Hash Algorithm Comparison: MD5, SHA-1, SHA-256, SHA-3, and BLAKE3
Why "Just Use MD5" Is a Real Problem
In 2012, the Flame malware forged a legitimate Microsoft code-signing certificate by exploiting an MD5 collision, then distributed itself via Windows Update. That incident marked the moment when MD5 collision attacks moved from theory to demonstrated real-world harm.
SHA-1 followed in 2017 when Google published the SHAttered attack — two different PDF files with an identical SHA-1 hash, proving collision feasibility at a cost of approximately 110 GPU-years.
MD5 and SHA-1 are now prohibited for security purposes. But the question of which algorithm to use instead has different answers depending on your use case.
What Cryptographic Hash Functions Guarantee
A cryptographic hash function maps input of arbitrary length to a fixed-length output (digest). A secure hash function must satisfy three properties:
| Property | Description |
|---|---|
| Preimage resistance | Cannot reverse the digest to recover the original input |
| Second preimage resistance | Cannot find a different input with the same hash as a given input |
| Collision resistance | Cannot find any two different inputs with the same hash |
Collision resistance is the strongest requirement. MD5 and SHA-1 have lost it.
MD5 — Born in 1991, Retired from Security Work
Specification
MD5 (Message Digest Algorithm 5) was designed by Ron Rivest in 1991 and defined in RFC 1321. It produces a 128-bit digest and uses a Merkle–Damgård construction — iterative block processing — which later became the target of extension attacks.
Collision Attack History
- 2004: Xiaoyun Wang et al. found MD5 collisions
- 2008: Sotirov et al. created a rogue CA certificate using MD5 collision
- 2012: Flame malware forged a code-signing certificate (described above)
import hashlib
# MD5 — acceptable only for non-security checksums
digest = hashlib.md5(b"Hello, World!").hexdigest()
print(digest) # "65a8e27d8879283831b664bd8b7f0ad4"
Remaining Acceptable Uses
MD5 is only acceptable where security is not a concern:
- Download integrity verification (detecting transmission errors, not tampering)
- Cache key generation in non-adversarial contexts
- Non-cryptographic deduplication
SHA-1 — Two Decades of Dominance, Retired in 2017
Specification
SHA-1 is defined in NIST FIPS 180-4 as part of the Secure Hash Standard. It produces a 160-bit digest and was the dominant hash algorithm from roughly 1993 to 2005.
The SHAttered Attack (2017)
The SHAttered paper by Stevens et al. (CWI Amsterdam and Google Research), published in February 2017, was the first practical SHA-1 collision:
- Cost: Approximately 110 GPU-years of computation
- Evidence: Two distinct PDF files with identical SHA-1 hashes, publicly downloadable
- Consequence: Raised concrete concerns about Git's object model, which identifies objects by SHA-1
Git has since been migrating to SHA-256 for object identification (git hash-object --format sha256).
Current Status
NIST deprecated SHA-1 in 2011 and prohibits its use in TLS certificates after 2030. All major browsers already reject SHA-1-signed certificates. Git 2.29+ supports SHA-256 repositories.
SHA-256 — The Current Default Standard
Specification
SHA-256 is defined in NIST FIPS 180-4 (Secure Hash Standard), part of the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512). It produces a 256-bit digest.
Like MD5 and SHA-1, SHA-256 uses Merkle–Damgård construction. The increased security comes from a larger block size (512 bits) and 64 rounds of processing, making collision attacks computationally infeasible with current hardware.
// Node.js
const { createHash } = require('crypto');
const hash = createHash('sha256')
.update('Hello, World!')
.digest('hex');
// "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"
// File hashing (streaming — avoids loading entire file into memory)
const fs = require('fs');
async function hashFile(path) {
return new Promise((resolve, reject) => {
const hash = createHash('sha256');
fs.createReadStream(path)
.on('data', chunk => hash.update(chunk))
.on('end', () => resolve(hash.digest('hex')))
.on('error', reject);
});
}
Common Uses
- TLS/SSL certificate signatures (required by TLS 1.3 per RFC 8446)
- Code signing for application distribution
- Blockchain (Bitcoin uses SHA-256d = SHA-256(SHA-256(x)))
- HMAC-SHA256 for API request authentication
- Git object hashing (in SHA-256 repositories)
SHA-3 — A Completely Different Architecture as a Backup
Design: Sponge Construction
SHA-3 was standardized in NIST FIPS 202 (2015). It is based on the Keccak algorithm, which won NIST's hash algorithm competition (2007–2012).
SHA-3 uses a fundamentally different design called the Sponge Construction, not Merkle–Damgård.
Absorbing phase: input data is "absorbed" into an internal state
Squeezing phase: output bytes are "squeezed" from the internal state
The sponge construction natively eliminates length extension attacks — a weakness of Merkle–Damgård that SHA-256 can only mitigate via HMAC.
import hashlib
sha3_256 = hashlib.sha3_256(b"Hello, World!").hexdigest()
sha3_512 = hashlib.sha3_512(b"Hello, World!").hexdigest()
# SHAKE (variable-length output)
shake = hashlib.shake_256(b"Hello, World!").hexdigest(32) # 32-byte output
SHA-2 vs SHA-3: Complement, Not Replacement
SHA-3 is not meant to replace SHA-2. It is a backup — designed from entirely different principles so that a catastrophic break in SHA-2 would not affect SHA-3.
| Property | SHA-256 | SHA-3-256 |
|---|---|---|
| Digest length | 256 bits | 256 bits |
| Construction | Merkle–Damgård | Sponge |
| Hardware acceleration | Widely deployed | Growing |
| Software performance | Fast | Comparable to SHA-256 |
| Length extension attack | Vulnerable (mitigated by HMAC) | Immune |
BLAKE3 — The High-Speed Alternative
Specification
BLAKE3 was published in 2020. The official specification describes it as a successor to BLAKE2 (itself a finalist in the SHA-3 competition).
