What is a Hash?
5 min read · Security & Cryptography
The short answer
A hash function takes any input — a password, a file, a string — and produces a fixed-length string of characters called a hash (or digest). No matter how large the input is, the output is always the same length.
For example, the SHA-256 hash of the word hello is always:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Hashes are one-way — you cannot reverse a hash back to its original input. That is what makes them useful for security.
Key properties of a hash function
- Deterministic — the same input always produces the same output
- Fixed length — SHA-256 always outputs 64 hex characters, regardless of input size
- One-way — you cannot derive the input from the output
- Avalanche effect — a tiny change in input produces a completely different hash
- Collision resistant — it should be practically impossible to find two inputs with the same hash
Common hash algorithms
| Algorithm | Output length | Status | Use today? |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | Broken | Checksums only |
| SHA-1 | 160 bits (40 hex chars) | Deprecated | Avoid for security |
| SHA-256 | 256 bits (64 hex chars) | Secure | Yes — recommended |
| SHA-512 | 512 bits (128 hex chars) | Secure | Yes — high security |
| bcrypt | Variable | Secure | Passwords only |
What is MD5 good for?
MD5 was once used for passwords and digital signatures, but it was broken in 2004 — researchers can generate two different inputs with the same MD5 hash (a collision attack).
MD5 is still useful for non-security purposes:
- Verifying file integrity after download (checksums), to catch accidental corruption rather than deliberate tampering
- Generating cache keys or ETags
- Deduplicating files in a database
Never use MD5 to hash passwords or for any cryptographic security purpose.
Hashing passwords: why SHA-256 is not enough
Even SHA-256 is too fast for password storage. Attackers can test billions of guesses per second using GPUs. For passwords, you need a slow hashing algorithm designed to resist brute-force attacks:
- bcrypt — battle-tested, widely supported, adjustable cost factor
- Argon2 — winner of the Password Hashing Competition, recommended for new systems
- scrypt — memory-hard, good choice when Argon2 is not available
These algorithms include a salt (a random value added before hashing) to prevent two users with the same password from having the same hash.
Generating hashes in code
In JavaScript (Node.js):
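```js
import { createHash } from 'crypto';

// Hash the UTF-8 bytes of 'hello' and hex-encode the digest
const hash = createHash('sha256').update('hello').digest('hex');
// "2cf24dba5fb0a30e26e83b2ac5b9e29e..."
```

In Python:

```python
import hashlib

# hashlib operates on bytes, so pass b'hello' (or 'hello'.encode())
digest = hashlib.sha256(b'hello').hexdigest()
# "2cf24dba5fb0a30e26e83b2ac5b9e29e..."
```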
Common use cases
- File integrity — compare a file's hash before and after transfer to detect corruption
- Password storage — store a hash, never the plaintext password
- Digital signatures — hash the content first, then sign the hash
- Content addressing — Git identifies commits and blobs by their SHA-1 hash
- Data deduplication — two files with identical hashes are identical
- Cache keys — hash a request body to use as a cache key