Hash Generator FAQ — MD5, SHA-256, SHA-512 & Hashing Explained
Answers about cryptographic hashing: MD5 vs SHA-256, password hashing, hash collisions, and how to generate hashes for files and text.
Q1 What is a hash function?
A hash function takes input of any size and produces a fixed-length output (the hash or digest). It is deterministic (same input always gives same output), fast to compute, and practically impossible to reverse. Use the Hash Generator to compute MD5, SHA-1, SHA-256, and SHA-512 hashes instantly.
Q2 What is the difference between MD5 and SHA-256?
MD5 produces a 128-bit (32-character hex) hash and is fast but cryptographically broken — collisions can be generated in seconds. SHA-256 produces a 256-bit (64-character hex) hash and is part of the SHA-2 family, considered secure for all current uses. Always use SHA-256 or stronger for security-critical applications.
Q3 Is MD5 still safe to use?
MD5 is not safe for security purposes (digital signatures, certificates, password hashing). Collision attacks are practical. However, MD5 is still fine for non-security uses: file integrity checksums (when collision attacks are not a concern), cache keys, deduplication, and data partitioning.
Q4 How do I hash a password?
Never use raw MD5 or SHA-256 for passwords. Use a dedicated password hashing algorithm: bcrypt (most common), Argon2 (recommended), or scrypt. These are deliberately slow and include a random salt, making brute-force attacks impractical. In Python:
import bcrypt; bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()). bcrypt.hashpw expects the password as bytes, so a text password is encoded first.
Q5 Can you reverse a hash?
No. Cryptographic hash functions are one-way — you cannot mathematically reverse a hash to get the original input. However, weak hashes of common inputs can be found in rainbow tables (precomputed lookup databases). This is why passwords need salting (adding random data before hashing) and slow algorithms.
Q6 What is a hash collision?
A collision occurs when two different inputs produce the same hash output. Since hashes have fixed length, collisions are mathematically inevitable (pigeonhole principle), but for secure algorithms (SHA-256) they are computationally infeasible to find. MD5 and SHA-1 have practical collision attacks and should not be used for security.
Q7 How do I generate a SHA-256 hash?
Paste your text into the Hash Generator and select SHA-256. In code: Python —
import hashlib; hashlib.sha256(b"text").hexdigest(). CLI — echo -n "text" | sha256sum. JavaScript — use the Web Crypto API: crypto.subtle.digest("SHA-256", data).
Q8 What is SHA-512?
SHA-512 is a member of the SHA-2 family that produces a 512-bit (128-character hex) hash. It is more secure than SHA-256 against collision attacks and can be faster on 64-bit processors. Use SHA-512 when you need maximum security or when hashing large data on 64-bit systems.
Q9 What is the difference between hashing and encryption?
Hashing is one-way: input produces a fixed-length hash. You cannot recover the input from the hash. Encryption is two-way: plaintext becomes ciphertext (with a key), and ciphertext becomes plaintext (with the same or corresponding key). Use hashing for integrity verification and passwords; use encryption when you need to retrieve the original data.
Q10 How do I verify a file hash?
Download the file and its published hash. Then compute the hash: CLI —
sha256sum file.zip (Linux) or shasum -a 256 file.zip (macOS). Compare the output to the published hash. If they match, the file has not been tampered with. Many software download pages publish SHA-256 hashes for this purpose.
Q11 What is a salt in hashing?
A salt is random data added to the input before hashing. Each password gets a unique salt, so identical passwords produce different hashes. This defeats rainbow tables and precomputed lookup attacks. Salts are stored alongside the hash (they are not secret). Good password hashing algorithms (bcrypt, Argon2) handle salting automatically.
Q12 What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce a MAC. It verifies both data integrity and authenticity — only someone with the key can produce the correct HMAC. Used in API authentication (AWS Signature), JWT signatures (HS256), and secure cookie verification.
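The keyed check described in Q12, as an added example that is not code from the original page: it signs a message with HMAC-SHA256 and verifies it with a constant-time comparison. The key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, message: bytes) -> str:
    """Return the HMAC-SHA256 tag of message as a hex string."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag_hex: str) -> bool:
    """Recompute the tag and compare it in constant time."""
    try:
        received = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed tag: reject instead of raising
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    # Constructed key and messages, for illustration only.
    key = secrets.token_bytes(32)
    message = b'{"user":"alice","amount":10}'
    tag = sign(key, message)
    return {
        "genuine": verify(key, message, tag),
        "modified_message": verify(key, b'{"user":"alice","amount":9999}', tag),
        "wrong_key": verify(secrets.token_bytes(32), message, tag),
        "malformed_tag": verify(key, message, "not-hex"),
        # A bare SHA-256 needs no key, so anyone can recompute it after
        # changing the message; it shows integrity, not authenticity.
        "tag_differs_from_plain_sha256": tag != hashlib.sha256(message).hexdigest(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```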
Q13 How do I hash a file in Python?
Read the file in chunks to handle large files:
import hashlib; h = hashlib.sha256(); then read chunks with h.update(chunk). For a complete one-liner on small files: hashlib.sha256(open("file","rb").read()).hexdigest().
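The chunked hashing from Q13 combined with the comparison step from Q10, as an added example that is not code from the original page. The function names and the three-byte sample file are constructed; the published line is assumed to come from a source you trust and to be either a bare digest or sha256sum-style "HEX  filename" text.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 of the three bytes b"abc", used as the constructed "published" hash.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so memory use stays constant."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published(line: str) -> str:
    """Extract the digest from 'HEX' or sha256sum-style 'HEX  name' text."""
    fields = line.split()
    digest = fields[0].lower() if fields else ""
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest


def verify_file(path: str, published_line: str) -> bool:
    """True only if the file's SHA-256 equals the published digest."""
    return hmac.compare_digest(sha256_file(path), parse_published(published_line))


def demo() -> dict:
    # Constructed sample: upper-case digest plus filename, as sites often publish.
    published = f"{ABC_SHA256.upper()}  file.zip"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "file.zip")
        with open(path, "wb") as f:
            f.write(b"abc")
        intact = verify_file(path, published)
        same = sha256_file(path, chunk_size=1) == sha256_file(path)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate corruption or tampering
        modified = verify_file(path, published)
    return {"intact": intact, "chunking_is_equivalent": same, "modified": modified}
```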
Q14 What is SHA-3?
SHA-3 (Keccak) is the newest SHA family, standardized in 2015. It uses a completely different algorithm (sponge construction) than SHA-2. SHA-3 is not faster than SHA-2 for most uses but provides an independent alternative if SHA-2 is ever broken. SHA-3 variants: SHA3-256, SHA3-512, SHAKE128, SHAKE256.
Q15 Is SHA-1 still secure?
No. Google demonstrated a practical SHA-1 collision in 2017 (SHAttered attack). SHA-1 is deprecated for digital signatures, TLS certificates, and git integrity (git is migrating to SHA-256). SHA-1 is still used in git commit hashes (legacy) and some non-security checksums, but should be replaced with SHA-256.
Q16 What is a checksum?
A checksum is a value computed from data to detect accidental changes (corruption, transmission errors). MD5 and SHA-256 are commonly used as checksums for file downloads. Simpler checksums (CRC32, Adler-32) are faster but less secure. The term is often used interchangeably with "hash" in non-security contexts.
Q17 How do I hash in JavaScript?
Use the Web Crypto API: create a function that encodes text with TextEncoder, calls
crypto.subtle.digest("SHA-256", data), then converts the ArrayBuffer to hex. For Node.js: crypto.createHash("sha256").update(text).digest("hex").
Q18 What hash algorithm should I use?
For passwords: Argon2id (best) or bcrypt. For file integrity: SHA-256. For API authentication: HMAC-SHA256. For general checksums: SHA-256 (or CRC32 if speed matters more than security). Avoid: MD5 and SHA-1 for anything security-related. When in doubt, use SHA-256.
Q19 Can two different files have the same hash?
Theoretically yes (collision), but for SHA-256 the probability is astronomically low — about 1 in 2^128. You would need more energy than the sun produces in its lifetime to brute-force a SHA-256 collision. For all practical purposes, different files produce different SHA-256 hashes.
Q20 What is a rainbow table?
A rainbow table is a precomputed lookup table mapping hashes to their original inputs. Attackers use them to quickly reverse common password hashes. Defense: use salted hashing (each password gets a unique random salt, so precomputed tables are useless). This is why bcrypt and Argon2 always include salts.
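The salting behaviour described in Q4, Q11 and Q20, as an added example that is not code from the original page. It uses scrypt from Python's standard library in place of bcrypt so that it runs without third-party packages; the record format, the cost parameters and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters: assumed values for this example; tune per system.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme, costs, salt, derived key."""
    salt = secrets.token_bytes(16)  # unique per password, not secret
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=N, r=R, p=P, maxmem=MAXMEM, dklen=32)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and costs; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), maxmem=MAXMEM,
                            dklen=len(expected))
    except ValueError:
        return False  # malformed or unsupported record
    return hmac.compare_digest(dk, expected)


def demo() -> dict:
    # Constructed sample: two users who chose the same password.
    pw = "correct horse battery staple"
    unsalted_a = hashlib.sha256(pw.encode()).hexdigest()
    unsalted_b = hashlib.sha256(pw.encode()).hexdigest()
    record_a, record_b = hash_password(pw), hash_password(pw)
    return {
        "unsalted_digests_identical": unsalted_a == unsalted_b,
        "salted_records_identical": record_a == record_b,
        "correct_password": verify_password(pw, record_a),
        "wrong_password": verify_password("Tr0ub4dor&3", record_a),
        "malformed_record": verify_password(pw, "scrypt$bad"),
    }
```

Identical unsalted digests are what make a precomputed table reusable across every account; the per-password salt gives each account its own record, so no shared table applies.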