Skip to main content

MD5, SHA-256, or bcrypt: A Practical Guide to Choosing the Right Hash Algorithm

A clear breakdown of MD5, SHA-256, and bcrypt — what each one does, where each fails, and a three-question decision guide to pick the right algorithm for your use case.

Published By 李雷
#hashing #md5 #sha-256 #bcrypt #password security #cryptography #web development

MD5, SHA-256, or bcrypt: A Practical Guide to Choosing the Right Hash Algorithm

Three algorithms, three purposes. MD5, SHA-256, and bcrypt all produce fixed-length outputs from arbitrary inputs, but putting the wrong one in the wrong place has cost real companies real money. MD5 password databases have been cracked overnight. SHA-256 is sound for data integrity but pointless for protecting passwords. bcrypt is the right call for credentials but wasteful for file checksums. This guide cuts through the confusion with concrete examples and a decision tree you can apply today.

What a Hash Function Actually Promises

A hash function takes any input and maps it to a fixed-length string. Give it the same input twice and you get the same output. Change one bit of the input and the output looks completely different — this is called the avalanche effect.

The three algorithms covered here differ in two critical dimensions: speed and resistance to preimage attacks.

Speed matters because high throughput is useful for checksums and harmful for passwords. An attacker trying to brute-force a stolen password database wants to try billions of guesses per second. A fast algorithm helps them; a slow algorithm stops them.

Preimage resistance (the inability to reverse a hash back to its input) protects against lookup tables and rainbow tables. MD5 and SHA-256 have no built-in defense against precomputed attacks; bcrypt does.

MD5: Right for Checksums, Wrong for Passwords

MD5 produces a 128-bit (32 hex character) digest. It was designed in 1992 for speed, and speed is what it delivers.

Real example — hashing the string hello:

Input:  hello
MD5:    5d41402abc4b2a76b9719d911017c592

That output is deterministic and instant. For verifying a file download hasn't been corrupted in transit, that speed is exactly what you want. Many Linux package managers still ship MD5 checksums alongside .tar.gz files for this reason.

The problem: an RTX 3090 can compute roughly 69 billion MD5 hashes per second (Hashcat benchmark, 2023). That means a moderately powerful GPU tests the entire 8-character alphanumeric password space — 36⁸ = about 2.8 trillion combinations — in under a minute. If a database storing MD5-hashed passwords leaks, those passwords are effectively plaintext.

MD5 also has known collision vulnerabilities: two different inputs that produce the same hash. For password storage this is almost academic (collisions still need to match a real password), but for digital signatures and certificates, MD5 collisions are a practical attack vector. Do not use MD5 in any security context.

Use MD5 when: you need a non-security checksum — verifying a downloaded file, cache-busting a URL, or comparing two large strings cheaply. You can generate one instantly with the MD5 / SHA Hash Generator.

SHA-256: The Standard for Data Integrity

SHA-256, part of the SHA-2 family, produces a 256-bit (64 hex character) digest. It is the default choice for anything where integrity matters: TLS certificates, Git commit IDs, Bitcoin transactions, and code-signing all rely on it.

Real example — the same hello input:

Input:   hello
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

SHA-256 has no known collision attacks and is considered cryptographically sound as of 2026. It is also fast — about 22 billion hashes per second on the same RTX 3090 (Hashcat benchmark, 2023). That speed makes it excellent for hashing large files quickly.

However, "fast" is still the fatal flaw for password storage. 22 billion guesses per second is slower than MD5 but still fast enough to crack typical passwords in hours. SHA-256 gives you no built-in salt (so rainbow tables work) and no cost factor (so you can't slow it down as hardware improves).

Use SHA-256 when: you need to verify integrity — file checksums, API request signatures (HMAC-SHA256 is standard), fingerprinting assets, or comparing two large datasets. For files, the File Hash Calculator computes SHA-256 (and MD5, SHA-1, SHA-512) entirely in your browser without uploading anything.

bcrypt: Deliberately Slow and Salted

bcrypt was designed in 1999 specifically for password hashing. It has two properties that make it categorically different from MD5 and SHA-256:

  1. Built-in salt. Each bcrypt hash embeds a unique 128-bit random salt, so the same password hashed twice produces different outputs. Rainbow tables and precomputed lookups are useless.
  2. Configurable cost factor. The algorithm runs a key schedule in a loop. You control the number of iterations with a cost parameter (4 to 31). At cost 12, hashing one password takes roughly 250–400 ms on a modern server CPU. An attacker with a GPU cluster testing passwords against a leaked bcrypt database can realistically attempt only a few thousand guesses per second — versus 69 billion for MD5.

Real example — hashing hello with cost 12:

Input:   hello
bcrypt:  $2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW
          ^^^^  ← cost factor embedded in the hash string

The output format is always 60 characters and encodes the algorithm version, cost, salt, and digest together. You pass this single string to any bcrypt verify function; no separate salt storage is needed.

I tested cost 10 vs 12 on an Apple M2 laptop while building a small auth service. Cost 10 took about 65 ms per hash; cost 12 was around 270 ms. For a login endpoint that handles at most a few hundred requests per second, 270 ms is fine. For a batch import of 100,000 users, cost 10 is more practical. You can experiment with different cost factors using the Bcrypt Generator before committing to a value in production.

Use bcrypt when: you are storing any user credential — passwords, API keys that need to be verified, security tokens. Do not use it for file checksums or data fingerprinting; the salt means two calls with the same input give different outputs.

A Decision Tree in Three Questions

1. Are you storing a user secret that needs to be verified later? → Yes → Use bcrypt (cost 10–12 for new systems). → No → Continue.

2. Does the hash need to be reversed or compared across systems? → You need to match files, fingerprint requests, or produce a verifiable digest → Use SHA-256. → You just need a fast non-security fingerprint (cache key, deduplication) → MD5 is acceptable but SHA-256 is fine too.

3. Do you have an existing hash and don't know what algorithm produced it? → Paste it into the Hash Type Detector — it identifies MD5, SHA-256, bcrypt, Argon2, and 30+ other formats by length and encoding pattern.

If none of the three fits (for example, you need memory-hardness against GPU attacks, or you're operating under OWASP 2024 recommendations), look at Argon2id, which is now the first recommendation in most modern security guidelines. bcrypt remains a safe default for the vast majority of applications.

The main mistake I see in code reviews is using SHA-256 for passwords because it "sounds more secure than MD5." It is more collision-resistant, but it is still fast and unsalted — the two properties that make a hash algorithm dangerous for credential storage. Pick the algorithm that matches the threat model, not the one with the highest bit count.


Made by Toolora · Updated 2026-06-28