What is a Hash?

The short answer

A hash function takes any input — a password, a file, a string — and produces a fixed-length string of characters called a hash (or digest). No matter how large the input is, the output is always the same length.

For example, the SHA-256 hash of the word hello is always:

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Hashes are one-way — you cannot reverse a hash back to its original input. That is what makes them useful for security.

Key properties of a hash function

  • Deterministic — the same input always produces the same output
  • Fixed length — SHA-256 always outputs 64 hex characters, regardless of input size
  • One-way — you cannot derive the input from the output
  • Avalanche effect — a tiny change in input produces a completely different hash
  • Collision resistant — it should be practically impossible to find two inputs with the same hash

Common hash algorithms

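| Algorithm | Output length            | Status     | Use today?          |
|-----------|--------------------------|------------|---------------------|
| MD5       | 128 bits (32 hex chars)  | Broken     | Checksums only      |
| SHA-1     | 160 bits (40 hex chars)  | Deprecated | Avoid for security  |
| SHA-256   | 256 bits (64 hex chars)  | Secure     | Yes — recommended   |
| SHA-512   | 512 bits (128 hex chars) | Secure     | Yes — high security |
| bcrypt    | Variable                 | Secure     | Passwords only      |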

What is MD5 good for?

MD5 was once used for passwords and digital signatures, but it was broken in 2004 — researchers can generate two different inputs with the same MD5 hash (a collision attack).

MD5 is still useful for non-security purposes:

  • Verifying file integrity after download (checksums that catch accidental corruption, not deliberate tampering)
  • Generating cache keys or ETags
  • Deduplicating files in a database

Never use MD5 to hash passwords or for any cryptographic security purpose.

Hashing passwords: why SHA-256 is not enough

Even SHA-256 is too fast for password storage. Attackers can test billions of guesses per second using GPUs. For passwords, you need a slow hashing algorithm designed to resist brute-force attacks:

  • bcrypt — battle-tested, widely supported, adjustable cost factor
  • Argon2 — winner of the Password Hashing Competition, recommended for new systems
  • scrypt — memory-hard, good choice when Argon2 is not available

These algorithms include a salt (a random value added before hashing) to prevent two users with the same password from having the same hash.

Generating hashes in code

In JavaScript (Node.js):

import { createHash } from 'crypto';

const hash = createHash('sha256').update('hello').digest('hex');
// "2cf24dba5fb0a30e26e83b2ac5b9e29e..."

In Python:

import hashlib

# hashlib works on bytes, so pass a bytes literal or encode the string first
digest = hashlib.sha256(b'hello').hexdigest()
# "2cf24dba5fb0a30e26e83b2ac5b9e29e..."

Common use cases

  • File integrity — compare a file's hash before and after transfer to detect corruption
  • Password storage — store a hash, never the plaintext password
  • Digital signatures — hash the content first, then sign the hash
  • Content addressing — Git identifies commits and blobs by their SHA-1 hash
  • Data deduplication — two files with identical hashes are treated as identical (this relies on collisions being practically impossible)
  • Cache keys — hash a request body to use as a cache key
