How to Hash a Password — MD5, SHA-256 & Bcrypt Guide

Password hashing is one of the most critical steps in securing user data. Whether you're building an application, managing credentials, or simply trying to understand how password storage works, this guide covers the three most common hashing algorithms — MD5, SHA-256, and Bcrypt — and explains when to use each.

What Is Password Hashing?

Hashing is a one-way transformation that converts an input (such as a password) into a fixed-length string of characters. Unlike encryption, hashing has no key and is designed to be irreversible: you cannot recover the original password from its hash. That is what makes it suitable for password storage. If your database is compromised, attackers get hashes rather than plaintext and must guess candidate passwords and hash each one to find a match, which is why the cost of computing the hash matters so much.

A good hashing algorithm produces a completely different output even for inputs that differ by a single character. This property, called the avalanche effect, ensures that similar passwords produce unrelated hashes, so an attacker learns nothing about one password from the hash of a near-identical one.
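The avalanche effect is easy to measure: hash two inputs that differ in one character and count how many output bits changed. The script below is an added example, not code from the original page or from ToolStack; it uses Python's standard hashlib and two constructed inputs, the page's "password123" and the one-character neighbour "password124" (an assumption chosen for illustration). Roughly half the bits of both the MD5 and SHA-256 digests flip.

```python
import hashlib

# Constructed sample inputs: the page's example password and a neighbour
# that differs from it in exactly one character.
SAMPLE_PASSWORD = "password123"
NEIGHBOUR_PASSWORD = "password124"


def digest_hex(algorithm, text):
    """Hex digest of text (UTF-8 encoded) under the named hashlib algorithm."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def hamming_bits(hex_a, hex_b):
    """Number of bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(algorithm, a, b):
    """Hash both inputs and report how many of the output bits flipped."""
    ha, hb = digest_hex(algorithm, a), digest_hex(algorithm, b)
    total_bits = len(ha) * 4          # each hex character encodes 4 bits
    flipped = hamming_bits(ha, hb)
    return {
        "algorithm": algorithm,
        "hash_a": ha,
        "hash_b": hb,
        "bits_flipped": flipped,
        "total_bits": total_bits,
        "flip_ratio": flipped / total_bits,
    }


if __name__ == "__main__":
    for alg in ("md5", "sha256"):
        r = avalanche_report(alg, SAMPLE_PASSWORD, NEIGHBOUR_PASSWORD)
        print(f"{r['algorithm']}: {r['bits_flipped']}/{r['total_bits']} bits "
              f"differ ({r['flip_ratio']:.0%})")
        print(f"  {SAMPLE_PASSWORD!r:16} -> {r['hash_a']}")
        print(f"  {NEIGHBOUR_PASSWORD!r:16} -> {r['hash_b']}")
```

For an ideal hash the expected flip ratio is exactly 50%; a ratio far from that for many input pairs would be a sign of a badly designed function. Note that the avalanche effect says nothing about resistance to guessing: an attacker who can afford to hash every likely password does not need similar inputs to map to similar outputs.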

MD5 Hashing

MD5 (Message Digest 5) produces a 128-bit hash value, typically displayed as a 32-character hexadecimal string. It was designed by Ronald Rivest in 1991 and was once widely used for checksums and password storage.

Input: password123

MD5: 482c811da5d5b4bc6d497ffa98491e38

⚠️ Security Warning: MD5 is cryptographically broken. Collisions (two different inputs with the same hash) can be produced in seconds on commodity hardware. For password storage the bigger problem is that MD5 is extremely fast and has no salt or work factor, so leaked MD5 hashes fall to dictionary and brute-force attacks almost immediately. Never use it for passwords. It remains acceptable only for non-security checksums, such as detecting accidental corruption of a file, where no attacker is trying to forge a match.

SHA-256 Hashing

SHA-256 (Secure Hash Algorithm 256-bit) is part of the SHA-2 family designed by the NSA. It produces a 256-bit hash, displayed as a 64-character hexadecimal string. SHA-256 is significantly more secure than MD5 and is used in blockchain, TLS certificates, and digital signatures.

Input: password123

SHA-256: ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

While SHA-256 is a sound cryptographic hash, it is a fast one: modern GPUs can compute billions of SHA-256 hashes per second. A per-user salt defeats precomputed (rainbow) tables, but it does nothing about the speed, so a salted SHA-256 hash still falls to per-password dictionary and brute-force attacks. If you must build on SHA-256 for passwords, use it inside a deliberately slow construction such as PBKDF2-HMAC-SHA256, never on its own.
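The two attacks mentioned above look different from the attacker's side. The script below is an added example, not code from the original page or from ToolStack; it uses a constructed six-word wordlist standing in for a real password dictionary. Against unsalted SHA-256 the attacker precomputes a hash-to-password table once and recovers a leaked hash with a single lookup; with a salt the table is useless, but hashing each guess with the stolen salt still succeeds after a handful of SHA-256 calls, because nothing about the salt makes the hash slow.

```python
import hashlib
import os

# Constructed wordlist standing in for a real password dictionary.
WORDLIST = ["123456", "qwerty", "letmein", "password", "password123", "hunter2"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. This is the core of a rainbow-table
    style attack on unsalted fast hashes (a real table holds billions of
    entries, but the principle is identical)."""
    return {sha256_hex(w.encode("utf-8")): w for w in wordlist}


def crack_unsalted(stolen_hash, table):
    """One dictionary lookup; no hashing at attack time at all."""
    return table.get(stolen_hash)


def crack_salted(stolen_hash, salt, wordlist):
    """With a per-user salt the precomputed table is useless, so the attacker
    hashes every guess together with that user's salt instead.
    Returns (password_or_None, number_of_hashes_computed)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if sha256_hex(salt + candidate.encode("utf-8")) == stolen_hash:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # Unsalted storage: the leaked hash is found with one table lookup.
    leaked = sha256_hex(b"password123")
    print("unsalted, table lookup:   ", crack_unsalted(leaked, table))

    # Salted storage: the same password no longer appears in the table...
    salt = os.urandom(16)
    leaked_salted = sha256_hex(salt + b"password123")
    print("salted, table lookup:     ", crack_unsalted(leaked_salted, table))
    # ...but per-hash guessing with the stolen salt recovers it after 5 hashes.
    print("salted, per-hash guessing:", crack_salted(leaked_salted, salt, WORDLIST))
```

The salt forces the attacker to spend one hash computation per guess per user instead of one table lookup; at billions of SHA-256 operations per second that is still no obstacle. Only a slow, tunable function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) turns each of those guesses into real cost.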

Bcrypt Hashing

Bcrypt is a password-hashing function specifically designed for storing passwords. Based on the Blowfish cipher, it includes a built-in salt and is intentionally slow — the work factor can be increased over time as hardware gets faster.

Input: password123

Bcrypt: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

The $2a$10$ prefix encodes the variant (2a here; current libraries emit 2b) and the cost factor. The 22 characters after it are the salt and the final 31 are the hash, both in bcrypt's own base64 alphabet, for a fixed 60-character string. A cost of 10 means 2^10 (1,024) rounds of bcrypt's expensive key setup, which puts a single hash at tens of milliseconds on a current CPU versus well under a microsecond for SHA-256, roughly five orders of magnitude slower. Because the salt is generated at random, hashing the same password twice yields two different strings; verification works by reading the cost and salt back out of the stored hash and recomputing. One caveat: bcrypt uses only the first 72 bytes of the password and silently ignores the rest, so reject or pre-hash longer inputs. With those points in mind, bcrypt remains a recommended approach for password storage.
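Reading those fields back out is exactly what a verifier does, and it is also how you upgrade old hashes when you raise the cost factor. The script below is an added example, not code from the original page or from any bcrypt library; it parses the page's example hash (used here purely as a parsing sample) into version, cost, salt and digest, flags hashes that fall below a target cost or use an older variant (the rehash policy is an assumption of this example), and checks the 72-byte input limit. It does not compute bcrypt itself.

```python
import re

# bcrypt strings use their own base64 alphabet, not the standard one.
# Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest> (60 chars)
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# The page's example hash, used here as a constructed parsing sample.
EXAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def parse_bcrypt(hash_str):
    """Split a 60-character bcrypt string into its four fields.
    Raises ValueError if the layout or the cost is not valid."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:          # the range bcrypt implementations accept
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,         # key-setup iterations implied by the cost
        "salt": salt,
        "digest": digest,
    }


def needs_rehash(stored_hash, target_cost, target_version="2b"):
    """Policy check (an assumption of this example): a stored hash made with a
    lower cost, or an older variant, than current policy should be regenerated
    the next time the user logs in and the plaintext is briefly available."""
    fields = parse_bcrypt(stored_hash)
    return fields["cost"] < target_cost or fields["version"] != target_version


def exceeds_bcrypt_limit(password):
    """bcrypt only consumes the first 72 bytes of the password; anything beyond
    that is silently truncated, so callers should reject or pre-hash it."""
    return len(password.encode("utf-8")) > 72


if __name__ == "__main__":
    fields = parse_bcrypt(EXAMPLE_HASH)
    for name, value in fields.items():
        print(f"{name:8} {value}")
    print("rehash at cost 12?", needs_rehash(EXAMPLE_HASH, 12))
    print("73-byte password truncated?", exceeds_bcrypt_limit("a" * 73))
```

Because the cost lives inside the hash, a deployment can raise its target cost without touching stored rows: each user's hash is checked against policy at login and replaced with a fresh one at the new cost once the password has been verified.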

Comparison: Which Should You Use?

Feature            MD5          SHA-256                          Bcrypt
Output length      128-bit      256-bit                          184-bit hash (60-char string)
Speed              Very fast    Fast                             Slow by design, tunable cost
Built-in salt      No           No                               Yes
Password storage   ❌ Never     ⚠️ Only inside a slow KDF        ✅ Recommended
                                (e.g. PBKDF2-HMAC-SHA256)

Try It Online

Generate a Password Hash Instantly

Use ToolStack's free online generators to hash values with MD5, SHA-256, or Bcrypt; no installation required. Paste a value, choose an algorithm, and get the hash in seconds. Use throwaway test strings, never a real credential: anything pasted into a third-party web tool leaves your machine.

Best Practices

  • Never store plaintext passwords. Always hash before saving to a database.
  • Use Bcrypt, Argon2, or Scrypt for password storage. Avoid MD5 and plain SHA hashes, salted or not; if you must build on SHA-256, use it inside PBKDF2.
  • Add a unique random salt to each password before hashing. Bcrypt handles this automatically.
  • Increase the cost factor over time as hardware improves. A cost of 10-12 is reasonable for most applications; calibrate it so one hash takes tens of milliseconds on your servers. Bcrypt stores the cost inside the hash, so existing hashes can be upgraded at the user's next login.
  • Consider password entropy. A longer passphrase is often more secure than a short complex password.
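Putting the practices above together, here is a complete hash-and-verify routine as an added example; it is not code from the original page or from ToolStack. It uses PBKDF2-HMAC-SHA256 from Python's standard hashlib because that needs no third-party package (bcrypt, scrypt or Argon2 would be used the same way): a random per-password salt, a deliberately high iteration count stored alongside the hash, and a constant-time comparison on verification. The iteration count and record layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Policy values assumed for this example. A real deployment calibrates
# ITERATIONS so that one hash takes tens of milliseconds on its own servers.
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$digest".
    A fresh random salt is drawn per call, so hashing the same password twice
    never yields the same record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time. Malformed records verify as False
    rather than raising, so callers cannot be tricked into an exception path."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so timing
    # reveals nothing about how much of the digest matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("password123")
    print("stored record:", record)
    print("correct password verifies:", verify_password("password123", record))
    print("wrong password verifies:  ", verify_password("password124", record))
    print("second hash differs:      ", hash_password("password123") != record)
```

Storing the iteration count in the record is what allows the cost to be raised later: new passwords get the higher count immediately, and an existing user's record can be regenerated right after a successful login, when the plaintext is briefly in hand.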
