Hash functions in practice
Cryptographic hash functions compress any amount of data into a fixed-size fingerprint that cannot feasibly be reversed, making them indispensable for verification workflows.
Choosing the right algorithm
MD5 is fast but considered cryptographically broken; use it only for checksums where collision resistance isn't critical.
SHA-1 is deprecated for security but still used in legacy systems. For new projects, prefer SHA-256 or stronger.
SHA-256 offers a good balance of security and performance, while SHA-512 provides the largest security margin of these options for sensitive applications.
Integrity versus authenticity
A hash alone proves only integrity: if the digest matches a reference value you trust, the file has not changed since it was hashed.
To prove authenticity, combine the hash with a digital signature or HMAC so you can also verify who produced it.
Output formats explained
Hexadecimal (hex) is the most common format, producing a string of 0-9 and a-f characters.
Base64 encoding produces a shorter output and is useful when embedding hashes in JSON or URLs.
Where hashes add value
- Publishing checksum files alongside software downloads
- Comparing large backups without transferring all bytes
- Detecting duplicate assets inside CDN or media libraries
- Verifying file integrity after download or transfer
Operational tips
- Store the algorithm name with every digest so future audits know which function was used
- Hash the canonical representation of structured data (sorted JSON keys) to avoid false mismatches
- Never use general-purpose hashes for password storage; use dedicated password hashers such as bcrypt or Argon2
- Use the compare feature to verify downloaded files against published checksums
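
The following is an added example, not code from the original page. It ties the operational tips to the integrity-versus-authenticity distinction above: digests carry their algorithm name, structured data is hashed in canonical form, and an HMAC is checked alongside the plain digest. The "algorithm:hex" tag format, the ALLOWED policy set and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

ALLOWED = {"sha256", "sha512"}  # assumption: local policy rejects MD5 and SHA-1


def canonical_bytes(obj) -> bytes:
    """Sorted keys and fixed separators: equal data always yields equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tagged_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return 'algorithm:hex' so the algorithm name travels with the digest."""
    if algorithm not in ALLOWED:
        raise ValueError(f"algorithm not allowed: {algorithm}")
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"


def tagged_mac(key: bytes, data: bytes, algorithm: str = "sha256") -> str:
    """Return 'hmac-algorithm:hex'; only a holder of the key can produce it."""
    if algorithm not in ALLOWED:
        raise ValueError(f"algorithm not allowed: {algorithm}")
    return f"hmac-{algorithm}:{hmac.new(key, data, algorithm).hexdigest()}"


def _matches(actual: str, expected: str) -> bool:
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(actual.encode(), expected.strip().lower().encode())


def verify_digest(data: bytes, tagged: str) -> bool:
    """Integrity only: anyone who can change the data can recompute this."""
    algorithm, _, expected = tagged.partition(":")
    return algorithm in ALLOWED and _matches(
        hashlib.new(algorithm, data).hexdigest(), expected)


def verify_mac(key: bytes, data: bytes, tagged: str) -> bool:
    """Authenticity: fails unless the tag was made with the same secret key."""
    scheme, _, expected = tagged.partition(":")
    algorithm = scheme[5:] if scheme.startswith("hmac-") else ""
    return algorithm in ALLOWED and _matches(
        hmac.new(key, data, algorithm).hexdigest(), expected)
```

A replaced file published with a freshly recomputed digest still passes verify_digest, but it fails verify_mac unless the publisher's key was also compromised.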