MD5 vs SHA-256: which hash should you use?
MD5 and SHA-256 are both general-purpose hash functions, but one is cryptographically broken and the other is the current workhorse. Here is when each is acceptable.
MD5Fast, broken legacy hash
vsSHA-256Secure modern hash
| MD5 | SHA-256 | |
|---|---|---|
| Output size | 128 bits (32 hex) | 256 bits (64 hex) |
| Speed | Faster | Fast |
| Collision-resistant | No (broken) | Yes |
| Safe for signatures | No | Yes |
| Acceptable use | Non-security checksums only | Integrity, signatures, addressing |
| Passwords | No | No (too fast — use bcrypt) |
Why MD5 is broken
Researchers can deliberately craft two different inputs with the same MD5 hash (a collision), and have for years. That destroys MD5 for any security purpose — signatures, certificates, deduplication of untrusted files.
It survives only as a fast checksum for detecting accidental corruption, where no attacker is involved.
Neither is for passwords
A key point both share: being fast makes them wrong for passwords. Use bcrypt, scrypt, or Argon2 there. See bcrypt vs SHA-256 for why.
The verdict
Use SHA-256 for anything security-related — integrity checks, signatures, content addressing. Use MD5 only as a fast checksum for accidental corruption, never for security. Generate both in the Hash Generator.
Frequently asked questions
- Is MD5 still safe to use?
- Not for anything security-related — it is collision-broken. It is only acceptable as a fast checksum to detect accidental data corruption.
- Is SHA-256 better than MD5?
- For security, decisively yes: it is collision-resistant and produces a longer hash. MD5 is only competitive on raw speed, which does not matter for integrity.
- Can I use SHA-256 for passwords?
- No — it is far too fast, letting attackers guess billions per second. Use a deliberately slow, salted hash like bcrypt or Argon2.
Try it yourself
Free, in-browser tools for everything above.