MD5 vs SHA-256 vs SHA-512 – Choosing the Right Hash Algorithm

"MD5 is broken" is technically correct and practically misleading. MD5 is broken for collision resistance — an attacker can craft two different files that produce the same MD5 hash. That makes it useless for security-sensitive verification. But MD5 is still fast, widely supported, and perfectly valid for non-adversarial use cases like deduplicating database records, generating cache keys, and computing checksums on files from trusted internal sources. Choosing the wrong algorithm for your use case wastes either performance (overkill) or security (insufficient). A hash generator that supports all four algorithms lets you try them side by side and see the differences instantly.

The decision framework is simple: if an adversary could benefit from a collision, use SHA-256 or SHA-512. If you are checking data integrity in a context where the data source is trusted and no adversary is involved, MD5 or SHA-1 work fine. If you are hashing passwords, use none of these — use bcrypt, scrypt, or Argon2 instead.

# Same input, four algorithms — same data, different properties:
Input: "hello world"

MD5:     5eb63bbbe01eeed093cb22bb8f5acdc3    # 32 hex chars, fast, broken for collision
SHA-1:   2aae6c69cd90ba9b7d6e3e4f3e8e2fa0f6  # 40 hex chars, faster, broken for collision
SHA-256: b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576 # 64 hex chars, secure
SHA-512: 309ecc489c12d6eb4cc40f50c902f2b4d0ed77ee511a7c7a # 128 hex chars, very secure

# Avalanche effect — one character changed:
Input: "Hello world"  (capital H)
MD5:     e59ff97941044f85df5297e1c302d260   # completely different
SHA-256: 64ec88ca00b268e5ba1a35678a1b5316d2d8b2ebff52a6 # completely different

Algorithm Comparison

| Algorithm | Output | Secure | Common Uses | |---|---|---|---| | MD5 | 128 bits (32 hex) | No (collisions) | Cache keys, dedup, trusted checksums | | SHA-1 | 160 bits (40 hex) | No (collisions) | Legacy git, avoid for new work | | SHA-256 | 256 bits (64 hex) | Yes | File integrity, HMAC, TLS, Bitcoin | | SHA-512 | 512 bits (128 hex) | Yes | Long-term archival, certificates |

Collision resistance is the property that distinguishes secure from insecure for this comparison. A collision occurs when two different inputs produce the same hash. If an attacker can manufacture a collision, they can replace a legitimate file with a malicious one that produces the same hash — the checksum matches, but the file is different. MD5 collisions are practical to compute on modern hardware in seconds. SHA-1 collisions are practical (demonstrated by the SHAttered attack in 2017). SHA-256 and SHA-512 have no known practical collision attacks.

Speed also matters for the right use cases. Benchmark on modern x86-64 hardware:

• MD5: ~600 MB/s
• SHA-1: ~500 MB/s
• SHA-256: ~350 MB/s
• SHA-512: ~400 MB/s (faster than SHA-256 on 64-bit due to 64-bit word operations)

For password hashing, all of these are far too fast — they enable billions of guesses per second in brute-force attacks. Use bcrypt, scrypt, or Argon2 for passwords.

When MD5 Is Still Acceptable

MD5's broken collision resistance only matters when an adversary could exploit it. In contexts where the data sources are trusted and no adversary can influence the input, MD5's collision vulnerability is irrelevant.

• Database deduplication. Hashing record content to detect duplicates in an internal system — where no external party is crafting input — is safe with MD5. The performance advantage over SHA-256 is meaningful when hashing millions of records.
• Cache key generation. A cache key derived from request parameters does not need collision resistance — an accidental collision would serve slightly wrong cached data, not a security incident. MD5 is faster and the keys are shorter.
• ETags for internal CDN content. If the CDN and the origin server are both trusted and the ETag is used only for cache invalidation (not security verification), MD5 is sufficient.
• Checksums on files from trusted internal sources. If you are verifying a file transferred between two systems you control, and no adversary can intercept and substitute the file, MD5 identifies accidental corruption. It does not protect against a motivated attacker.

When to Use SHA-256

SHA-256 is the current standard for any security-sensitive hashing. Choose it by default when in doubt.

• File integrity verification from external sources. Downloads from the internet, packages from third-party repositories, and artifacts from CI pipelines all require SHA-256. An attacker who compromises a mirror or intercepts a download can craft an MD5 collision; they cannot craft a SHA-256 collision.
• HMAC signatures for webhooks and APIs. HMAC-SHA256 is the standard algorithm for webhook signing (Stripe, GitHub, Shopify). See our guide on HMAC-SHA256 for webhooks for the full signing workflow.
• TLS certificates and PKI. Modern TLS certificates use SHA-256 for their signature algorithm. SHA-1 certificates are rejected by browsers since 2017.
• JWT signatures. The HS256 algorithm in JWT is HMAC-SHA256. The RS256 algorithm uses RSA with SHA-256. See our guide on JWT tokens explained for how the signature is constructed.
• General-purpose cryptographic hashing. When you need a hash for any security-sensitive purpose and SHA-512 is not specifically required, SHA-256 is the right default.

When SHA-512 Is Better

SHA-512 is not "more secure than SHA-256 in practice" — both are considered secure against all known attacks. SHA-512 provides a larger security margin and is faster on 64-bit hardware. Choose it in specific contexts.

• Long-term archival. Files that need integrity guarantees over decades — legal documents, research data, cryptographic keys — benefit from SHA-512's larger output, which provides a wider margin against any future advances in cryptanalysis.
• Performance on 64-bit systems with large files. SHA-512 operates on 64-bit words; SHA-256 on 32-bit words. On 64-bit x86 hardware, SHA-512 is approximately 15–25% faster for large inputs. For applications that hash large files frequently, this matters.
• Password-adjacent hashing with Argon2 or scrypt internals. These password hashing algorithms optionally use SHA-512 in their internals. The choice is made by the library, not the application.

Frequently Asked Questions

Conclusion

MD5 is broken for collision resistance, not for speed or determinism. The question is whether collision resistance matters for your use case. If an adversary could craft a collision to attack your system, use SHA-256. If you are working with trusted data in an adversary-free context, MD5's performance advantage makes it a reasonable choice. When in doubt, SHA-256 is the safe default — it is secure, widely supported, and fast enough for every practical use case.

If you need to generate and compare MD5, SHA-1, SHA-256, or SHA-512 hashes, the DevToolBox Hash Generator produces all four. DevToolBox tools run entirely in your browser — no signup, no install, nothing sent to a server.