**By Dev Tools Weekly** | hashgenerator.co
MD5 vs SHA-1 vs SHA-256 vs SHA-512 — when to use each.
At a Glance
| Algorithm | Output | Speed | Secure? | Use In 2026 |
|---|---|---|---|---|
| **MD5** | 128-bit (32 hex) | ⚡ Very fast | ❌ Broken | Checksums only. Never for security. |
| **SHA-1** | 160-bit (40 hex) | ⚡ Fast | ❌ Broken | Legacy only. Migrate away. |
| **SHA-256** | 256-bit (64 hex) | 🔵 Moderate | ✅ Secure | **Default choice.** Most applications. |
| **SHA-384** | 384-bit (96 hex) | 🔵 Moderate | ✅ Secure | TLS, when extra margin wanted. |
| **SHA-512** | 512-bit (128 hex) | 🔵 Moderate | ✅ Secure | Large data, 64-bit systems. |
| **SHA-3-256** | 256-bit (64 hex) | 🔵 Moderate | ✅ Secure | When SHA-2 diversity needed. |
| **BLAKE2b** | Up to 512-bit | ⚡ Very fast | ✅ Secure | Performance-critical hashing. |
| **BLAKE3** | 256-bit (extensible) | ⚡⚡ Fastest | ✅ Secure | Modern replacement. Parallelizable. |
| **bcrypt** | 184-bit | 🐢 Slow (by design) | ✅ | **Password hashing.** |
| **Argon2** | Configurable | 🐢 Slow (by design) | ✅ | **Password hashing (best).** |
| **scrypt** | Configurable | 🐢 Slow (by design) | ✅ | Password hashing (memory-hard). |
The SHA Family Tree
SHA (1993) — Withdrawn
└── SHA-1 (1995) — 160-bit — BROKEN (collision found 2017)
SHA-2 (2001) — Still secure
├── SHA-224 — 224-bit (truncated SHA-256)
├── SHA-256 — 256-bit ★ MOST USED
├── SHA-384 — 384-bit (truncated SHA-512)
└── SHA-512 — 512-bit
└── SHA-512/256 — 256-bit (faster on 64-bit CPUs)
SHA-3 (2015) — Keccak-based, different internal design
├── SHA-3-224 — 224-bit
├── SHA-3-256 — 256-bit
├── SHA-3-384 — 384-bit
├── SHA-3-512 — 512-bit
└── SHAKE128/256 — Variable length output
When to Use What
✅ File Integrity / Checksums
Use: SHA-256 or BLAKE3
# Verify a download
sha256sum downloaded-file.tar.gz
MD5 is still common for checksums (not security-critical), but SHA-256 is better practice.
✅ Digital Signatures & Certificates
Use: SHA-256 (minimum), SHA-384, or SHA-512
- TLS certificates: SHA-256 is the standard
- Code signing: SHA-256 or SHA-384
- Git commits: SHA-256 (Git is migrating from SHA-1)
✅ Password Storage
Use: Argon2id (best), bcrypt, or scrypt — NEVER raw SHA/MD5
# ✅ Correct — use a password-specific hash
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
import hashlib
hashed = hashlib.sha256(password.encode()).hexdigest() # NO!
Why? SHA-256 is too fast. GPUs can test billions of SHA-256 hashes per second. bcrypt/Argon2 are intentionally slow (100ms+ per hash), making brute force impractical.
✅ HMAC (Message Authentication)
Use: HMAC-SHA-256
import hmac, hashlib
mac = hmac.new(secret_key, message, hashlib.sha256).hexdigest()
✅ Content Addressing / Deduplication
Use: SHA-256 or BLAKE3
Used by: Git (SHA-1 → SHA-256 migration), Docker images, IPFS, blockchain.
✅ Hash Tables / Non-Crypto
Use: xxHash, MurmurHash, SipHash, FNV
These are NOT cryptographic but are fast for hash maps, Bloom filters, etc.
Hash Output Examples
Input: Hello, World!
Algorithm Output **MD5** 65a8e27d8879283831b664bd8b7f0ad4**SHA-1** 0a0a9f2a6772942557ab5355d76af442f8f65e01**SHA-256** dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f**SHA-384** 5485cc9b3365b4305dfb4e8c6a8b... (96 hex chars)**SHA-512** 374d794a95cdcfd8b35993185fef9ba368f160d8daf432d08ba9f1ed1e5abe6cc69291e0fa2fe0006a52570ef18c19def4e617c33ce52ef0a6e5fbe318cb0387**BLAKE2b** b8d4e4dc33c4153292c0d0c4f3dc2e... (128 hex chars)**BLAKE3** 288a35612c2f5cbe11a151bf233ba8... (64 hex chars)
Collision Resistance
Algorithm Best Known Attack Status MD5 Collisions in seconds 💀 Broken (2004) SHA-1 Collisions demonstrated (SHAttered, 2017) 💀 Broken SHA-256 No practical attacks ✅ Secure SHA-512 No practical attacks ✅ Secure SHA-3-256 No practical attacks ✅ Secure BLAKE2b No practical attacks ✅ Secure BLAKE3 No practical attacks ✅ Secure
Password Hashing — Deep Dive
Algorithm Memory-Hard? Parallelism Control? Recommended Config **Argon2id** ✅ Yes ✅ Yes 64 MB memory, 3 iterations, 4 threads **bcrypt** ❌ No ❌ No Cost factor 12+ (≈250ms per hash) **scrypt** ✅ Yes ❌ Limited N=2^15, r=8, p=1 **PBKDF2** ❌ No ❌ No 600,000+ iterations (OWASP 2024)
Winner: Argon2id. It won the Password Hashing Competition (2015) and is recommended by OWASP.
Quick Reference Card
Need to hash a password? → Argon2id or bcrypt
Need to verify a file? → SHA-256 or BLAKE3
Need to sign something? → SHA-256 (with RSA/ECDSA)
Need HMAC? → HMAC-SHA-256
Need a fast non-crypto hash? → xxHash or BLAKE3
Still using MD5 or SHA-1? → Migrate. Now.
🛠 Generate hashes instantly: hashgenerator.co
📧 More cheat sheets: Dev Tools Weekly Newsletter