Hash Function Demo

Compare cryptographic hash functions and explore security properties

Hash Outputs

  • MD5 ⚠️ BROKEN - Length: 128 bits (32 hex)
  • SHA-1 ⚠️ DEPRECATED - Length: 160 bits (40 hex)
  • SHA-256 ✅ SECURE - Length: 256 bits (64 hex)
  • SHA-512 ✅ SECURE - Length: 512 bits (128 hex)

Avalanche Effect Demonstration

Change one character in the input and see how many bits change in the hash output.

Collision Resistance Test

Try to find two different inputs that produce the same hash. (Spoiler: You won't succeed with SHA-256!)

Help

What is a Hash Function?

A hash function is a one-way mathematical function that converts input data of any size into a fixed-size output called a hash or digest.

Key properties:

  • Deterministic: Same input always produces same output
  • Fast: Quick to compute
  • One-way: Cannot reverse the hash to get original input
  • Avalanche effect: Small change in input causes large change in output
  • Collision resistant: Hard to find two inputs with same output

Why are MD5 and SHA-1 Broken?

MD5 and SHA-1 are considered cryptographically broken because researchers have demonstrated practical collision attacks - creating two different inputs that produce the same hash.

Real-world impacts:

  • MD5: The Flame malware (2012) used MD5 collisions to forge a Microsoft certificate
  • SHA-1: The SHAttered attack (2017) generated two different PDFs with identical SHA-1 hashes

Current status:

  • MD5: Should not be used for any security purpose
  • SHA-1: Being phased out; major browsers no longer trust SHA-1 certificates
  • Use SHA-256 or SHA-512 for all new applications

What is the Avalanche Effect?

The avalanche effect means that changing even a single bit in the input should change approximately half of the bits in the output hash.

Why it matters: This property prevents attackers from finding patterns or relationships between similar inputs, making the hash function more secure.

Example: Changing "hello" to "Hello" (one character) completely transforms the SHA-256 hash - approximately 50% of the bits flip.

What is Collision Resistance?

Collision resistance means it should be computationally infeasible to find two different inputs that produce the same hash output.

Birthday paradox: By the birthday paradox, you'd expect to find a collision after approximately 2^(n/2) attempts for an n-bit hash.

Security levels:

  • MD5 (128-bit): ~2^64 attempts - achievable
  • SHA-1 (160-bit): ~2^80 attempts - demonstrated
  • SHA-256 (256-bit): ~2^128 attempts - infeasible
  • SHA-512 (512-bit): ~2^256 attempts - far beyond current capability
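
The 2^(n/2) birthday estimate above can be observed directly by truncating SHA-256 to a few bits, where collisions become cheap to find. This is an added example, not code from the demo page; the function names and the `demo-` message prefix are assumptions made for illustration.

```python
import hashlib
from itertools import count


def truncated_digest(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-256(data) as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"demo-"):
    """Hash prefix+0, prefix+1, ... until two truncated digests match.

    Returns (first_msg, second_msg, attempts). The prefix is a constructed
    sample value, not something taken from the page.
    """
    seen = {}  # truncated digest -> message that produced it
    for i in count():
        msg = prefix + str(i).encode()
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def scaling_table(sizes=(16, 24, 32)):
    """For each digest size, compare attempts used with the 2^(n/2) estimate."""
    rows = []
    for bits in sizes:
        _, _, attempts = find_collision(bits)
        rows.append((bits, attempts, 2 ** (bits // 2)))
    return rows


if __name__ == "__main__":
    print(f"{'bits':>4} {'attempts':>9} {'2^(n/2)':>8} {'2^n':>11}")
    for bits, attempts, estimate in scaling_table():
        print(f"{bits:>4} {attempts:>9} {estimate:>8} {2 ** bits:>11}")
    a, b, _ = find_collision(24)
    print(a, b, "collide on 24 bits; full SHA-256 digests still differ:",
          hashlib.sha256(a).digest() != hashlib.sha256(b).digest())
```

The same arithmetic applies when a digest is truncated to save space: a SHA-256 value cut to 64 bits offers only about 2^32 work against collisions.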

When to Use Which Hash Function?

  • Password Storage: Use bcrypt, Argon2, or PBKDF2 (NOT plain SHA-256!)
  • File Integrity: SHA-256 or SHA-512
  • Digital Signatures: SHA-256 or SHA-512
  • Checksums (non-security): CRC32 or MD5 (faster, but not secure)
  • Blockchain: SHA-256 (Bitcoin) or other specialized functions
  • Legacy Systems: May still require MD5/SHA-1, but migrate when possible

Common Use Cases

  • Digital Signatures: Hash the message before signing (faster than signing entire message)
  • Password Storage: Store hash of password, not plaintext
  • File Integrity: Verify downloads by comparing computed hash with published hash
  • Git: Uses hashes to identify commits and detect changes
  • Blockchain: Bitcoin uses double SHA-256 for mining and transactions
  • Data Deduplication: Identify duplicate files by comparing hashes

What Hashes DON'T Do

Common misconceptions about hash functions:

  • Encryption: Hashes are one-way and cannot be decrypted
  • Password Protection: Plain hashing is not enough - need salting and key stretching
  • Message Authentication: Need HMAC or digital signatures, not just hashing
  • Brute-force Protection: Weak passwords can still be cracked via rainbow tables