The core idea
A hash function takes any input — a word, a file, a document — and produces a fixed-length output called a hash (or digest). No matter how big the input, the output is always the same length.
For SHA-256, the output is always 64 hexadecimal characters (256 bits):
- Input: "hello" → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
- Input: "hello world" → b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576ece096b1c0c6e8e4 (completely different)
- Input: the entire works of Shakespeare → still 64 characters
The three properties that make hashes useful
1. Deterministic: the same input always produces the same output. Hash "hello" a billion times and you always get the same 64 characters.
2. One-way (pre-image resistant): given the hash output, you cannot compute the original input. You can verify that an input matches a hash, but you cannot reverse the hash to get the input.
3. Collision resistant: two different inputs should not produce the same hash. A good hash function makes finding a collision (two inputs with the same hash) computationally infeasible.
Real-world uses
File integrity verification
When you download software, the website often publishes a SHA-256 hash of the file. You hash the downloaded file yourself and compare. If they match, the file was not tampered with in transit. If they differ, the download was corrupted or modified.
Password storage
Databases store a hash of your password, not the password itself. When you log in, the system hashes your input and compares it to the stored hash. The database never holds your actual password — if it is breached, the attacker gets hashes, not plaintext passwords.
For passwords specifically, slow hashing algorithms like bcrypt are preferred — they are deliberately designed to be computationally expensive, making brute-force attacks slow.
Git commit IDs
Every Git commit has a SHA-1 hash (Git is migrating to SHA-256 in newer versions). This hash represents the exact state of the code, who made the commit, when, and the parent commit. Change any one character in the commit contents and the hash changes completely — ensuring the integrity of version history.
Blockchain
Each block in a blockchain contains the hash of the previous block. This creates a chain — changing any historical block changes its hash, which invalidates every subsequent block. The hash links are what make blockchain immutable.
Which hash function to use
| Use case | Recommended | Avoid |
|---|---|---|
| Password storage | bcrypt, Argon2id, scrypt | MD5, SHA-1, SHA-256 (too fast) |
| File integrity | SHA-256, SHA-3 | MD5, SHA-1 (broken) |
| Digital signatures | SHA-256, SHA-384 | MD5, SHA-1 |
| Non-security checksums | CRC32, xxHash (fast) | N/A — any works |
Generate hashes free
Test hash functions with real input using these free tools:
- SHA-256 hash generator
- MD5 hash generator
- Bcrypt generator and verifier
- Multi-algorithm hash generator (MD5, SHA-1, SHA-256, SHA-512)
All tools run in your browser — your input is never sent to any server.
Summary
- A hash function converts any input to a fixed-length output
- They are deterministic, one-way, and collision resistant
- Used for file integrity, password storage, Git, and blockchain
- Use bcrypt/Argon2 for passwords; SHA-256 for file checksums and signatures
- MD5 and SHA-1 are broken for security purposes — do not use them for new systems