What Is a Cryptographic Hash Function?
A cryptographic hash function takes any input and produces a fixed-size output (the hash or digest). Good hash functions have three properties: determinism (the same input always produces the same output), the avalanche effect (tiny input changes produce completely different outputs), and the one-way property (you cannot reverse a hash to find the input).
MD5: Broken but Not Gone
MD5 produces a 128-bit hash and is computationally fast. In 1996, researchers discovered collisions — two different inputs producing the same hash. MD5 is cryptographically broken for security purposes but remains useful for non-security applications like file integrity checks and checksums, where the goal is to catch accidental corruption rather than deliberate tampering.
SHA-256 and the SHA-2 Family
SHA-256 is part of the SHA-2 family designed by the NSA. It produces a 256-bit hash and has no known practical attacks. It is the standard for digital signatures, TLS certificates, and Bitcoin's proof-of-work algorithm.
SHA-3: The Modern Alternative
SHA-3 uses a fundamentally different construction (Keccak sponge) from SHA-2, providing an alternative if weaknesses in SHA-2 are ever discovered. SHA-3 is appropriate for new security-critical applications where implementation complexity is acceptable.
Password Hashing Is Different
General-purpose hash functions like SHA-256 are too fast for password storage. Attackers can compute billions of SHA-256 hashes per second using GPUs. Use purpose-built slow hashing functions: bcrypt, scrypt, or Argon2.