Status DataClose notification

What Is a Hash Function?

TL;DR: A hash function is an algorithm that takes an input of any size and produces a fixed-length output, called a hash, digest, or checksum, that uniquely represents that input. The same input always produces the same output, and even a tiny change to the input produces a completely different output. Hash functions underpin password storage, digital signatures, blockchain integrity, and file verification, making them one of the most widely used primitives in computing and cryptography.

How Does a Hash Function Work?

A hash function takes data like a password, a file, a transaction, or a document and runs it through a mathematical process that maps it to a fixed-length string. The key properties that define how this works:

Deterministic. The same input always produces the same hash output. Hash the word "password" with SHA-256, and you'll get the same 64-character string every time, on every machine, anywhere in the world.

Fixed output length. Regardless of whether the input is a single character or an entire database, the output is always the same length. SHA-256 always produces a 256-bit (64 hex characters) output. SHA-512 always produces 512 bits.

Avalanche effect. A tiny change to the input produces a completely different output — not a slightly different one. Changing a single character in a document doesn't shift the hash by one digit; it produces an entirely new, unrelated hash.

One-way. Hash functions are designed to be computationally infeasible to reverse. Given a hash output, you cannot reconstruct the original input by working backwards through the function. This is what makes them useful for storing passwords. The system can verify a password by hashing it and comparing the result, without ever storing the actual password.

Collision-resistant. Two different inputs should not produce the same hash output. When they do, it's called a collision, and it breaks the reliability of the function for security purposes.

What does a hash function look like?

Here's SHA-256 applied to two nearly identical inputs:

Input:  "HackenProof"
SHA-256: 3b4c2a1f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b

Input:  "hackenproof"  (lowercase 'h')
SHA-256: 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e

Two inputs that differ by only one character, capitalization, produce completely unrelated outputs. This is the avalanche effect in practice.

(Note: the hashes above are illustrative examples of format — use actual computed SHA-256 values when publishing.)

What Is a Cryptographic Hash Function?

A cryptographic hash function is a hash function specifically designed to meet the security requirements needed for cryptographic applications. All cryptographic hash functions are hash functions, but not all hash functions are cryptographic. General-purpose hash functions used in data structures (like hash tables) prioritize speed over security properties.

The additional requirements for a cryptographic hash function:

  • Pre-image resistance. Given a hash output, it must be computationally infeasible to find any input that produces it — not just the original one.
  • Second pre-image resistance. Given an input and its hash, it must be computationally infeasible to find a different input that produces the same hash.
  • Collision resistance. It must be computationally infeasible to find any two different inputs that produce the same hash output.

Common cryptographic hash functions:

  • SHA-256 — Part of the SHA-2 family, widely used in TLS/SSL, digital certificates, and Bitcoin's proof-of-work mechanism. Currently considered secure.
  • SHA-3 — A newer standard using a different internal structure (Keccak) as an alternative to SHA-2.
  • bcrypt / scrypt / Argon2 — Purpose-built for password hashing; deliberately slow to resist brute-force attacks.
  • MD5 and SHA-1 — Historically significant but now broken for cryptographic purposes due to discovered collision vulnerabilities. Should not be used in new security applications.

Hash Functions in Cybersecurity

Hash functions are foundational to several core cybersecurity mechanisms:

Password storage. Systems should never store plaintext passwords. Instead, they hash the password at registration and store only the hash. At login, the entered password is hashed and compared against the stored hash — the original password is never reconstructed. Modern password hashing uses slow algorithms like bcrypt or Argon2, adding computational cost that makes large-scale brute-force attacks impractical even if the hash database is stolen.

Digital signatures. Rather than signing an entire document (which would be computationally expensive), a signing algorithm hashes the document and signs the hash. The recipient hashes their copy and verifies the signatures match — confirming both authenticity (who signed it) and integrity (it hasn't been altered).

Blockchain integrity. Each block in a blockchain contains the hash of the previous block, creating a chain where any alteration to historical data would invalidate every subsequent hash. This is the mechanism that makes blockchain records tamper-evident — the cryptographic hash function is what makes the ledger's history verifiable.

File and message integrity verification. Software publishers provide hash values alongside downloads so users can verify that a file hasn't been corrupted or tampered with in transit. If the computed hash of a downloaded file matches the publisher's stated hash, the file is intact.

Certificate transparency and digital certificates. TLS/SSL certificates use hash functions as part of the certificate signing process, ensuring that the certificate content hasn't been altered since it was signed by a Certificate Authority.

Hash-based vulnerability detection. Security tools use file hashes as indicators of compromise (IOCs) — known malware files are cataloged by their hash values, allowing endpoint security software to identify exact matches without inspecting file content directly.

Conclusion

Hash functions are one of the most quietly consequential technologies in security, present in password databases, blockchain ledgers, digital certificates, and file verification workflows, most of which operate without users ever being aware of them. Their security properties are well understood, which also means their failure modes are well understood: broken hash functions like MD5 and SHA-1 have been retired for cryptographic use because collision attacks were demonstrated against them. Choosing the right hash function for the right purpose and staying current with which functions remain secure is a fundamental part of building cryptographically sound systems.