MD5 vs SHA-256: Which Hash Should You Use in 2026?
MD5 vs SHA-256 explained: speed, security, output length, collision attacks, and real-world use cases. Why SHA-256 is the modern default and where MD5 still survives.
Tutorials and explainers covering everything from "is MD5 still safe?" to "how to verify a Linux ISO download." Written for developers, sysadmins, and the curious. All articles are evergreen — no news, no fluff.
MD5 has been cryptographically broken since 2004 — but it's still everywhere. A practical guide to when MD5 is acceptable, when it's dangerous, and what to use instead.
Step-by-step guide to verifying SHA-256 checksums on Windows (PowerShell, CertUtil), macOS (shasum), Linux (sha256sum), and in the browser without installing anything.
bcrypt, Argon2id, scrypt, and PBKDF2 compared for password storage. OWASP 2026 recommendations, cost factor tuning, memory hardness, and which one to choose for new code.
Hash functions explained without the math. What hashing is, how it works, where you encounter it (passwords, file integrity, blockchain), and the difference between cryptographic and non-cryptographic hashes.
A salt is what stops attackers from cracking everyone's password at once. Plain-English guide to salts, peppers, rainbow tables, and how bcrypt and Argon2 handle salts automatically.
SHA-1 was the web's default hash from 1995 to 2017. Then SHAttered happened. Why SHA-1 is deprecated, where it still lingers, and what to use instead in 2026.
The bcrypt cost factor controls how slow your password hash is. OWASP 2026 recommendations, how to benchmark on your hardware, and when to upgrade existing hashes.
CRC-32 vs Adler-32 vs MD5 for non-security checksums. Speed, collision rate, error detection, and which one belongs in your network protocol, archive format, or file dedup system.
Verify Ubuntu, Fedora, Debian, and other Linux ISO downloads with SHA-256 — and check the signature on the SHA256SUMS file to confirm it's authentic. Complete walkthrough.
FNV-1a and DJB2 are the two classic non-cryptographic string hashes for in-memory hash tables. How they work, how they compare, and when to reach for something else.
SHA-224 is SHA-256 with truncated output. The math is nearly identical — but the use cases are narrower. When SHA-224 makes sense and when SHA-256 is the right call.
SHA-384 is SHA-512 with truncated output and different initial values. When to use the shorter variant, when SHA-512 is the right call, and why both are faster than SHA-256 on 64-bit CPUs.
Real password-storage mistakes from real breaches — from MD5 in 2024 to homemade salts to broken upgrade paths. Don't ship any of these.
Hash collisions explained: the birthday paradox, the SHAttered SHA-1 break, the MD5 forged certificate, and why SHA-256 is still safe. A plain-English guide.