Hashing explained — what MD5 and SHA-256 are for (and what they're not)
What a hash actually is, why you can't reverse one, where MD5 is still fine and where it's dangerous, and how to generate hashes locally.
A hash function takes any input — a word, a file, a gigabyte of video — and turns it into a fixed-length string of characters that looks random. The same input always produces the same hash; change a single byte and the hash changes completely. That second property is the whole reason hashes are useful, and it's worth understanding before you reach for one.
You can't undo a hash
The key thing: hashing is one-way. From the input you can always compute the hash, but from the hash you can't get the input back. There's no decrypt button, because no encryption happened — information is genuinely thrown away.
This is exactly why passwords get stored as hashes rather than plain text: if the database leaks, attackers have the hashes, not the passwords. And it's what makes a hash a perfect fingerprint — download a file, hash it, compare against the hash the publisher posted. Match means the file arrived intact and untampered. A single flipped bit in transit and the hashes won't match, so you'll know.
Where MD5 is fine and where it'll burn you
MD5 and SHA-1 are old and cryptographically broken — attackers can deliberately craft two different inputs that produce the same hash (a "collision"). So the line is:
- Don't use MD5 or SHA-1 for anything security-sensitive: password storage, digital signatures, verifying a download came from who you think. A determined attacker can game them.
- It's fine to use MD5 as a fast, non-security checksum — deduplicating files, a quick "did this change?" check, cache keys. Nobody's mounting a collision attack on your cache key.
For anything that matters, use SHA-256 (or SHA-512). They have no known practical collision attacks and are the sensible default in 2026.
| Algorithm | Status | Use for |
|---|---|---|
| MD5 | Broken | Fast checksums, dedup — never security |
| SHA-1 | Broken | Legacy only; avoid in new code |
| SHA-256 | Strong | The default for anything that matters |
| SHA-512 | Strong | Same, when you want a longer digest |
A hash is not encryption
Worth saying plainly, because the words get muddled: encryption is reversible if you have the key; hashing is reversible by no one. If you need to get the original data back later, you want encryption. If you only ever need to check something against a known value, you want a hash.
A neat consequence: because the same input always hashes to the same output, you can verify a password without ever storing it. Hash what the user typed, compare it to the stored hash, and you've checked the password while never keeping the password itself.
Generating them safely
Primova's Hash Generator produces MD5, SHA-1, SHA-256, and SHA-512 from text or a file, computed entirely in your browser with the Web Crypto API. That "in your browser" part isn't a footnote — if you're hashing something to check it, you almost certainly don't want to upload it to a server to do so. The file or text never leaves your machine.
Paste a string to fingerprint it, or drop in a download to verify it against the checksum the publisher listed. It's instant, and there's nothing to install: Hash Generator.