Compare MD5 and SHA-256 by digest size, speed, collision resistance, security limits, and the situations where each algorithm may still be used.
MD5 and SHA-256 are cryptographic hash functions. Both convert input data of any practical size into a fixed-length digest. Both are deterministic, and both show a strong avalanche effect: a small input change produces a very different output.
They are not equally secure. MD5 is a legacy algorithm with practical collision attacks. SHA-256 belongs to the SHA-2 family and remains suitable for many current security applications when used correctly.
| Property | MD5 | SHA-256 |
|---|---|---|
| Digest size | 128 bits | 256 bits |
| Hexadecimal length | 32 characters | 64 characters |
| Published | 1992 | 2001 as part of SHA-2 |
| Collision resistance | Broken | No practical collision attack publicly known |
| Typical role today | Legacy checksums and non-adversarial identification | Integrity checks, digital-signature systems, HMAC, and many security protocols |
| Password storage | Unsuitable | Unsuitable by itself |
A hash function maps a message to a fixed-size value. The message may be a short string, a software package, a disk image, or a large data stream.
A useful cryptographic hash function aims to provide several properties:
A hash is not encryption. It has no decryption key and is not intended to recover the original input. It is also not automatically proof of authenticity. Anyone who can replace a file may also be able to replace an unprotected checksum displayed beside it.
MD5 processes data in 512-bit blocks and produces a 128-bit digest. The digest is commonly written as 32 hexadecimal characters.
For example, the UTF-8 bytes for hello, without a trailing newline, produce:
5d41402abc4b2a76b9719d911017c592
MD5 became popular because it was compact, fast, and easy to implement. It appeared in file-verification systems, software repositories, protocols, database schemas, and password databases.
Its speed later became a liability for password storage, and cryptanalysis demonstrated that its collision resistance was fundamentally broken.
SHA-256 is one member of the SHA-2 family specified by NIST. It also processes messages in 512-bit blocks, but it produces a 256-bit digest written as 64 hexadecimal characters.
The same hello input produces:
2cf24dba5fb0a30e26e83b2ac5b9e29e
1b161e5c1fa7425e73043362938b9824
The line break above is only for readability. A standard SHA-256 hexadecimal digest is one continuous 64-character string.
SHA-256 has a larger internal state and more rounds than MD5. Its design provides a much stronger security margin against collisions and other attacks relevant to general-purpose hashing.
MD5 has 128 possible output bits, giving 2^128 possible digest values. SHA-256 has 2^256 possible values.
For an ideal hash, generic collision attacks follow the birthday bound. A collision is expected after roughly the square root of the output space has been explored:
2^64 operations for an ideal 128-bit hash.2^128 operations for an ideal 256-bit hash.MD5 is worse than this ideal estimate because researchers developed practical methods that exploit weaknesses in its structure. Its collision resistance should therefore not be treated as 64-bit security.
SHA-256 is designed to provide approximately 128 bits of collision resistance when its full output is used.
A collision occurs when two different inputs have the same digest. This can undermine systems that assume a digest uniquely identifies trusted content.
Collision attacks are especially relevant when an attacker can influence two versions of a document, certificate, executable, or structured file and arrange for their hashes to match. The attacker may present a benign version for approval and later substitute a malicious colliding version.
This does not mean every existing MD5 checksum can instantly be replaced with an arbitrary malicious file. Collision attacks and preimage attacks are different. However, the existence of practical collision techniques means MD5 should not be selected for a new security-sensitive design.
MD5 is usually faster than SHA-256 in software, though the exact difference depends on processor architecture, hardware acceleration, library implementation, file size, and I/O speed.
For large-file checksums, storage and network throughput may dominate the calculation time. In many practical workflows, SHA-256 is fast enough that the security improvement outweighs a small performance difference.
For password storage, both algorithms are too fast when used directly. Attackers benefit from fast hashing because they can test huge numbers of password guesses. Password databases need dedicated, configurable password-hashing functions designed to be expensive in time, memory, or both.
MD5 can still be adequate in narrow situations where there is no malicious actor and the digest is only a convenient error-detection or identification value.
Examples include:
Even in these cases, new systems should usually prefer SHA-256 because migration later can be costly and MD5 creates ambiguity about the intended security level.
When authenticity matters, a bare SHA-256 checksum is also insufficient. Use a digital signature, an authenticated update framework, or a keyed message authentication code such as HMAC-SHA-256.
SHA-256 remains a common choice for:
The surrounding system still matters. A checksum downloaded from the same compromised server as a file does not independently prove that the file is authentic. The checksum needs a trusted delivery channel or cryptographic signature.
Password hashing has different requirements from file hashing. A file hash should be fast so large files can be processed efficiently. A password hash should be deliberately expensive so each attacker guess costs meaningful time and memory.
Do not store passwords as:
MD5(password)
SHA256(password)
SHA256(salt + password)
Adding a salt prevents identical passwords from sharing one digest and defeats many precomputed tables, but it does not make a fast general-purpose hash slow. Attackers can still test guesses efficiently.
Use a password-hashing function such as Argon2id. Depending on platform and compliance requirements, scrypt, bcrypt, or PBKDF2 may also be appropriate when configured according to current guidance.
For accidental corruption, either algorithm can detect typical transmission or storage errors. For hostile environments, SHA-256 is the better baseline.
On GNU/Linux:
md5sum archive.zip
sha256sum archive.zip
On macOS:
md5 archive.zip
shasum -a 256 archive.zip
In PowerShell:
Get-FileHash .\archive.zip -Algorithm MD5
Get-FileHash .\archive.zip -Algorithm SHA256
Always compare the digest with a value obtained from a trusted source. A match only has meaning if the expected value itself has not been altered.
For public downloads, software updates, signed documents, or any workflow exposed to attackers, publish SHA-256 or a stronger approved alternative. Keep the old MD5 value temporarily only when users or legacy systems still require it.
A practical migration approach is:
MD5 and SHA-256 perform the same broad type of operation, but they provide very different security margins. MD5 remains useful mainly for compatibility and non-adversarial checks. SHA-256 is the correct default for general integrity hashing in modern systems, but a bare hash does not prove authenticity and is not a password-storage method.