Hashing · 2026-06-20

What Is MD5 — and Is It Still Secure in 2026?

MD5 is a fast 128-bit hash algorithm, but it's cryptographically broken. Learn what MD5 is, how it works, why it's insecure, and what to use instead.

Tags: md5, hashing, security, cryptography, devops

MD5 (Message-Digest Algorithm 5) is a hash function that turns any input into a fixed 128-bit value, written as 32 hexadecimal characters. It's fast and still widely seen, but it is cryptographically broken: practical collision attacks make it unsafe for passwords, digital signatures, or any security purpose. Today it's acceptable only for non-security checksums.

Here's what MD5 is, why it failed, and what to use in its place.

What MD5 Is

Designed by Ron Rivest in 1991, MD5 became the default hash for decades — verifying downloads, storing passwords, and signing data. It produces a compact, consistent output:

MD5("")         = d41d8cd98f00b204e9800998ecf8427e
MD5("password") = 5f4dcc3b5aa765d61d8327deb882cf99

Like any hash function, it's deterministic (same input → same output) and one-way in intent. You can try it in our MD5 Hash Generator.

How MD5 Works (Briefly)

MD5 pads the input, splits it into 512-bit blocks, and runs each block through 64 operations across four rounds, continuously mixing a 128-bit internal state with bitwise functions and modular addition. The final state is the digest. It's computationally cheap — which, as we'll see, is now part of the problem.

Why MD5 Is No Longer Secure

A secure hash must be collision resistant — it should be infeasible to find two inputs with the same hash. MD5 fails this badly:

  • 2004: researchers demonstrated practical MD5 collisions.
  • 2008: a team forged a rogue CA certificate using an MD5 collision.
  • Today: collisions can be generated in seconds on a laptop.

Because two different files can share an MD5 hash, an attacker can swap a legitimate file for a malicious one without changing its checksum. That destroys MD5's value for signatures, certificates, and integrity guarantees against an adversary.

On top of collisions, MD5 is far too fast for password hashing — a GPU can compute billions of MD5 hashes per second, making brute-force and rainbow-table attacks trivial.

MD5 Is Hashing, Not Encryption

A common mistake: "the password was MD5-encrypted." MD5 is hashing, which is one-way — there's nothing to decrypt. So-called "MD5 decrypt" sites are just databases of precomputed hashes for common inputs; they're not reversing the algorithm. For the distinction, see Hashing vs Encryption.

What's Still OK — and What to Use Instead

Acceptable MD5 uses: detecting accidental file corruption, cache keys, and non-security deduplication — anywhere there's no attacker.

Replace MD5 with:

Use case                            Use instead
File integrity (security)           SHA-256 (generator)
Digital signatures / certificates   SHA-256 / SHA-512 (generator)
Password storage                    bcrypt or Argon2 (bcrypt)

Never use a fast general-purpose hash (MD5, SHA-256) directly for passwords — use a deliberately slow algorithm. See bcrypt vs Argon2.

Frequently Asked Questions

What is MD5?
A hash function that converts any input into a 128-bit (32-character hex) value. It's fast and common but cryptographically broken.

Is MD5 still secure?
No. Collision attacks are practical, so MD5 is unsafe for passwords, signatures, or anti-tampering. Use it only for non-security checksums.

Why is MD5 considered broken?
Researchers can generate two different inputs with the same MD5 hash in seconds, defeating its collision resistance — and it's too fast to safely hash passwords.

Is MD5 encryption or hashing?
Hashing. It's one-way; there's no key and nothing to decrypt. "MD5 decrypt" tools are just lookup databases.

What should I use instead of MD5?
SHA-256 for integrity and signatures; bcrypt or Argon2 for passwords.

MD5 walked so SHA-256 could run. It's a fine teaching example and a passable corruption check — but in any context where an attacker exists, treat MD5 as deprecated.