: Where the Trade-off Actually Lives

I ran openssl speed md5 sha256 sha512 on a 2023 MacBook Pro (M2 Pro) to see the throughput gap in practice:

  • MD5: ~4.1 GB/s
  • SHA-256: ~3.6 GB/s (Apple Silicon includes hardware SHA acceleration)
  • SHA-512: ~1.7 GB/s

On older x86 machines without Intel's SHA-NI extensions (introduced in Skylake, 2015), the gap between MD5 and SHA-256 is much larger — MD5 can run 4–5× faster. Once SHA-NI is available, the difference shrinks to under 20% for SHA-256. One counterintuitive fact: on 64-bit hardware without SHA-NI, SHA-512 is often faster than SHA-256 per byte, because SHA-512 operates on native 64-bit words while SHA-256 uses 32-bit words — the wider registers carry more data per cycle.

The practical upshot: unless you're hashing terabytes of data per second, the speed difference is irrelevant. A modern server hashing 1 GB of file data spends less than a second on SHA-256. Pick for correctness, not speed.

Which Algorithm to Use and When

MD5 is appropriate for:

  • Non-security checksums inside trusted systems — cache-busting query strings, ETag generation, fast deduplication keys where collision resistance is not a concern
  • Reading existing MD5 checksums produced by legacy systems you cannot change
  • Never: verifying downloaded software, certificate fingerprints, password storage, or anything an adversary can influence

SHA-256 is the right default for:

  • File integrity hashes you publish alongside software releases, firmware packages, or legal handoffs
  • Digital signatures — every modern TLS certificate uses SHA-256 as its digest algorithm
  • HMAC authentication (combine with a secret key using the HMAC Generator for message authentication codes)
  • General-purpose cryptography starting today — SHA-256 is the NIST-recommended choice for new systems

SHA-512 makes sense when:

  • Your protocol explicitly requires a 512-bit digest (some blockchain and key derivation specs specify SHA-512)
  • You're running pure-software SHA on a 64-bit server without SHA-NI, where SHA-512's wider word registers make it faster than SHA-256
  • You want larger security margins — SHA-512 gives you more headroom against future algorithmic advances
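The two SHA-256 uses listed above, release integrity and HMAC authentication, look like this in practice. This is an added example, not code from the original page; the file name, payload, key and message are constructed sample values, and the function names are chosen here.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks (constant memory)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_published(path: str, published_hex: str) -> bool:
    """Check a file against the digest the publisher lists for it."""
    expected = published_hex.strip().lower()  # tolerate case and newline
    return hmac.compare_digest(sha256_file(path), expected)

def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA-256 tag: only holders of the key can produce or check it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def hmac_verify(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_tag(key, message), tag)

def demo() -> dict:
    """Run both checks on constructed sample data and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "release.bin")  # constructed file name
        with open(path, "wb") as f:
            f.write(b"constructed release payload\n" * 100_000)
        published = sha256_file(path)
        results["intact"] = matches_published(path, published.upper() + "\n")
        with open(path, "r+b") as f:  # change a single byte in place
            f.seek(1234)
            f.write(b"X")
        results["tampered"] = matches_published(path, published)
    key = os.urandom(32)  # constructed shared secret
    tag = hmac_tag(key, b"amount=100")
    results["hmac_ok"] = hmac_verify(key, b"amount=100", tag)
    results["hmac_altered"] = hmac_verify(key, b"amount=900", tag)
    return results

if __name__ == "__main__":
    print(demo())
```

A bare SHA-256 digest only proves integrity if the published value arrives over a channel the attacker cannot also modify; the HMAC variant removes that dependency by requiring the secret key.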

The Case None of These Cover: Passwords

Here is where the single most common mistake happens: MD5, SHA-256, and SHA-512 are all wrong for storing passwords, including SHA-512. The reason is exactly the speed that makes them useful elsewhere. A commodity GPU can compute billions of SHA-256 hashes per second, which means a leaked password database can be attacked with massive brute-force dictionaries in minutes or hours, not years.

For passwords, the right tool is a deliberately slow hash function — bcrypt, scrypt, or Argon2id. These are designed to consume significant CPU time and memory per hash. A bcrypt cost factor of 12 makes each hash take roughly 300ms on modern hardware — fast enough for a login endpoint, slow enough to make bulk cracking impractical. The Bcrypt Generator demonstrates this: set the cost to 12, hash the same word multiple times, and watch how each result is unique despite identical input (bcrypt includes a random salt by design).

The dividing rule: fast hashes for integrity, slow hashes for secrets.

Summary

| Use case | Algorithm |
|----------|-----------|
| Password storage | bcrypt / scrypt / Argon2id |
| Message authentication with key | HMAC-SHA-256 |
| File integrity (public downloads) | SHA-256 |
| TLS, code signing | SHA-256 |
| Internal cache or dedup key | MD5 (or SHA-256 for consistency) |
| Protocol requiring 512-bit digest | SHA-512 |
| Legacy compatibility only | MD5 (with no security expectations) |

When in doubt, SHA-256 is the safe default — NIST-approved, hardware-accelerated on any post-2016 CPU, and unchallenged after two decades of public cryptanalysis.


Made by Toolora · Updated 2026-06-19