Irreva logo
Explore Irreva
AboutPrivacyTermsContact
DeveloperJanuary 31, 2026· 7 min read· Updated June 10, 2026

What Is a Hash Function — SHA256 and MD5 Explained

Hasanur Rahman

Written by Hasanur Rahman

Founder & Full-Stack Developer · Irreva · Rangpur, Bangladesh

A hash function takes any input — a word, a file, a billion-character string — and produces a fixed-length output called a hash or digest. The same input always produces the same hash. Change one character of the input and the hash changes completely. This behavior makes hash functions essential for verifying data integrity, storing passwords, and digital signatures.

How hash functions work

A hash function is a one-way mathematical operation. It's easy to compute the hash of an input, but computationally infeasible to reverse — to find the input given only the hash. This property is called preimage resistance.

Two different inputs producing the same hash is called a collision. A good hash function makes collisions extremely rare and hard to manufacture intentionally. This property — collision resistance — is what makes hashes useful for security applications.

SHA256, for example, always produces a 256-bit (32-byte) output expressed as a 64-character hexadecimal string. 'hello' always becomes 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. Change 'hello' to 'Hello' and the hash is completely different.

SHA256 — the current standard

SHA256 is part of the SHA-2 family, published by NIST in 2001. It's the hash function used in Bitcoin's proof-of-work, TLS certificate signatures, Git object hashing, and password hashing schemes like bcrypt's underlying structure.

For verifying file integrity, SHA256 checksums let you confirm that a downloaded file hasn't been tampered with. Download the file and the expected checksum from the source, run SHA256 on the file, and compare. If the hashes match, the file is intact.

SHA256 is computationally intensive enough that brute-force attacks against properly salted password hashes are impractical. For direct data integrity verification (not passwords), SHA256 is fast enough for any practical use.

MD5 — why it's no longer secure

MD5 was designed in 1991 and was once the standard for checksums and password hashing. It produces a 128-bit (32 hex character) output. It's extremely fast to compute.

The problem is that MD5 is cryptographically broken. Researchers demonstrated in 2004 that it was practical to generate MD5 collisions — two different inputs with the same hash. In 2008, a team created a fake SSL certificate trusted by browsers using an MD5 collision. MD5 is no longer suitable for any security-sensitive purpose.

MD5 still appears in non-security contexts where speed matters and collision resistance isn't required — like checksums for large file downloads over a trusted channel, or as a quick content hash for caching. But if security is a concern at all, use SHA256 or SHA512 instead.

  • MD5: 128-bit output, fast, cryptographically broken — not for security
  • SHA1: 160-bit output, deprecated, known weaknesses — avoid
  • SHA256: 256-bit output, current standard — use this
  • SHA512: 512-bit output, higher security margin — use for sensitive data
  • bcrypt/Argon2: designed for passwords — use these for storing passwords

Generating and verifying hashes online

The Irreva Hash Generator supports MD5, SHA1, SHA256, and SHA512. Enter any text and get all four hashes instantly. The computation runs in your browser using the Web Crypto API, so your input never leaves your device.

For file verification, generate a hash of the file locally and compare it against the checksum published by the software distributor. This confirms that no one modified the file between publication and your download.

For developers, hashing strings is useful for generating cache keys, creating deterministic IDs from content, and building simple fingerprinting systems. These use cases don't require cryptographic security — even MD5 works fine for them.

Try these free tools

Hash GeneratorPassword GeneratorPassword Strength Checker

Frequently Asked Questions

Can a hash be reversed to get the original input?

Not computationally, for a strong hash function. Hash functions are one-way by design. However, common short inputs like passwords can be found using rainbow tables — precomputed tables of hashes for common inputs. This is why passwords should be salted before hashing.

What is a salt in password hashing?

A salt is a random value added to the input before hashing. Each stored password hash has a unique salt. This defeats rainbow table attacks because the attacker would need a separate rainbow table for every possible salt value. Modern password hashing libraries like bcrypt handle salting automatically.

Why does changing one character change the entire hash?

This is called the avalanche effect, and it's a deliberate property of cryptographic hash functions. It ensures that similar inputs produce completely different outputs, preventing any information about the input from being inferred from the hash.

Is SHA256 suitable for hashing passwords?

Not directly. SHA256 is too fast — a modern GPU can compute billions of SHA256 hashes per second, making brute-force attacks feasible. Passwords should be hashed with algorithms specifically designed to be slow and memory-intensive, like bcrypt, scrypt, or Argon2.

What is a hash used for in Git?

Git uses SHA1 (transitioning to SHA256) to identify every object: commits, trees, blobs, and tags. The commit hash is computed from the commit contents including parent hash, author, timestamp, and the tree it points to. This makes the entire repository history tamper-evident.

Related articles

What Is SHA256 Hashing and When to Use ItRead →How to Generate a Strong Password OnlineRead →
Hasanur Rahman

About the author

Hasanur Rahman

Founder & Full-Stack Developer · Irreva · Rangpur, Bangladesh

Hasanur Rahman is the founder of Irreva and a full-stack developer based in Rangpur, Bangladesh. He builds all of Irreva's tools with a focus on privacy-first, browser-based processing.

← Back to all articles