What Is a Hash Function? A Plain-English Guide with Examples
A hash function is a one-way algorithm that converts any input — a word, a file, or a password — into a fixed-length string of characters called a hash (or digest). The same input always produces the same hash, but you cannot reverse a hash back into the original input.
That single idea powers an enormous amount of modern computing: password storage, file integrity checks, digital signatures, blockchains, and the data structures behind hash tables. This guide explains what a hash function is, how it works, what makes a good one, and where you'll run into hashing as a developer.
How a Hash Function Works
A hash function takes an input of any length and returns an output of fixed length. Feed it one character or a 4 GB video file — the SHA-256 hash is always 64 hexadecimal characters (256 bits).
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hello world") = b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
hash("Hello") = 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
Notice two things:
- Determinism —
hash("hello")always returns the same value, on any machine, forever. - The avalanche effect — changing a single character (
hello→Hello) produces a completely different hash. There's no partial similarity to exploit.
Internally, the function mixes the input bytes through rounds of bitwise operations, modular addition, and compression until the output is thoroughly scrambled and uniformly distributed.
The 5 Properties of a Cryptographic Hash Function
Not every hash function is suitable for security. A cryptographic hash function must satisfy five properties:
| Property | What it means |
|---|---|
| Deterministic | The same input always yields the same output. |
| Fast to compute | Computing the hash of any input is quick. |
| Pre-image resistant | Given a hash, you can't feasibly find the original input. |
| Collision resistant | You can't find two different inputs with the same hash. |
| Avalanche effect | A tiny input change drastically changes the output. |
When any of these break — as has happened with MD5 and SHA-1, where researchers found practical collisions — the algorithm is considered "broken" for security and should be replaced.
Hashing vs Encryption vs Encoding
These three are constantly confused. The difference is reversibility:
- Hashing is one-way. You cannot recover the input. Used to verify data (passwords, checksums).
- Encryption is two-way. With the right key, ciphertext can be decrypted back to plaintext. Used to conceal data.
- Encoding (like Base64) is not security at all — it's a reversible format change anyone can undo.
If someone says they "encrypted the passwords with SHA-256," they're mistaken — SHA-256 is hashing, not encryption.
Common Hash Algorithms
| Algorithm | Output size | Status | Typical use |
|---|---|---|---|
| MD5 | 128-bit | ❌ Broken | Legacy checksums only |
| SHA-1 | 160-bit | ❌ Broken | Deprecated |
| SHA-256 | 256-bit | ✅ Secure | General-purpose, certificates, blockchains |
| SHA-512 | 512-bit | ✅ Secure | High-security hashing |
| bcrypt / Argon2 | varies | ✅ Secure | Password hashing (deliberately slow) |
A key nuance: for passwords, you actually want a slow hash like bcrypt or Argon2, not a fast one like SHA-256. Speed helps attackers brute-force billions of guesses, so password hashes are intentionally expensive to compute.
What Hash Functions Are Used For
- Password storage — sites store the hash of your password, never the password itself. At login, they hash your input and compare.
- File integrity — download pages publish a SHA-256 checksum so you can verify the file wasn't corrupted or tampered with.
- Digital signatures — you sign the hash of a document, not the whole document, because it's fixed-size.
- Data structures — hash tables (dictionaries, maps) use non-cryptographic hashes to index data in near-constant time.
- Deduplication & caching — identical files produce identical hashes, making duplicates trivial to detect.
Try It Yourself
The fastest way to understand hashing is to watch it happen. Paste any text into our SHA-256 Hash Generator and change one character — you'll see the entire output transform. Compare algorithms side by side with the MD5 and SHA-512 generators, and for keyed hashing (message authentication), see the HMAC Generator.
Frequently Asked Questions
What is a hash function in simple terms? It's a function that turns any data into a fixed-length "fingerprint." The same data always gives the same fingerprint, but you can't work backward from the fingerprint to the data.
How does a hash function work? It runs the input bytes through many rounds of mathematical mixing (bit shifts, modular addition, compression) until the output is uniformly scrambled and fixed in length.
Can a hash be reversed? No. A secure hash is one-way by design. The only way to "reverse" it is to guess inputs and hash them until one matches — which is why strong, slow hashing matters for passwords.
What makes a good cryptographic hash function? It must be deterministic, fast, pre-image resistant, collision resistant, and exhibit the avalanche effect. SHA-256 meets all five; MD5 and SHA-1 no longer do.
What's the difference between hashing and encryption? Hashing is one-way and used to verify data. Encryption is two-way (reversible with a key) and used to hide data so it can be read again later.
Related Reading
- SHA-1 vs SHA-256 vs SHA-512: Which Should You Use?
- What Is HMAC?
- bcrypt vs Argon2: Choosing a Password Hashing Algorithm
A hash function is one of the simplest ideas in cryptography and one of the most useful. Once you internalize "fixed-length, deterministic, one-way," most of modern security tooling starts to make sense.