What Is a Hash? How Hashing Works Explained Simply (2026)
Learn what a hash function is, how hashing works, why it's used for passwords and file verification, and the difference between hashing and encryption.
When you create a password on a website, it's not stored as plain text — it's hashed. When you download a file, you can verify it hasn't been tampered with — using a hash. Hashing is one of the most elegant ideas in computer science, and it's quietly everywhere.
What Is a Hash?
A hash function takes any input — a word, a file, an entire book — and produces a fixed-length output called the hash or digest. The output is always the same length, no matter how big or small the input.
- Deterministic — the same input always produces the same hash.
- One-way — there is no mathematical method to reverse the hash back to the original input.
- Collision-resistant — different inputs should produce different hashes.
Quick example: 'hello' hashed with SHA-256 produces a 64-character string. Capitalise the H to 'Hello' and the hash changes completely. This is the avalanche effect — even a one-bit change in input produces a totally different output.
How Hashing Works (Step by Step)
Input data is fed into a hash algorithm, which performs a long sequence of bitwise operations and modular arithmetic over every bit of the input. The result is a fixed-length digest. Identical inputs produce identical outputs; differing inputs produce wildly different outputs.
Hashing vs Encryption — The Key Difference
- Encryption is two-way — data can be decrypted with the correct key.
- Hashing is one-way — there is no decryption key. The original input cannot be recovered from the hash.
- Use encryption to protect data in transit and at rest. Use hashing for password storage, file verification and digital signatures.
Common Hash Algorithms
- MD5 — 128-bit, fast, but considered broken for security due to collision vulnerabilities. Still useful for non-security file checksums.
- SHA-1 — 160-bit, deprecated for security since 2017.
- SHA-256 — current standard. Used in Bitcoin, SSL certificates and digital signatures. No confirmed collisions to date.
- bcrypt / Argon2 — designed specifically for password hashing. Deliberately slow to make brute-forcing painful, with built-in salting.
Password Hashing — How It Actually Works
When you sign up, the website hashes your password and stores only the hash, never the password itself. When you log in, it hashes what you typed and compares it to the stored hash. If they match, you're in. The site never needs to know your actual password.
'Salting' adds a random value to each password before hashing. That way, even if two users pick the same password, their stored hashes are different — and pre-computed rainbow tables become useless.
Generate an MD5, SHA-1 or SHA-256 hash for any text instantly.
Open Hash GeneratorCheck whether your password is strong enough before you trust it anywhere.
Open Password CheckerFile Verification with Hashes (Checksums)
Software download pages often list a SHA-256 checksum next to the file. You download it, hash it locally, and compare. Match means the file is unmodified and authentic. Mismatch means the file is corrupted, altered, or potentially malicious.
What Are Rainbow Table Attacks?
Attackers pre-compute hashes for millions of common passwords and store them in a giant lookup table. If a database is breached, they instantly match stolen hashes against the table. Salting defeats this — every salted hash is unique even when the underlying password is identical.
Want to understand how encryption complements hashing?
Read: What Is Encryption?Frequently Asked Questions
Can a hash be reversed?
No. Cryptographic hash functions are one-way by design. The only way to 'crack' a hash is to guess inputs and compare — which is why strong passwords and salting matter so much.
What's the difference between MD5 and SHA-256?
MD5 produces a 128-bit hash and is no longer secure due to collision vulnerabilities. SHA-256 produces a 256-bit hash and is the current standard, used in SSL certificates, digital signatures and Bitcoin.
How are passwords stored using hashing?
When you set a password, the site hashes it (typically with bcrypt or Argon2) and stores only the hash. On login, the same hash is recalculated and compared. The plaintext password is never stored.
What is a hash collision?
A collision happens when two different inputs produce the same hash output. It's mathematically possible because inputs are infinite but outputs are fixed length. MD5 and SHA-1 have known collisions; SHA-256 has none confirmed.
What is a checksum?
A checksum is a hash used to verify file integrity. Download pages publish SHA-256 checksums so you can confirm the file you downloaded matches the original.