MD5 vs SHA-256: Which Hash Should You Use?
MD5 is still everywhere. SHA-256 is the default you should reach for. Here is when each one is acceptable, and when using MD5 is an actual security bug.
The short answer
- Integrity with adversaries in the mix? Use SHA-256.
- Non-adversarial integrity (cache keys, dedup, ETags)? MD5 is fine.
- Anything touching auth, signatures or tamper detection? SHA-256 or better — MD5 is broken.
Why MD5 is broken
MD5 has had practical collision attacks since 2004. That means an attacker can produce two different inputs with the same MD5 digest. For threat intel feeds, malware distribution, and digital signatures, that is game over.
It does not mean MD5 becomes useless overnight. Computing and comparing MD5s is fast, and collisions have to be crafted — you will not hit one by accident. So MD5 remains fine for:
- Content-addressable caches
- Deduplication
- Change detection on non-adversarial data
- Quick file fingerprints for internal tooling
Why SHA-256 is the default
SHA-256 (SHA-2 family) has no known practical collision attack. It is fast enough on modern hardware that the "MD5 is cheaper" argument rarely survives a benchmark on real workloads.
If you are writing new code today, default to SHA-256. For password hashing, do not use either — use Argon2id or bcrypt.
Side-by-side
| Property | MD5 | SHA-256 |
|---|---|---|
| Output size | 128 bits | 256 bits |
| Collision resistance | Broken | Intact |
| Performance | Slightly faster | Fast |
| Use for signatures | ❌ | ✅ |
| Use for cache keys | ✅ | ✅ |
Want to play with both? Try the hash generator tool.
If you are still hashing IOCs with MD5 only, start shipping SHA-256 alongside. Every modern threat intel feed does.
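One way to ship SHA-256 alongside MD5, as an added example rather than code from this page: hash each sample once to get both digests, keep MD5 as a lookup key only, and act only on a SHA-256 match. The record layout (`md5` and `sha256` keys) and the status names are assumptions made for the illustration.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size; keeps memory flat on large samples


def fingerprint(stream):
    """Hash a binary stream in one pass and return both hex digests."""
    md5 = hashlib.md5(usedforsecurity=False)  # lookup key only, Python 3.9+
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def match_ioc(digests, ioc):
    """Compare a file's digests with one IOC record (hypothetical schema).

    confirmed : SHA-256 matches, safe to act on
    md5-only  : record carries no SHA-256 and MD5 matches; a lead, not proof
    conflict  : MD5 matches but SHA-256 differs (crafted collision or bad record)
    no-match  : nothing matches
    """
    # Feeds ship hex in mixed case and with stray whitespace; normalise first.
    want_md5 = (ioc.get("md5") or "").strip().lower()
    want_sha = (ioc.get("sha256") or "").strip().lower()
    md5_hit = bool(want_md5) and want_md5 == digests["md5"]
    if want_sha:
        if want_sha == digests["sha256"]:
            return "confirmed"
        return "conflict" if md5_hit else "no-match"
    return "md5-only" if md5_hit else "no-match"


# Constructed sample data, not real indicators.
SAMPLE = b"constructed sample payload\n" * 4096
digests = fingerprint(io.BytesIO(SAMPLE))
legacy_record = {"md5": digests["md5"].upper()}            # MD5-only feed entry
full_record = {"md5": digests["md5"], "sha256": digests["sha256"]}
bad_record = {"md5": digests["md5"], "sha256": "0" * 64}   # same MD5, other content

if __name__ == "__main__":
    for name, rec in [("legacy", legacy_record), ("full", full_record), ("bad", bad_record)]:
        print(name, match_ioc(digests, rec))
```

A `conflict` result is the case the collision weakness makes possible: two different contents sharing one MD5, which an MD5-only record cannot tell apart.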