What Is Hashing
Hashing is the process of converting data of arbitrary size into a fixed-length string using a mathematical function. The result is called a hash, checksum, or digest. The key property of a hash function is irreversibility: it is impossible to recover the original data from a hash. This fundamentally distinguishes hashing from encryption, where data can be decrypted back with a key.
A good cryptographic hash function has three properties:
- Determinism — the same input always produces the same hash.
- Avalanche effect — the slightest change in input completely changes the hash.
- Collision resistance — it is practically impossible to find two different inputs with the same hash.
Popular Hashing Algorithms
MD5 (Message Digest 5)
Created in 1991 by Ronald Rivest. Produces a 128-bit (32 hex characters) hash. MD5 is very fast, but in 2004 practical collisions were discovered — the ability to create two different files with the same hash. Today MD5 is considered cryptographically insecure and should not be used for data protection. However, it is still suitable for file integrity checks (checksums) and other non-cryptographic tasks.
SHA-1 (Secure Hash Algorithm 1)
Developed by the NSA in 1995. Produces a 160-bit (40-character) hash. In 2017, a Google team demonstrated a practical SHA-1 collision (the SHAttered project). Since then, SHA-1 has been considered deprecated. Browsers stopped accepting SSL certificates with SHA-1, and Git is gradually migrating to SHA-256.
SHA-256
Part of the SHA-2 family developed by the NSA. Produces a 256-bit (64-character) hash. As of today, SHA-256 is considered secure and is used everywhere: SSL/TLS certificates, Bitcoin blockchain, digital signatures, password storage. It is the recommended algorithm for most tasks.
SHA-512
Produces a 512-bit (128-character) hash. More secure than SHA-256, but slower on 32-bit systems. On 64-bit systems, SHA-512 can actually run faster than SHA-256 due to architectural features. Used where maximum security is required.
bcrypt and Argon2 (for passwords)
Standard hash functions (MD5, SHA-256) are too fast for password hashing — an attacker can test billions of hashes per second. Specialized algorithms bcrypt and Argon2 are intentionally slow and memory-intensive, making brute-force attacks impractical. Always use bcrypt, scrypt, or Argon2 for password hashing.
Hashing vs. Encryption: What Is the Difference
These concepts are often confused, but they are fundamentally different:
- Hashing — an irreversible process. The original data cannot be recovered from a hash. Used for integrity verification and password storage.
- Encryption — a reversible process. Data can be encrypted and decrypted with a key. Used to protect confidential data during transmission and storage.
A simple analogy: hashing is like a meat grinder (you cannot reassemble meat from ground beef), while encryption is like a safe (put something in, lock it, unlock with a key, take it out).
Practical Applications of Hashing
- Password storage. Services store a hash of the password, not the password itself. During login, the entered password is hashed and compared with the stored hash.
- File integrity verification. When downloading software, you can compare the hash of the downloaded file with the one listed on the website to ensure the file has not been corrupted or tampered with.
- Digital signatures. It is the hash of the document that gets signed, not the entire document — this is faster and more secure.
- Data deduplication. Cloud storage services compute file hashes and avoid storing duplicates.
- Blockchain. Bitcoin and other cryptocurrencies use SHA-256 to create the chain of blocks and for mining.
You can generate a hash for any data using our hash generator. The tool supports MD5, SHA-1, SHA-256, SHA-512, and other algorithms.
Salt and Pepper: Protecting Password Hashes
Even if a service stores hashes instead of passwords, an attacker can use precomputed tables (rainbow tables) to crack them. To protect against this:
- Salt — a random string unique to each user, added to the password before hashing. Makes rainbow tables useless.
- Pepper — a secret string shared across the entire application, stored separately from the database. Adds an extra layer of protection.
Frequently Asked Questions
Which hashing algorithm should I choose?
For passwords — bcrypt or Argon2. For file integrity verification — SHA-256. For non-critical tasks (caching, checksums) — MD5 is acceptable. SHA-1 is not recommended anywhere due to known vulnerabilities. Learn more about password generation in our article on the password generator.
Can a hash be decrypted?
No, a hash function is irreversible by definition. However, you can try brute force or use dictionaries and rainbow tables to find the original data. This is exactly why long passwords, salt, and slow hashing algorithms are important.
What is a hash collision?
A collision occurs when two different sets of input data produce the same hash. Practical collision methods have been found for MD5 and SHA-1. For SHA-256, collisions are theoretically possible (there are more possible inputs than outputs), but finding one in practice is computationally infeasible.
How is hashing different from Base64?
Base64 is encoding: a reversible process of converting data into a text format. Hashing is an irreversible process of producing a fixed-length digest. Base64 preserves all data; a hash does not.
