Tags: hashing, security, cryptography · Mar 30, 2026 · 6 min read

SHA-256, SHA-512, and Hash Functions: A Developer's Guide

Hash functions are everywhere in software development: Git commits, password storage, file integrity checks, digital signatures, and blockchain. Understanding how they work and which algorithm to choose is essential knowledge for any developer working with data integrity or security.

What Is a Hash Function?

A cryptographic hash function takes an input of any size and produces a fixed-length output called a digest. Good hash functions have three critical properties: they are deterministic (same input always yields the same output), they are irreversible (you cannot reconstruct the input from the digest), and they are collision-resistant (it is computationally infeasible to find two inputs producing the same digest).

Even a single-bit change in the input produces a completely different digest. This avalanche effect is what makes hashing useful for verifying data integrity.

The SHA Family

  • SHA-1 (160-bit) — deprecated since 2017. Collision attacks have been demonstrated publicly. Do not use for any security-sensitive purpose.
  • SHA-256 (256-bit) — the workhorse of modern hashing. Used in TLS certificates, Bitcoin, Git (since migrating from SHA-1), and most API signature schemes. Offers a strong balance of speed and security.
  • SHA-384 (384-bit) — a truncated version of SHA-512, sometimes used in TLS cipher suites that need a middle ground.
  • SHA-512 (512-bit) — provides a larger digest and is actually faster than SHA-256 on 64-bit processors due to its use of 64-bit arithmetic. Preferred when maximum collision resistance is needed or when running on 64-bit hardware.

Why MD5 Is Deprecated

MD5 produces a 128-bit digest and was once the standard for checksums and password hashing. However, practical collision attacks were demonstrated in 2004, and today you can generate MD5 collisions on a laptop in seconds. MD5 is still acceptable as a non-cryptographic checksum for detecting accidental corruption, but it must never be used for security, digital signatures, or password storage.

Choosing the Right Hash

For most applications, SHA-256 is the right default. Use it for file integrity verification, HMAC-based API authentication, content addressing, and general-purpose checksums. Choose SHA-512 when working on 64-bit systems where performance matters or when a specification requires it.

For password storage specifically, do not use raw SHA hashes. Passwords need purpose-built algorithms like bcrypt, scrypt, or Argon2 that include salting and deliberate computational cost to slow brute-force attacks. Raw SHA is too fast, allowing attackers to test billions of candidates per second.

Practical Developer Use Cases

  • Verify downloaded file integrity against a published checksum
  • Generate content-addressable cache keys from request bodies
  • Create HMAC signatures for webhook payloads
  • Produce deterministic IDs from composite data fields
  • Validate data integrity during transfer between services

Hash Any String Instantly

Generate SHA-256, SHA-512, MD5, and other hashes directly in your browser. Our hash generator processes everything locally with no data sent to a server.
