What is a Hash Function?
A hash function is an algorithm that takes input data of any size and produces a fixed-size output called a hash, digest, or checksum. Think of it as a digital fingerprint—unique to the input data but impossible to reverse-engineer back to the original.
A cryptographic hash function has additional security properties that make it suitable for security applications like password storage, digital signatures, and data integrity verification.
Key Properties of Cryptographic Hashes
The same input always produces the same hash. Hash "hello" a million times, get the same result every time.
Given a hash, it's computationally infeasible to find the original input. You can't reverse the process.
It's extremely difficult to find two different inputs that produce the same hash.
A tiny change in input creates a completely different hash. Change one bit, change ~50% of the output.
// Avalanche effect demonstration (SHA-256) "hello" → 2cf24dba5fb0a30e26e83b2ac5b9e29e... "hellp" → 7d793037a0760186574b0282f2f435e7... // One letter change: completely different hash
Common Hash Algorithms
MD5 (Message Digest 5)
- Output: 128 bits (32 hex characters)
- Created: 1991 by Ron Rivest
- Issues: Collision attacks demonstrated in 2004. Collisions can be generated in seconds.
- Acceptable uses: Checksums for non-security purposes (file integrity where attacks aren't a concern).
MD5("hello") = 5d41402abc4b2a76b9719d911017c592
SHA-1 (Secure Hash Algorithm 1)
- Output: 160 bits (40 hex characters)
- Created: 1995 by NSA
- Issues: First practical collision attack in 2017 (SHAttered). Major browsers and systems have deprecated it.
- Legacy uses: Git still uses SHA-1 for commit hashes (migrating to SHA-256).
SHA1("hello") = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-256 (SHA-2 Family)
- Output: 256 bits (64 hex characters)
- Created: 2001 by NSA
- Security: No known practical attacks. Used in TLS, Bitcoin, and countless security applications.
- Family: SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512.
SHA256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
SHA-512
- Output: 512 bits (128 hex characters)
- Performance: Actually faster than SHA-256 on 64-bit systems.
- Use case: When you need extra security margin or larger digests.
SHA-3
- Output: Variable (224, 256, 384, 512 bits)
- Created: 2015, based on Keccak algorithm
- Advantage: Completely different design from SHA-2, providing algorithm diversity.
- Adoption: Growing but SHA-2 remains more common.
Common Use Cases
Password Storage
Hashing is essential for secure password storage, but standard hash functions alone aren't enough:
Hash functions are too fast. Attackers can try billions of passwords per second.
Instead, use password-specific algorithms designed to be slow:
- Argon2 (recommended) - Memory-hard, configurable
- bcrypt - Time-tested, widely supported
- scrypt - Memory-hard alternative
Data Integrity
Verify files haven't been tampered with or corrupted:
# Verify a downloaded file sha256sum downloaded-file.zip # Compare with published hash from source
Digital Signatures
Sign the hash of a document rather than the entire document:
- Hash the document (fast, fixed-size output)
- Sign the hash with private key
- Recipient verifies by hashing document and checking signature
Deduplication
Identify duplicate files without comparing entire contents:
// Check if file already exists by hash
const fileHash = sha256(fileContent);
if (database.exists(fileHash)) {
return "Duplicate file";
}
Blockchain and Cryptocurrencies
Bitcoin uses SHA-256 for proof-of-work mining and transaction verification. The blockchain is essentially a chain of hashes.
HMAC: Keyed Hashing
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to provide both integrity and authenticity:
HMAC-SHA256(key, message) = hash(key XOR opad || hash(key XOR ipad || message)) // Used for: // - API authentication signatures // - Cookie/token verification // - Message authentication in protocols
Unlike plain hashing, HMAC proves the message came from someone who knows the secret key.
Generating Hashes in Different Languages
JavaScript (Browser)
async function sha256(message) {
const encoder = new TextEncoder();
const data = encoder.encode(message);
const hashBuffer = await crypto.subtle.digest('SHA-256', data);
const hashArray = Array.from(new Uint8Array(hashBuffer));
return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}
await sha256('hello'); // "2cf24dba..."
Node.js
const crypto = require('crypto');
const hash = crypto.createHash('sha256')
.update('hello')
.digest('hex');
// "2cf24dba..."
// HMAC
const hmac = crypto.createHmac('sha256', 'secret-key')
.update('message')
.digest('hex');
Python
import hashlib
# Simple hash
hash = hashlib.sha256(b'hello').hexdigest()
# "2cf24dba..."
# File hash
with open('file.txt', 'rb') as f:
file_hash = hashlib.sha256(f.read()).hexdigest()
PHP
$hash = hash('sha256', 'hello');
// "2cf24dba..."
// File hash
$fileHash = hash_file('sha256', 'file.txt');
// HMAC
$hmac = hash_hmac('sha256', 'message', 'secret-key');
Security Considerations
- Choose the right algorithm: SHA-256 for general use, Argon2/bcrypt for passwords.
- Don't roll your own: Use established libraries, not custom implementations.
- Salt passwords: Add unique random data before hashing to prevent rainbow table attacks.
- Length extension attacks: SHA-256 is vulnerable; use HMAC when integrity matters.
- Timing attacks: Use constant-time comparison when verifying hashes.
Quick Reference
| Algorithm | Output Size | Status | Use For |
|---|---|---|---|
| MD5 | 128 bits | Broken | Non-security checksums only |
| SHA-1 | 160 bits | Deprecated | Legacy compatibility only |
| SHA-256 | 256 bits | Recommended | General security applications |
| SHA-512 | 512 bits | Recommended | Higher security margin |
| SHA-3 | Variable | Recommended | Algorithm diversity |
Generate Hashes
Use our hash generator to create MD5, SHA-1, SHA-256, and SHA-512 hashes instantly.
Open Hash Generator →