MD5 Is Broken But You're Still Using It: Hash Functions Explained for 2026

Three months into my first backend job, I found this in the codebase: MD5(user.password). The senior developer who wrote it had left the company. When I flagged it, the response was 'it's hashed though, isn't that fine?' That question sent me down a rabbit hole that changed how I think about security fundamentals. No, it's not fine. And the reason why is one of the most interesting stories in the history of applied cryptography.

This guide covers what hash functions actually do, why MD5 collapsed as a security tool (with a specific timeline), how SHA-256 and SHA-512 differ, and what salting is and why you need it. By the end, you'll be able to answer 'which hash should I use?' for any situation — and explain why to whoever is still reaching for MD5.

What a Hash Function Actually Does

A hash function takes any input — a single character, a 10 GB file, an entire novel — and produces a fixed-length output called a hash, digest, or checksum. The output size depends on the algorithm: MD5 always produces 128 bits (32 hex characters), SHA-256 always produces 256 bits (64 hex characters), regardless of input size.

• Deterministic: The same input always produces the same hash. 'hello' hashes to the same value on any machine, any time.
• One-way: Given a hash value, you cannot mathematically reverse-engineer the original input. There is no 'undo' button.
• Avalanche effect: Change a single character in the input and the output changes completely — not slightly. 'hello' and 'helli' produce entirely different hashes.
• Fixed-length output: No matter how long the input, the output is always the same size. A 1-byte file and a 1 GB file produce the same-length hash.
• Collision-resistant: It should be computationally infeasible to find two different inputs that produce the same hash output.

Algorithm Comparison: MD5, SHA-1, SHA-256, SHA-512

The MD5 Collapse Timeline: How a Standard Became a Weapon

MD5 was designed in 1992 by Ronald Rivest and was the dominant hashing algorithm for over a decade. Then, over roughly eight years, it went from ubiquitous standard to active exploit vector.

SHA-256 vs SHA-512: Which Should You Use?

Both SHA-256 and SHA-512 are members of the SHA-2 family, designed by the NSA and published by NIST in 2001. Both are secure. The differences are practical, not security-critical.

• SHA-256: The standard default for 2026. Supported everywhere — TLS certificates, JWT signatures, Git commit hashes, Bitcoin mining. If you're not sure which to use, SHA-256 is the answer.
• SHA-512: Better for 64-bit systems. SHA-512 uses 64-bit operations internally, making it actually faster than SHA-256 on 64-bit hardware. Use it when you want a larger security margin or when your platform benefits from 64-bit operations.
• SHA-512/256: A truncated SHA-512 that produces 256-bit output but uses SHA-512 internals. Gets 64-bit speed with 256-bit output size. Rarely used but worth knowing about.
• SHA-3: A completely different design (not SHA-2). Designed as a backup in case SHA-2 is ever broken. Not required for new projects in 2026, but useful for high-assurance systems that want algorithm diversity.

Password Hashing: Why MD5 and Even SHA-256 Are Wrong

Here's a fact that surprises many developers: SHA-256 is also wrong for password storage, even though it's secure. The issue is speed. SHA-256 is designed to be fast — ideal for file integrity checks, but terrible for passwords, because an attacker can test billions of SHA-256 hashes per second.

For passwords, you want a deliberately slow algorithm. The options are bcrypt, scrypt, and Argon2. These are designed to be computationally expensive — you can tune how slow they are, trading security for user-perceived login speed.

• bcrypt: The classic choice. Widely supported. Has a 72-character input limit (truncates longer passwords) — a known limitation. Work factor configurable.
• scrypt: Adds memory hardness — requires a lot of RAM, not just CPU. Harder to attack with GPU clusters. Used in some cryptocurrency systems.
• Argon2: Winner of the 2015 Password Hashing Competition. The current best practice. Configurable in CPU time, memory, and parallelism. Use Argon2id (the hybrid variant) for new systems.

What Salting Does (and Why Rainbow Tables Are Already Dead)

A rainbow table is a precomputed lookup table mapping common passwords to their hashes. Without salting, an attacker who breaches your database can look up 'abc123' → MD5 hash and instantly know which users have that password. Salting defeats this by adding random data to each password before hashing.

Modern password hashing algorithms (bcrypt, Argon2) generate and store the salt automatically — it's embedded in the output string. You do not need to manage salts manually when using these libraries.

Practical Use Cases for Hash Functions

• File integrity verification: Download a file and compare its SHA-256 hash with the published checksum. If they match, the file was not tampered with in transit. Linux ISOs and major software packages routinely publish SHA-256 checksums.
• Password storage: Hash passwords with Argon2id (never store plaintext). Even if your database is breached, attackers cannot reverse the hashes to get passwords.
• Digital signatures: Sign a document by hashing it (SHA-256) and encrypting the hash with your private key. The recipient hashes the document too, decrypts your signature, and compares.
• Content addressing: Systems like Git, IPFS, and content delivery networks use hashes to identify content by what it is, not where it lives. If the hash matches, the content is identical.
• Data deduplication: Hash files to find duplicates without comparing their full contents. If two files have the same SHA-256 hash, they are identical.
• Message authentication (HMAC): Combine a hash with a secret key to verify both content integrity and authenticity. Used in JWT tokens, API authentication, and webhook signatures.