What Are Hash Functions?

A cryptographic hash function takes arbitrary input and produces a fixed-size digest. The same input always produces the same output. Any single-bit change in the input produces a completely different output (the avalanche effect). Hash functions are one-way: you cannot reverse a digest back to the original input without brute force.

Which Algorithm to Use

• MD5 — 128-bit digest. Fast, but cryptographically broken since 2004. Collision attacks are practical. Do not use MD5 for security purposes. It is still useful for non-security checksums where speed matters (e.g., cache keys, non-critical deduplication).
• SHA-1 — 160-bit digest. Also broken — Google demonstrated a practical collision (SHAttered) in 2017. Not safe for certificates or signatures. Still used in Git object IDs for historical reasons.
• SHA-256 — Part of the SHA-2 family. 256-bit digest. Currently secure and widely used for file integrity, digital signatures (TLS, code signing), and HMAC authentication.
• SHA-512 — 512-bit digest. Stronger security margin than SHA-256. Faster than SHA-256 on 64-bit CPUs due to wider internal operations. Overkill for most use cases.

Hashing vs. Encryption vs. HMAC

Hashing has no key — anyone who knows the algorithm can compute the hash. HMAC (Hash-based Message Authentication Code) is a hash computed with a secret key mixed in, proving the data came from someone who knows the key. Use HMAC (e.g., HMAC-SHA256) for API request signing. Use plain hashing for checksums and file integrity. Never hash passwords with SHA-256 directly — use a password-specific function like bcrypt or Argon2 that includes a salt and is intentionally slow.