Speed Through Parallelism
BLAKE3's standout characteristic is its Merkle-tree internal structure, enabling SIMD vectorization and multi-threaded hashing.
Approximate throughput (x86-64, reference values):
BLAKE3: 2,000+ MB/s
SHA-256: 500–1,000 MB/s (without SHA-NI hardware extension)
SHA-3: 500–800 MB/s
MD5: 800–1,200 MB/s (fast but broken)
// Rust: canonical implementation
use blake3;
let hash = blake3::hash(b"Hello, World!");
println!("{}", hash.to_hex());
// Streaming for large inputs
let mut hasher = blake3::Hasher::new();
hasher.update(b"Hello, ");
hasher.update(b"World!");
let hash = hasher.finalize();
// JavaScript (Node.js)
const blake3 = require('blake3');
const hash = blake3.hash('Hello, World!');
console.log(hash.toString('hex'));
NIST Standardization Status
As of April 2026, BLAKE3 is not a NIST standard. NIST has not initiated a standardization process for BLAKE3. For regulated environments, government systems, or FIPS compliance requirements, BLAKE3 is not an eligible choice — use SHA-256 or SHA-3.
Comprehensive Comparison
| Algorithm | Digest Length | Speed (relative) | Security | NIST Standard | Use Case |
|---|---|---|---|---|---|
| MD5 | 128 bits | Fast | ❌ Broken | Deprecated | Non-security checksums only |
| SHA-1 | 160 bits | Fast | ❌ Collision proven | Deprecated | Avoid entirely |
| SHA-256 | 256 bits | Medium | ✓ Secure | FIPS 180-4 | General purpose |
| SHA-512 | 512 bits | Medium | ✓ Secure | FIPS 180-4 | High-security contexts |
| SHA-3-256 | 256 bits | Medium | ✓ Secure | FIPS 202 | SHA-2 backup / regulatory |
| BLAKE3 | 256 bits+ | Very fast | ✓ Secure | None (as of 2026) | High-throughput checksums |
Choosing by Use Case
File Integrity (Checksums)
Recommendation: SHA-256. Even though MD5 and SHA-1 can detect accidental corruption, if the checksum is distributed alongside the file on the same server, an attacker who compromises the server can replace both. SHA-256 provides no additional cost and is universally supported.
# Linux/macOS
sha256sum ubuntu-24.04-desktop-amd64.iso
shasum -a 256 ubuntu-24.04-desktop-amd64.iso
# Windows (PowerShell)
Get-FileHash file.iso -Algorithm SHA256
Use the File Hash Checker to verify file hashes in your browser.
Digital Signatures and TLS Certificates
SHA-256 (or SHA-384/SHA-512) only. TLS 1.3 (RFC 8446) mandates SHA-256 as part of its cipher suite requirements. SHA-384 is preferred for ECDSA P-384 key pairs.
HMAC for API Authentication
HMAC-SHA256. HMAC wraps SHA-256 in a construction that prevents length extension attacks without needing to use SHA-3.
import hmac
import hashlib
key = b'your-secret-key'
message = b'data to authenticate'
mac = hmac.new(key, message, hashlib.sha256).hexdigest()
# Constant-time comparison to prevent timing attacks
def verify_mac(received: str, expected: str) -> bool:
return hmac.compare_digest(received, expected)
Password Hashing
Never use SHA-256 or BLAKE3 directly for password hashing. They are too fast — a modern GPU can compute billions of SHA-256 hashes per second, making brute-force trivial.
Use a deliberately slow, memory-hard algorithm:
| Algorithm | Recommendation | Notes |
|---|---|---|
| Argon2id | Best | Winner of the 2015 Password Hashing Competition. Tunable time, memory, and parallelism. |
| bcrypt | Recommended | Battle-tested since 1999 |
| scrypt | Recommended | Memory-hard, harder to parallelize than bcrypt |
| PBKDF2 | Acceptable | NIST-recommended; weaker than alternatives for general use |
from argon2 import PasswordHasher
ph = PasswordHasher(
time_cost=3, # iterations
memory_cost=65536, # 64 MB
parallelism=2 # threads
)
# Hash
hash_value = ph.hash("user-password")
# Verify
try:
ph.verify(hash_value, "user-password") # returns True if match
except Exception:
pass # password mismatch
Use the Hash Generator to compute and compare hash values for any algorithm.
Summary
| Use Case | Recommended |
|---|---|
| General digital signatures / TLS | SHA-256 |
| HMAC for API authentication | HMAC-SHA256 |
| Password storage | Argon2id |
| High-throughput checksums (non-regulated) | BLAKE3 |
| NIST-regulated fallback | SHA-3-256 |
| File integrity checksums | SHA-256 (not MD5 or SHA-1) |
MD5 and SHA-1 remain present in legacy code, but there is no reason to use them in new development for security-sensitive purposes. SHA-256 for general cryptographic hashing, Argon2id for passwords — that is the practical standard in 2026.
References
- NIST FIPS 180-4 — Secure Hash Standard (SHA-2 family)
- NIST FIPS 202 — SHA-3 Standard (Keccak)
- RFC 1321 — The MD5 Message-Digest Algorithm
- SHAttered — Practical SHA-1 Collision — Stevens et al., 2017
- BLAKE3 Specification — O'Connor et al., 2020
- RFC 9106 — Argon2 Memory-Hard Function for Password Hashing