Published April 14, 2026 · By Tom Cannon
You've probably seen a string of random-looking characters next to a download link — something like "SHA-256: e3b0c44298fc1c14..." and wondered what it means. That string is a hash, and it's one of the most important tools in computing for ensuring data integrity. Here's why you should care.
A hash function takes any input — a file, a message, a password — and produces a fixed-size string called a hash value, digest, or checksum. Think of it as a digital fingerprint: unique to that specific input, consistent every time, and practically impossible to reverse. If even one bit of the input changes, the hash changes completely. This is called the avalanche effect.
SHA-256, the most widely used hash algorithm today, always produces a 64-character hexadecimal string (256 bits) regardless of whether the input is a single letter or a 100 GB file.
Download verification: When you download software (especially from mirrors or third-party sites), comparing the file's hash against the publisher's official hash confirms the file is authentic and uncorrupted. If the hashes don't match, the file was modified — possibly by a man-in-the-middle attack, corruption during transfer, or tampering at the mirror site. Password storage: Responsible websites never store your actual password. They store a hash of your password. When you log in, the site hashes what you typed and compares it to the stored hash. Even if the database is breached, the attacker gets hashes, not passwords — and hashes can't be reversed to recover the original passwords (though weak passwords can be cracked via dictionary attacks). Digital signatures: When you digitally sign a document or software update, the signature is computed over the hash of the content. This proves the content hasn't been modified since it was signed. Data deduplication: Cloud storage and backup services use hashes to identify duplicate files. If two files have the same hash, they're identical — no need to store both copies. Blockchain: Cryptocurrency systems are built on hash functions. Bitcoin mining is essentially a race to find a number that, when combined with the block data and hashed, produces a result with a certain number of leading zeros.
MD5 (128 bits) — Once the standard, now considered broken for security purposes. Collision attacks (finding two different inputs with the same hash) have been demonstrated practically. Still used for non-security checksums but should not be relied upon for integrity verification. SHA-1 (160 bits) — Stronger than MD5 but also considered weak. Google demonstrated a practical collision attack in 2017. Still used in Git but being phased out. SHA-256 (256 bits) — The current standard. No known practical attacks. Used in SSL/TLS, Bitcoin, code signing, and most modern integrity verification. SHA-512 (512 bits) — Larger output, slightly stronger security. Paradoxically, it's actually faster than SHA-256 on 64-bit processors.
Most operating systems have built-in tools. On Windows PowerShell: Get-FileHash file.zip -Algorithm SHA256. On macOS/Linux terminal: sha256sum file.zip or shasum -a 256 file.zip. Compare the output character by character against the published hash. They must be identical.
For hashing text strings — useful for learning, testing, or generating checksums for short data — our SHA hash generator computes SHA-1, SHA-256, SHA-384, and SHA-512 instantly in your browser.
Always verify hashes when downloading operating system ISOs (Windows, Linux distros), security-critical software (password managers, encryption tools), cryptocurrency wallets, large files from mirror sites, and files from untrusted or unknown sources. It takes 10 seconds and could save you from running compromised software.
Free weekly tips on image optimization, PC gaming, and web development. No spam.
We respect your privacy. Unsubscribe anytime.