What is a Hash?
A cryptographic hash function takes any input (a password, a file, a message) and produces a fixed-length string of characters. It's like a fingerprint for data.
Input: "hello"
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Input: "hello!"
SHA-256: ce06092fb948d9ffac7d1a376e404b26b7575bcc11ee05a4615fef4fec3a308b
Change one character and the entire hash changes. This is called the "avalanche effect."
Key Properties
| Property | Meaning |
|---|---|
| Deterministic | Same input always produces same output |
| One-way | Can't reverse a hash to get the original input |
| Fixed length | Output is always the same size regardless of input |
| Collision resistant | Extremely hard to find two inputs with the same hash |
| Avalanche effect | Small input change = completely different output |
Common Hash Algorithms
| Algorithm | Output Size | Status | Use Case |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | Broken | File checksums (not security) |
| SHA-1 | 160 bits (40 hex chars) | Deprecated | Legacy systems |
| SHA-256 | 256 bits (64 hex chars) | Secure | General purpose, Bitcoin |
| SHA-512 | 512 bits (128 hex chars) | Secure | High security needs |
| bcrypt | 184 bits | Secure | Password storage |
| Argon2 | Configurable | Secure | Modern password storage |
Where You'll See This
- Password storage - Sites store hashes, not your actual password
- File integrity - Verify downloads haven't been tampered with
- Git commits - Every commit has a SHA-1 hash identifier
- Blockchain - Transactions linked by hashes
- Digital signatures - Sign a hash of a document, not the document itself
- Caching - Hash URLs/data to create cache keys
Password Hashing
⚠️ Never Store Plain Passwords
Always hash passwords before storing them. Use bcrypt, Argon2, or PBKDF2, NOT MD5 or SHA-256 alone: password-specific algorithms add a random salt to each hash and are intentionally slow, so guessing attacks against a leaked database cost the attacker real time.
```javascript
// BAD - Never do this
const password = "user123";
db.save({ password }); // Plain text!

// ALSO BAD - Too fast, no salt (a general-purpose hash, not a password hash)
const fastHash = sha256(password);

// GOOD - Using bcrypt; 10 is the cost factor (2^10 rounds) and the salt is
// generated for you and embedded in the output string
const bcryptHash = await bcrypt.hash(password, 10);
// Stores: $2b$10$N9qo8uLOickgx2ZMRZoMy...
```
Hashing vs Encryption
| | Hashing | Encryption |
|---|---|---|
| Reversible | No | Yes (with key) |
| Purpose | Verify data integrity | Protect data confidentiality |
| Output size | Fixed | Varies with input |
| Example | Password storage | Sending secret messages |
Common Gotchas
- MD5 is broken - Don't use for security. Two different files can have the same MD5.
- Rainbow tables - Precomputed hash lookups. That's why you need salts for passwords.
- Speed is bad for passwords - Fast hashing means fast brute-forcing. Use slow algorithms.
- Hash !== Encryption - You can't "decrypt" a hash. They're fundamentally different.
In Code
```javascript
// Browser (Web Crypto API)
async function sha256(message) {
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(hash))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}

// Node.js
const crypto = require('crypto');
const hash = crypto.createHash('sha256')
  .update('hello')
  .digest('hex');
```
"The beauty of hashing: you can prove you know something without revealing what you know."