What is a Hash Function?

Hash functions explained: one-way digests, MD5 vs SHA-256, use cases, and why you should never hash passwords with SHA.

6 min read·Updated June 2026

A hash function takes an input of any size and produces a fixed-length output called a digest or hash. Change a single character in the input and the entire output changes completely; this is called the avalanche effect. Hash functions are one-way: there is no feasible way to recover the input from its digest other than guessing candidate inputs and hashing each one, which is exactly why short or predictable inputs (passwords, for instance) are the weak point.

They are fundamental to computer security — used to verify file integrity, store passwords, sign documents, deduplicate content, and power blockchain systems.

Four properties of a cryptographic hash function

  • Deterministic — the same input always produces the same output.
  • Fixed-length output — regardless of input size, the digest is always the same number of bits.
  • Avalanche effect — a tiny change in input completely changes the output. hello and hello! produce entirely different hashes.
  • Collision resistance — it should be computationally infeasible to find two different inputs that produce the same hash. Closely related are preimage resistance (given a digest, you cannot find an input that produces it) and second-preimage resistance (given one input, you cannot find a different input with the same digest); together these are what make the function one-way.

MD5, SHA-1, SHA-256, SHA-512 compared

Algorithm   Output size         Speed           Security   Common use
MD5         128 bit (32 hex)    Very fast       Broken     Non-security checksums, legacy systems
SHA-1       160 bit (40 hex)    Fast            Broken     Git commit IDs (transitioning to SHA-256)
SHA-256     256 bit (64 hex)    Fast            Secure     TLS certificates, JWT HS256 (HMAC-SHA-256), file integrity
SHA-512     512 bit (128 hex)   Varies by CPU   Secure     High-security applications; often faster than SHA-256 on 64-bit CPUs without SHA hardware extensions, slower on 32-bit

Broken means that collisions (two inputs producing the same hash) can be computed in practice: an MD5 collision takes seconds on a laptop, and a SHA-1 collision was demonstrated in 2017 (the SHAttered attack) and has only become cheaper since. Finding a preimage for either is still impractical, but a function whose collision resistance has fallen has no place in a new design. Never use MD5 or SHA-1 for anything security-critical; if a legacy system forces one on you, treat its output as a checksum, not as proof of integrity.

Use cases

File integrity and checksums

Download a file, compute its SHA-256 hash, and compare it to the hash published by the author. If they match, the bytes you received are the bytes the author hashed. The check is only as trustworthy as the channel that delivered the published hash: a checksum served next to the download on the same page is changed by the same attacker who swaps the download, which is why careful projects publish hashes from a separate location over HTTPS or, better, sign them (see digital signatures below). Package managers build this in: npm records a SHA-512 integrity value for every package in package-lock.json, pip can pin and enforce hashes in requirements files (--require-hashes), and apt checks every package against hashes listed in a signed Release file.
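The verification step above as an added Python example (not code from the original page): it streams a file through SHA-256 so large downloads are never held in memory, parses the "DIGEST  filename" lines that sha256sum produces, compares in constant time, and measures the avalanche effect on two near-identical inputs. The release file contents and the published checksum list are constructed for the example; the digest of b"abc" is the standard SHA-256 test vector.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 in chunks; a multi-GB download is never read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'DIGEST  filename' lines (sha256sum output) into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # sha256sum marks files hashed in binary mode with a leading '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, published_digest):
    """True only if the file's digest matches the published one.

    compare_digest takes time independent of where the strings first differ, so a
    verifier exposed to an attacker does not leak how many leading hex digits matched.
    """
    return hmac.compare_digest(sha256_file(path), published_digest.lower())


def bit_difference(a: bytes, b: bytes) -> int:
    """Differing bits between SHA-256(a) and SHA-256(b): about 128 of 256 for any distinct inputs."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")


# Constructed sample: the checksum list an author might host alongside a release.
PUBLISHED_SHA256SUMS = """
# release 1.0 checksums
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.0.tar.gz
"""


def demo():
    """Write a genuine and a tampered copy of the release into a temp dir and verify both."""
    expected = parse_sha256sums(PUBLISHED_SHA256SUMS)
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "tool-1.0.tar.gz")
        tampered = os.path.join(d, "tool-1.0-tampered.tar.gz")
        with open(genuine, "wb") as f:
            f.write(b"abc")      # constructed file body
        with open(tampered, "wb") as f:
            f.write(b"abd")      # one byte flipped in transit
        return {
            "genuine_ok": verify_download(genuine, expected["tool-1.0.tar.gz"]),
            "tampered_ok": verify_download(tampered, expected["tool-1.0.tar.gz"]),
            "genuine_digest": sha256_file(genuine),
        }


if __name__ == "__main__":
    print(demo())
    print("bits changed by appending '!':", bit_difference(b"hello", b"hello!"))
```

A one-byte change in the file fails the check, and the two digests differ in roughly half their bits, which is the avalanche effect the article describes.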

Content deduplication

Git hashes every file (as a blob object) and every commit, and uses the hash as the object's name. If two files have the same hash, Git stores them once and treats them as identical without comparing their contents byte-by-byte, which keeps repositories fast and space-efficient. Git still defaults to SHA-1 for this, but it runs a hardened variant (sha1collisiondetection) that rejects inputs showing the known collision patterns, and it supports SHA-256 as an alternative object format.
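Git's object naming and the deduplication it buys, as an added Python example (not Git's code and not from the original page). Git hashes the header "blob <size>\0" followed by the file's bytes, which is why git hash-object gives a different result from sha1sum on the same file; the ContentAddressedStore class and the sample repository contents are a constructed model of that behaviour, not Git's real object database.

```python
import hashlib


def git_object_id(content: bytes, kind: str = "blob", algo: str = "sha1") -> str:
    """Compute a Git object name: hash of '<type> <size>\\0' followed by the raw content.

    algo="sha256" gives the name the same object would have in a SHA-256 repository.
    """
    header = b"%s %d\x00" % (kind.encode(), len(content))
    return hashlib.new(algo, header + content).hexdigest()


class ContentAddressedStore:
    """Toy model of Git's object database: objects are keyed by their digest,
    so identical content is stored once no matter how many paths refer to it."""

    def __init__(self, algo: str = "sha1"):
        self.algo = algo
        self.objects = {}   # object id -> content
        self.paths = {}     # path -> object id (like entries in a tree)

    def add_file(self, path: str, content: bytes) -> str:
        oid = git_object_id(content, "blob", self.algo)
        if oid not in self.objects:      # dedup decided by the digest, not a byte comparison
            self.objects[oid] = content
        self.paths[path] = oid
        return oid

    def read_file(self, path: str) -> bytes:
        return self.objects[self.paths[path]]

    def bytes_stored(self) -> int:
        return sum(len(c) for c in self.objects.values())


def demo():
    """Constructed repository with three paths, two of which hold identical content."""
    store = ContentAddressedStore()
    license_text = b"MIT License\n" * 20          # 240 bytes
    store.add_file("LICENSE", license_text)
    store.add_file("vendor/lib/LICENSE", license_text)   # identical copy under another path
    store.add_file("README", b"hello\n")
    return {
        "paths": len(store.paths),
        "objects": len(store.objects),
        "bytes_stored": store.bytes_stored(),
        "bytes_in_paths": sum(len(store.read_file(p)) for p in store.paths),
    }


if __name__ == "__main__":
    print("empty blob:", git_object_id(b""))     # e69de29bb2d1d6434b8b29ae775ad8c2e48c5391, as in any Git repo
    print(demo())
```

The empty-blob and "hello\n" object ids the function produces match what git hash-object reports, and the store holds two objects for three paths: the duplicated license costs nothing beyond a second tree entry.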

Digital signatures

To sign a document, you hash it first, then run the signing operation with your private key on the digest (for RSA this is often loosely described as "encrypting the hash with the private key"; schemes such as ECDSA and Ed25519 work differently internally, but the hash-then-sign pattern is the same). The recipient recomputes the hash of the document they received and uses your public key to check the signature against that digest. Signing the digest rather than the whole document is much faster, and most signature schemes can only operate on a fixed-size input anyway. A modified document fails verification because its digest no longer matches the one the signature was made over.

Password storage

Storing raw passwords is catastrophic — if the database is compromised, every account is exposed. Instead, store the hash. When the user logs in, hash their input and compare it to the stored hash.

Important: never use MD5, SHA-1, or even raw SHA-256 to hash passwords. These algorithms are designed to be fast, and a GPU computes billions of SHA-256 digests per second, so an attacker who steals the database can hash a wordlist and look up every user's entry; with no salt, one precomputed table cracks every account at once. Use a password hashing algorithm specifically designed to be slow, memory-hard, and salted per user: Argon2id, scrypt, or bcrypt, with a unique random salt stored next to each hash and a work factor tuned so that one login costs tens to hundreds of milliseconds.
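Both halves of that warning as an added Python example (not from the original page): a lookup-table attack against unsalted SHA-256 digests, next to salted scrypt hashing with a self-describing storage format and a constant-time check. It uses only hashlib and hmac from the standard library; scrypt was chosen because it is on the article's list and needs no third-party package (Argon2id would need one). The storage string format, the work factors, and the wordlist are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Work factors: scrypt with N=2**14, r=8, p=1 needs about 16 MiB and tens of ms per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Salted, slow hash in a self-describing string: $scrypt$N$r$p$salt_hex$key_hex.

    Storing the parameters with the hash lets you raise the work factor later and
    re-hash each user transparently at their next login.
    """
    salt = secrets.token_bytes(16)                        # fresh random salt per user
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN, maxmem=2 ** 26)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        _, scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2, maxmem=2 ** 26)
    return hmac.compare_digest(key.hex(), key_hex)


def unsalted_sha256(password: str) -> str:
    """What NOT to store: fast, unsalted, and identical for every user with the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for the multi-gigabyte lists attackers actually use.
WORDLIST = ["123456", "letmein", "password123", "qwerty", "correct horse"]


def crack_unsalted(stolen_digests, wordlist):
    """One precomputed table cracks every unsalted digest in a dump with a dict lookup each.

    Against salted hashes the table would have to be rebuilt per user, and with a slow
    hash each entry of that rebuild costs tens of milliseconds instead of nanoseconds.
    """
    table = {unsalted_sha256(w): w for w in wordlist}      # built once, reused for every user
    return {d: table.get(d) for d in stolen_digests}


if __name__ == "__main__":
    dump = [unsalted_sha256("password123"), unsalted_sha256("qwerty"), unsalted_sha256("Tr0ub4dor&3")]
    print(crack_unsalted(dump, WORDLIST))
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

Two users who chose the same password get different records because their salts differ, so the attacker cannot crack them both with one computation, and a malformed or foreign-scheme record is rejected rather than compared.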

Hashes vs encryption

Hashing and encryption are fundamentally different:

                  Hashing                        Encryption
Reversible?       No, one-way only               Yes, with the key
Output size       Fixed                          Variable (close to input size)
Requires a key?   No                             Yes
Use case          Verification, fingerprinting   Protecting data in transit or at rest

Hashing is also distinct from Base64 encoding — Base64 is fully reversible and adds no security, it simply converts binary data to text.

Frequently asked questions