MD5 vs SHA1 vs SHA256: Which to Use?
Quick Comparison of Three Algorithms
| Algorithm | Output Bits | Hex Chars | Status |
|---|---|---|---|
| MD5 | 128 | 32 | Broken (collision attacks practical) |
| SHA1 | 160 | 40 | Broken (collision attacks demonstrated) |
| SHA256 | 256 | 64 | Secure (no known practical attacks) |

Performance (higher = faster):
MD5: 100%
SHA1: 80%
SHA256: 40%
SHA1 Security Status
SHA1's security status falls between MD5 and SHA256: more secure than MD5, but proven to no longer be secure. In 2017, Google and CWI Institute completed the first real SHA1 collision attack (the SHAttered project), generating two PDF files with different content but identical SHA1 values. This attack consumed approximately 6,500 CPU-years and 100 GPU-years of computation, an enormous cost, but proof that SHA1 is no longer secure against well-resourced attackers.
Major browsers and Certificate Authorities stopped accepting SHA1-signed TLS certificates starting 2016–2017. Git still uses SHA1 for object identification, but the practical collision threat in Git's use case is relatively manageable, and Git is already transitioning to SHA256.
Algorithm Recommendations by Scenario
- TLS/SSL certificate signing: SHA256 (required). MD5 and SHA1 certificates are not accepted by modern browsers.
- Git commit hashes: Historically SHA1; newer Git supports and recommends SHA256 (specify at init time)
- File integrity verification (tamper prevention): SHA256; MD5/SHA1 not recommended
- File deduplication/cache keys: MD5 or SHA1 (speed priority, usable when there's no security requirement)
- Password hashing: None of the three should be used alone for password hashing! Use bcrypt, Argon2, or PBKDF2
- HMAC (message authentication code): HMAC-SHA256 is currently the most widely used secure choice; HMAC-MD5 is no longer recommended
SHA1's Historical Significance
SHA1 was designed by NSA and published in 1995, long serving as the foundation of internet security infrastructure: TLS certificates, SSH keys, PGP/GPG signatures, Git version control, and more all used SHA1. With 32 more bits than MD5 (160 vs 128), it provided a stronger security margin, but was eventually broken as computing power increased. SHA1's retirement is a normal part of cryptographic evolution, reminding us that security standards must be updated over time.
Length Extension Attack: A Shared Weakness
MD5, SHA1, and SHA256 are all based on the Merkle-Damgård construction, making all three vulnerable to Length Extension Attacks. This attack allows an attacker to compute hash(secret + message + attacker_controlled) without knowing the original message content. The fix is to use HMAC (wrapping the message with a key), or to use SHA-3, which is not affected by this attack.
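The following is an added example, not part of the original page: a self-check showing why a tag built as SHA1(secret + message) can be continued from the digest and input length alone, while the same continuation fails against HMAC. SECRET, MSG, the suffix and all function names are constructed for illustration; SHA-1 is used because its compression function is the shortest of the three to write out, and HMAC-SHA1 stands in for HMAC only so the same helper applies.

```python
import hashlib, hmac, struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md_padding(total_len):
    """Padding SHA-1 appends to a total_len-byte input: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha1_compress(state, block):
    """One SHA-1 compression step: 5-word chaining state + 64-byte block -> new state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e))]

def extend(tag_hex, known_len, suffix):
    """Resume hashing from a published digest, using only the digest and input length."""
    glue = md_padding(known_len)  # padding the original hash already absorbed
    state = list(struct.unpack(">5I", bytes.fromhex(tag_hex)))  # digest == final state
    tail = suffix + md_padding(known_len + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = sha1_compress(state, tail[i:i + 64])
    return glue, struct.pack(">5I", *state).hex()

SECRET = b"constructed-demo-key"   # constructed; extend() never reads it
MSG = b"order=1001&qty=1"          # constructed sample message

def naive_tag(msg):                # weak construction: SHA1(secret || message)
    return hashlib.sha1(SECRET + msg).hexdigest()
def hmac_tag(msg):                 # HMAC-SHA1, only so the same SHA-1 helper applies
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()

def demo(suffix=b"&note=appended"):
    """Returns (naive scheme accepts extended tag, HMAC accepts extended tag)."""
    n = len(SECRET) + len(MSG)
    results = []
    for tag in (naive_tag, hmac_tag):
        glue, forged = extend(tag(MSG), n, suffix)
        results.append(hmac.compare_digest(forged, tag(MSG + glue + suffix)))
    return tuple(results)

print(demo())  # (True, False)
```

The naive verifier accepts the continued tag because a Merkle-Damgård digest is the hash's full internal state; HMAC's outer keyed hash hides that state, so the continued value never verifies.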
Simple Decision Tree
Is this security-sensitive?
├─ YES → Use SHA256 (or SHA-3/SHA-512)
│        Never use MD5 or SHA1
└─ NO (e.g., deduplication, caching)
   ├─ Speed critical? → MD5 (simple, fast)
   └─ Otherwise → SHA256 (future-proof)