When to Use MD5, SHA-1, or SHA-256

MD5 and SHA-1 are considered cryptographically broken for security purposes. That doesn't mean they're useless — they're still widely used for non-security purposes where collision resistance doesn't matter. Knowing the distinction prevents both unnecessary paranoia and inappropriate trust.

Algorithm overview

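| Algorithm | Output size | Speed | Collision resistance | Security status |
|-----------|-------------|-------|----------------------|-----------------|
| MD5 | 128 bits (32 hex chars) | Very fast | Broken | Not for security |
| SHA-1 | 160 bits (40 hex chars) | Fast | Broken | Not for security |
| SHA-256 | 256 bits (64 hex chars) | Fast | Strong | Secure |
| SHA-512 | 512 bits (128 hex chars) | Moderate | Very strong | Secure |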

When MD5 is still appropriate

File integrity checksums. MD5 checksums are used to verify that a file download completed correctly — detecting accidental corruption, not deliberate tampering. If you download a file and the MD5 matches what the server published, the file arrived intact. This isn't a security use; it's a transmission verification use where MD5's known weaknesses don't matter.
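As an added example (not code from the original article), the following Python sketch verifies a download against a published checksum and reports whether the algorithm behind that checksum is collision resistant, using the hex lengths from the algorithm overview. The function name `verify_checksum` and the length-to-algorithm mapping are assumptions made for illustration; the sample input is constructed.

```python
import hashlib
import hmac
import io

# Hex digest length -> (hashlib name, collision resistant?), per the overview table.
# Assumption: length identifies the algorithm. Other hashes share these lengths
# (SHA3-256 is also 64 hex chars), so a real tool should take the name explicitly.
BY_HEX_LENGTH = {
    32: ("md5", False),
    40: ("sha1", False),
    64: ("sha256", True),
    128: ("sha512", True),
}
HEX_CHARS = set("0123456789abcdef")


def verify_checksum(stream, published_hex, chunk_size=65536):
    """Return (algorithm, matches, collision_resistant) for a binary stream."""
    published_hex = published_hex.strip().lower()
    if not set(published_hex) <= HEX_CHARS or len(published_hex) not in BY_HEX_LENGTH:
        raise ValueError("not an MD5/SHA-1/SHA-256/SHA-512 hex digest")
    name, collision_resistant = BY_HEX_LENGTH[len(published_hex)]

    digest = hashlib.new(name)
    # Hash in chunks so a large download is never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)

    # Constant-time comparison; harmless for public checksums, a good habit.
    matches = hmac.compare_digest(digest.hexdigest(), published_hex)
    # With MD5 or SHA-1 a match only shows the transfer was not corrupted.
    return name, matches, collision_resistant


if __name__ == "__main__":
    sample = b"abc"  # constructed sample "download"
    published = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": hashlib.sha256(sample).hexdigest(),
    }
    for label, value in published.items():
        name, ok, strong = verify_checksum(io.BytesIO(sample), value)
        use = "tamper detection" if strong else "corruption detection only"
        print(f"{label}: detected={name} match={ok} suitable for {use}")
```

A matching SHA-256 digest only says something about tampering when the published value itself was obtained over a channel the attacker cannot modify.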

Cache keys and partitioning. MD5 is fast and produces well-distributed values. Using MD5 of a URL or content to generate a cache key is fine — there's no security concern here.

Legacy system compatibility. Systems built in the 1990s and early 2000s often use MD5 for internal operations. Replacing these with SHA-256 is desirable but not always immediately feasible.

When SHA-1 is still encountered

SHA-1 was the standard for many years and remains in Git's object model (though Git is migrating to SHA-256). It appears in older TLS certificates (which should no longer be issued), older SSH fingerprints, and various legacy checksum schemes. Most active use of SHA-1 is legacy code that hasn't been updated.

Do not use SHA-1 for new code. SHA-256 is fast enough for any context where SHA-1 was appropriate.

When SHA-256 is required

Use SHA-256 (or stronger) for: digital signatures, HMAC message authentication, TLS/SSL certificate signing, password hashing inputs (though BCrypt/Argon2 are better for passwords), JWT signing (HS256 uses HMAC-SHA-256), and any context where an attacker might try to find two inputs that produce the same hash.

SHA-256 is not a password hasher. SHA-256 is fast, which is a liability for passwords — an attacker with modern GPU hardware can try billions of passwords per second against a SHA-256 hash. Use BCrypt, Argon2, or scrypt for passwords, which are designed to be slow.