MD5 vs SHA-256: differences and recommendations
MD5 and SHA-256 are two cryptographic hash functions. They produce a fixed-size digest from an input of arbitrary size. You meet them everywhere: file integrity checks, signatures, unique identifiers, TLS certificates, blockchain. Their security status, however, is very different: MD5 has been broken since 2004 for cryptographic uses, while SHA-256 remains safe in 2026. This article gets the facts straight.
Hash functions in a nutshell
A cryptographic hash function turns a message of arbitrary length into a fixed-size digest. Three properties are expected:
- Preimage resistance: given a hash, it must be infeasible to recover the original message.
- Second preimage resistance: given a message, it must be infeasible to find another that produces the same hash.
- Collision resistance: it must be infeasible to find two distinct messages that produce the same hash.
A function is said to be broken as soon as one of these properties falls. For MD5, collision resistance fell in 2004.
MD5: 128 bits, broken since 2004
MD5 (Message Digest 5) is a function designed by Ronald Rivest in 1991 and standardised by RFC 1321. It produces a 128-bit digest (16 bytes, 32 hexadecimal characters).
In 2004, Wang and Yu published an attack that produces MD5 collisions in a few hours on a PC. Since then, the cost of generating a collision has dropped to a few seconds. In 2008, researchers crafted a forged SSL certificate signed with MD5 that was accepted as valid by all browsers. In 2012, the Flame malware used an MD5 collision to sign its executable as a legitimate Microsoft binary.
Conclusion: MD5 should no longer be used as soon as an attacker can influence the input. All cryptographic uses (signatures, integrity against an adversary, key derivation) are off the table. Only a few non-hostile uses remain acceptable, such as a network transfer checksum or a cache key: MD5 is still fast, and accidental collisions remain statistically impossible.
SHA-256: 256 bits, safe in 2026
SHA-256 belongs to the SHA-2 family published by NIST in 2001 and standardised by FIPS 180-4. It produces a 256-bit digest (32 bytes, 64 hexadecimal characters).
No practical attack on SHA-256 is known. The best theoretical attack on collisions covers 31 rounds out of 64, with no practical implication. The brute-force cost of finding a collision is on the order of 2^128 operations, out of reach of any known infrastructure.
SHA-256 is used in: TLS (X.509 certificates), Git (since the SHA-256 transition), Bitcoin (proof of work), Linux package signatures, Windows Update, and so on. It is today the default recommended hash for the majority of general-purpose cryptographic uses.
Practical differences
Output length
MD5("hello") = 5d41402abc4b2a76b9719d911017c592 (32 chars hex)
SHA-256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 (64 chars hex)
Speed
MD5 is roughly 2 to 3 times faster than SHA-256 on the same machine. On a modern CPU, MD5 processes several GB/s per core, while SHA-256 is in the GB/s range. On recent CPUs with the SHA-NI extension, which accelerates SHA-256 but not MD5, the gap shrinks dramatically.
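The only way to know the real gap on a given machine is to measure it. The following Python script is an added example, not part of the original article and not one of the site's tools: it hashes a random in-memory buffer (constructed here, so disk and network I/O are excluded) with both algorithms and reports throughput in MB/s. Python's hashlib delegates to OpenSSL, so on a CPU with SHA-NI the SHA-256 figure may come out close to, or above, the MD5 one.

```python
import hashlib
import os
import time


def measure_throughput(algorithm: str, payload: bytes, repetitions: int = 4) -> float:
    """Hash `payload` `repetitions` times and return the best observed MB/s.

    The best of several runs is reported so that a scheduler hiccup on one
    run does not drag the figure down.
    """
    best = float("inf")
    for _ in range(repetitions):
        start = time.perf_counter()
        hashlib.new(algorithm, payload).hexdigest()
        best = min(best, time.perf_counter() - start)
    return len(payload) / best / 1e6


def compare_md5_sha256(size_mib: int = 8) -> dict:
    """Return throughput in MB/s for both algorithms plus the MD5/SHA-256 ratio.

    The input is random bytes generated in memory (constructed sample data),
    so the measurement covers the hash core itself, not I/O.
    """
    payload = os.urandom(size_mib * 1024 * 1024)
    md5_rate = measure_throughput("md5", payload)
    sha256_rate = measure_throughput("sha256", payload)
    return {
        "md5_mb_s": md5_rate,
        "sha256_mb_s": sha256_rate,
        "md5_over_sha256": md5_rate / sha256_rate,
    }


if __name__ == "__main__":
    result = compare_md5_sha256()
    print(f"MD5:     {result['md5_mb_s']:8.1f} MB/s")
    print(f"SHA-256: {result['sha256_mb_s']:8.1f} MB/s")
    print(f"MD5 runs at {result['md5_over_sha256']:.2f}x the speed of SHA-256 here")
```

Run it on the machine that will actually do the hashing: a ratio near 1 means the performance argument for MD5 has already vanished there.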
Security
That is the only difference that really matters: MD5 is broken for collisions, SHA-256 is not. If security against an adversary is at stake, the choice is settled.
Comparison table
| Criterion | MD5 | SHA-256 |
|---|---|---|
| Year | 1991 | 2001 |
| Output size | 128 bits / 32 hex | 256 bits / 64 hex |
| Collision resistance | Broken since 2004 | No practical attack |
| Relative speed | 2 to 3 times faster | Baseline |
| Hardware acceleration | None dedicated | SHA-NI on recent CPUs |
| Cryptographic use | Not recommended | Recommended |
| Non-hostile integrity use | Acceptable | Recommended |
| Regulatory compliance | Rejected (PCI-DSS, FIPS) | Accepted |
Use cases
When MD5 is still acceptable
- Application cache key (Redis, memcached) with no security implication
- Duplicate detection in a non-hostile dataset
- Checksum of a network transfer to detect accidental corruption
- Hash of a string for sharding without adversarial constraint
When SHA-256 is the right pick
- Integrity verification against an attacker (signed downloads, packages)
- Digital signatures, X.509 certificates
- Git identifiers for commits and objects
- Key derivation (in combination with HKDF)
- Any application subject to a regulatory requirement (PCI-DSS, ANSSI, FIPS)
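Key derivation "in combination with HKDF" deserves a worked example, because HKDF is where SHA-256 usually shows up as the underlying primitive. The Python below is an added example written for this article, not code from the article or from any of the standards it cites: it implements HKDF-Extract and HKDF-Expand from RFC 5869 over HMAC-SHA256 using only the standard library, and checks itself against test case 1 from the RFC's Appendix A. The "encryption"/"authentication" info strings in the demo are constructed labels, not values the RFC defines.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-SHA256(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC prescribes.
    """
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): stretch PRK to `length` bytes.

    T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), with i a one-byte counter,
    so at most 255 * HashLen bytes can be derived.
    """
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-SHA256 can derive at most 255 * 32 bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: extract, then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# RFC 5869, Appendix A, test case 1 (basic test with SHA-256).
RFC5869_CASE1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865",
}


def check_rfc_vector() -> bool:
    """Return True when the implementation reproduces the RFC 5869 vector."""
    c = RFC5869_CASE1
    prk = hkdf_extract(c["salt"], c["ikm"])
    okm = hkdf_expand(prk, c["info"], c["length"])
    return prk.hex() == c["prk"] and okm.hex() == c["okm"]


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "OK" if check_rfc_vector() else "MISMATCH")
    # Two different context strings from one master secret give unrelated keys.
    master = bytes.fromhex("00" * 32)  # constructed sample secret
    k_enc = hkdf_sha256(master, b"", b"encryption", 32)
    k_mac = hkdf_sha256(master, b"", b"authentication", 32)
    print("enc key:", k_enc.hex())
    print("mac key:", k_mac.hex())
```

The point of the info parameter is domain separation: one master secret yields independent keys for encryption and authentication, and a bug that leaks one does not expose the other. In production, prefer a maintained library's HKDF over a hand-rolled copy; the value of this block is that it makes the RFC's construction visible.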
Concrete examples
In PHP, both functions are available via the hash() function:
```php
// Hash of a string
$md5 = hash('md5', 'hello world');
$sha256 = hash('sha256', 'hello world');

// Hash of a file (streaming read: the file is never loaded whole into memory)
$md5File = hash_file('md5', '/path/to/file.iso');
$sha256File = hash_file('sha256', '/path/to/file.iso');
```
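The PHP snippet above computes a digest; the step that actually protects a download is comparing it with the published value. The Python below is an added example (not code from the article, and not a port of any of the site's tools) showing the same streaming file hash plus a constant-time comparison against an expected digest. The sample file it writes contains the string "hello", so the results can be checked against the MD5 and SHA-256 values quoted earlier in the article.

```python
import hashlib
import hmac
import os
import tempfile


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks and return the hex digest.

    Reading in chunks keeps memory flat for multi-gigabyte images, which is
    the same idea as PHP's hash_file().
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the file's digest with a published one in constant time.

    hmac.compare_digest does not stop at the first differing character, so
    timing does not reveal how much of a guessed digest was right. It also
    returns False for digests of different lengths instead of raising.
    """
    actual = hash_file(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo() -> dict:
    """Write a constructed sample file and check it against the digests of "hello"."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"hello")
        return {
            "md5": hash_file(path, "md5"),
            "sha256": hash_file(path, "sha256"),
            "sha256_ok": verify_file(
                path, "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
            ),
            # A digest of all zeros stands in for a tampered or mismatched file.
            "tampered_rejected": not verify_file(path, "00" * 32),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details matter for the "integrity against an attacker" use case: the expected digest must come from a channel the attacker cannot rewrite (a signed manifest, an HTTPS page on a different host than the download mirror), and the algorithm must be SHA-256, since an attacker who controls the file can produce an MD5 collision at will.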
You can compute these hashes directly online with our text hash generator, hash a file with the file hash generator, or identify an unknown hash type with the hash identifier.
Recommendation
The 2026 rule is simple: SHA-256 by default. MD5 should no longer appear in your code as soon as an attacker can influence the input, which covers almost every server-side case. MD5's higher performance no longer justifies its use; the gap has become negligible with the SHA-NI acceleration present on modern x86 and ARM CPUs.
Frequently asked questions
Is MD5 still safe for passwords?
No, never. And this point is independent of collisions: MD5 is too fast. A GPU cracks several billion MD5 hashes per second, which makes any dictionary or brute-force attack trivial. For passwords, use bcrypt, Argon2 or scrypt (see our Bcrypt vs Argon2 comparison).
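To make the contrast concrete, here is an added Python example (not code from the article) that places an unsalted MD5 password hash next to a salted, deliberately slow scrypt record. It uses hashlib.scrypt from the standard library; the record format `scrypt$N$r$p$salt$hash` and the cost parameters are choices made for this example, not values the article specifies.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters chosen for this example: CPU/memory cost 2^14,
# block size 8, parallelism 1. Memory use is 128 * r * N bytes (16 MiB here).
# Raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_password_hash(password: str) -> str:
    """What NOT to do: unsalted MD5 of the password.

    Same password, same hash, for every user and every site, and a GPU can
    test billions of candidates per second against it.
    """
    return hashlib.md5(password.encode()).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$hash_b64.

    A fresh 16-byte salt per password means identical passwords produce
    different records, so precomputed tables are useless, and storing the
    parameters lets them be raised later without breaking old records.
    """
    salt = os.urandom(16)
    key = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters stored in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.scrypt(
        password.encode(), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("MD5 (identical every time):", md5_password_hash(pw))
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("scrypt record 1:", rec1)
    print("scrypt record 2:", rec2)
    print("verify correct:", verify_password(pw, rec1))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec1))
```

The MD5 line prints the same string every run; the two scrypt records differ even though the password is identical, and each verification costs the defender a deliberate 16 MiB and a few milliseconds, which is exactly the cost that makes mass guessing uneconomic.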
What is the difference between SHA-256 and SHA-2?
SHA-2 is the family, SHA-256 is one of its members. The family includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. They differ in output size and internal block size. SHA-256 is the most widely used variant.
Should I switch to SHA-3?
Not necessarily. SHA-3 (published in 2015) relies on a radically different construction (Keccak / sponge), but SHA-256 remains safe. SHA-3 mainly serves as a plan B in case of an unexpected problem with SHA-2. Pick SHA-3 if a standard requires it, or if you want cryptographic diversity. Otherwise, SHA-256 remains the standard choice.
Can you invert an MD5 or SHA-256 hash?
No, by design: a hash loses information. MD5 "decryption" sites merely query huge databases of precomputed hashes (rainbow tables) for common inputs. For long random data, recovering the input is impossible with either algorithm.
Will SHA-256 be broken by a quantum computer?
Grover's algorithm halves the effective security of hashes against a quantum attacker: SHA-256 would then offer about 128 bits of security, which remains plenty. No rush on the hash side, unlike with asymmetric cryptography.