SHA-256, MD5, and Other Hashes Explained: What They Are and Why They Matter

A hash function takes input of any length and produces a fixed-length output (the hash or digest) that appears random. The same input always produces the same output. Different inputs produce different outputs (though collisions are theoretically possible). Crucially, the function is one-way: given the hash, you can't work backward to find the input. A small change to the input produces a completely different hash — changing one character in a document changes roughly half the bits in the SHA-256 hash. This property (called the avalanche effect) is what makes hashes useful for integrity verification.

MD5 is broken for security purposes because researchers have demonstrated practical collision attacks — meaning they can deliberately engineer two different inputs that produce the same MD5 hash. In 2008, security researchers used an MD5 collision to create a rogue SSL certificate that appeared valid. In 2012, the Flame malware used an MD5 collision to forge a Microsoft Windows Update signature. If an attacker can generate a document that has the same MD5 hash as a legitimate document, they can substitute it in contexts where only the hash is checked. SHA-256 and SHA-3 have no known practical collision vulnerabilities.

Hashes are not encryption — they can't be 'decrypted' mathematically because the function discards information. Given a hash, there's no algorithm to find the original input. However, hashes can be 'cracked' through brute force or rainbow tables. A rainbow table is a precomputed database of inputs and their hashes. If your password hash is in a rainbow table, lookup is instant. This is why passwords must be salted before hashing — adding a unique random value to each password before hashing means rainbow tables can't be used.

The number indicates the output length in bits. SHA-256 produces a 256-bit (64 hex character) hash. SHA-512 produces a 512-bit (128 hex character) hash. Both are part of the SHA-2 family and considered cryptographically secure. SHA-512 is theoretically harder to brute force because the output space is astronomically larger, but for most practical purposes SHA-256 provides sufficient security. SHA-512 is sometimes preferred on 64-bit systems where it can be faster due to native 64-bit arithmetic. For most applications, SHA-256 is the standard recommendation.