Quiz Entry - updated: 2026.07.14
Compare MD5, SHA-1, SHA-2, and SHA-3 — which are still considered secure, and which should never be used for passwords?
MD5 and SHA-1 are broken — never use for security. SHA-2 (SHA-256) and SHA-3 are current standards, but for passwords use bcrypt/Argon2, not raw SHA.
The lineup:
| Hash | Output size | Status | Use for passwords? |
|---|---|---|---|
| MD5 | 128 bit | Broken (collisions in 2004) | NO |
| SHA-1 | 160 bit | Broken (collisions in 2017) | NO |
| RIPEMD-160 | 160 bit | Stronger than SHA-1, but old | Avoid |
| SHA-2 | 224-512 bit | Current standard | OK for general use |
| SHA-3 | 224-512 bit | Newest, different math basis | OK |
Why MD5/SHA-1 are still used:
- File checksums where collision attacks aren't relevant
- Legacy systems too expensive to migrate
- Not all uses of a "broken" hash are exploitable — git still uses SHA-1 for commit IDs, and the attack model doesn't fit
The password-specific issue:
Even SHA-256 is too fast for password hashing — a GPU can compute billions per second. For passwords, use:
- bcrypt — deliberately slow, salted by design
- Argon2 — modern winner of password-hashing competition
- scrypt / PBKDF2 — also acceptable
These are intentionally slow (~100ms per hash) so brute force becomes impractical.
Tip: SHAttered (2017) showed the first practical SHA-1 collision — Google generated two PDF files with the same SHA-1 hash. Read: https://shattered.io/.
Go deeper:
Key derivation function / key stretching (Wikipedia) — why deliberately-slow KDFs (bcrypt, scrypt, Argon2, PBKDF2) beat raw SHA for password storage.