What Is a Hash and How Is It Used for Passwords?
May 25, 2026 · 5 min read
Hashing is how websites store passwords without actually storing them. Here's what SHA-256 and MD5 mean in plain English.
When you create a password on a website, the site doesn't store your actual password. It runs it through a hash function and stores the result. When you log in, it hashes what you typed and compares it to the stored hash. If they match, you're in. Your actual password never sits in anyone's database.
What makes a hash function special
A hash function has three key properties. First, it's one-way: given the hash, you can't work backwards to the original input. Second, it's deterministic: the same input always produces the same hash. Third, it's sensitive: changing a single character in the input produces a completely different hash.
These properties make hashes useful for verification without storage. The website can verify you know the password without ever needing to know what it is.
SHA-256 vs MD5
MD5 produces a 32-character hash and was once the standard. It's now considered cryptographically broken — not because someone reversed the hash, but because researchers found ways to create two different inputs that produce the same hash (a 'collision'). For anything security-sensitive, MD5 should not be used.
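SHA-256 (part of the SHA-2 family) produces a 64-character hash and is currently considered secure. It's the standard for modern password storage, digital signatures, and data integrity verification. For passwords, it is applied with a per-user salt and many iterations (as in PBKDF2-HMAC-SHA256) rather than as a single bare hash, so that guessing is slow. SHA-384 and SHA-512 are longer variants offering additional security margin.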
Common uses for hash generators
- Verifying a downloaded file hasn't been tampered with — compare the hash on the website to the hash of your download.
- Checking data integrity — hash a file before and after transfer to confirm it arrived intact.
- Development and testing — generating test checksums, building cache keys.
- Learning and exploration — understanding how a small input change produces a completely different hash.
Hashing is not encryption
Encryption is two-way: you can decrypt ciphertext back to plaintext with the right key. Hashing is one-way: you cannot reverse a hash to get the original input. This distinction matters. Encrypted passwords can be decrypted if the key is compromised. Hashed passwords cannot be reversed — attackers can only try inputs and compare hashes.
Hash generators that run entirely in your browser keep your input on your device. That is useful when you need to hash something sensitive and don't want it travelling to a server.