MD5 — fast, ubiquitous, broken
MD5 (Message-Digest Algorithm 5) was designed by Ron Rivest in 1991 and specified in RFC 1321. It maps any input to a fixed 128-bit digest — 32 hexadecimal characters — and it's deterministic, one-way, and very fast. For years it was everywhere: download checksums, password databases, certificate signatures.
Then its collision resistance fell apart. Researchers demonstrated practical collisions in 2004, and by 2008 a team used MD5 collisions to forge a certificate authority signature. Today an identical-prefix collision (two different files that share an MD5 digest) takes seconds on a laptop, and the harder chosen-prefix variant that the certificate forgery needed is also practical, so MD5 can't be trusted to fingerprint anything an attacker controls.
It survives because it's quick and produces a short, convenient hash. For checksums, cache keys, and deduplication — where nobody's trying to cheat — MD5 is still a reasonable tool. For anything security-bearing, use SHA-256. Everything here runs locally in your browser.
When MD5 is (and isn't) OK
OK: Fast fingerprints where no one is trying to forge a match.
Not OK: Anything an attacker could exploit by crafting a collision.
MD5 vs SHA-1 vs SHA-256
| Algorithm | Digest size | Security status |
|---|---|---|
| MD5 | 128 bits | Broken |
| SHA-1 | 160 bits | Broken |
| SHA-256 | 256 bits | Secure |
MD5 is the fastest and shortest of the three — and the easiest to collide. Use SHA-256 for anything security-bearing.
Where it still shows up
Verifying a download
Match a file against the MD5 sum a mirror published to confirm it wasn't corrupted in transit. This catches accidental damage only: anyone who can tamper with the file on the mirror can usually replace the published sum beside it.
Building a cache key
Hash a request URL or payload into a short, fixed key for a cache or CDN entry.
Deduplicating records
Fingerprint rows or blobs so a pipeline can skip ones it has already seen.
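The three uses above share one pattern: a fast fingerprint of data nobody is attacking. The following is an added example (not code from this page) that hashes a file in chunks rather than reading it whole, parses the `digest  filename` lines that `md5sum` writes, checks a download against a published sum, and uses the same digest as a cache key and a dedup fingerprint. The sample "download" and its MD5SUMS line are constructed inside `demo()`; the `usedforsecurity=False` flag is Python's own way of declaring a non-security use and is available from Python 3.9.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash large files 1 MiB at a time instead of loading them into memory


def md5_file(path: str) -> str:
    # usedforsecurity=False flags a non-security use; FIPS-restricted builds may refuse MD5 otherwise
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text: str) -> dict:
    """Parse 'digest  filename' lines as written by md5sum (a leading '*' marks binary mode)."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # skip blank lines, comments and anything that is not a 32-hex-char digest
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def verify_download(path: str, expected_hex: str) -> bool:
    """True if the file matches the published sum. This detects corruption, not tampering:
    whoever can swap the file on a mirror can swap the sum too, and MD5 collisions mean even a
    sum obtained over a trusted channel does not bind an attacker-supplied file."""
    return hmac.compare_digest(md5_file(path), expected_hex.lower())


def cache_key(method: str, url: str, body: bytes = b"") -> str:
    """Short, fixed-length key for a cache entry; no adversary is involved, so MD5 is adequate."""
    return hashlib.md5(f"{method} {url}\n".encode() + body, usedforsecurity=False).hexdigest()


def dedupe(records):
    """Keep the first copy of each record, remembering only its 16-byte fingerprint."""
    seen, unique = set(), []
    for r in records:
        fp = hashlib.md5(r, usedforsecurity=False).hexdigest()
        if fp not in seen:
            seen.add(fp)
            unique.append(r)
    return unique


def demo():
    """Constructed sample: a fake archive plus the MD5SUMS line a mirror would publish for it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        payload = b"not really a tarball\n" * 100_000  # about 2 MiB, so hashing spans several chunks
        with open(path, "wb") as f:
            f.write(payload)
        published = f"{hashlib.md5(payload, usedforsecurity=False).hexdigest()}  tool-1.0.tar.gz\n"
        sums = parse_md5sums(published)
        intact = verify_download(path, sums["tool-1.0.tar.gz"])
        with open(path, "ab") as f:  # simulate a transfer that appended garbage
            f.write(b"\x00")
        corrupted = verify_download(path, sums["tool-1.0.tar.gz"])
    return intact, corrupted


if __name__ == "__main__":
    print(demo())  # (True, False)
```

`hmac.compare_digest` is used out of habit rather than necessity here; since the whole point is that this check is not adversarial, a plain string comparison would be equally correct.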
Frequently asked questions
Is MD5 still secure?
No. MD5 has been collision-broken since 2004, and collisions can now be generated in seconds on a laptop. It was even used to forge a rogue CA certificate in 2008. Never use it for signatures, certificates, integrity against an attacker, or password hashing; reach for SHA-256 (or bcrypt/Argon2 for passwords).
What is MD5 still good for?
Speed-sensitive, non-adversarial uses: detecting accidental file corruption, generating cache keys or ETags, deduplicating data, and sharding. In all of these you're guarding against random change, not a malicious party, so MD5's weakness doesn't matter and its speed helps.
How does MD5 work?
MD5 first pads the input (a single 1 bit, zeros, then the message length in bits as a 64-bit little-endian value) so that it splits evenly into 512-bit blocks. Each block is consumed by 64 steps arranged as four rounds of 16. Every round uses its own non-linear function (F, G, H, I) of three of the four 32-bit state words (A, B, C, D), adds a word of the message, adds a per-step constant derived from the sine function (floor(2^32 * |sin(i)|) for step i), rotates the result, and adds it back, all modulo 2^32. After the last block the four state words, written little-endian, are the 128-bit digest.
How long is an MD5 hash?
MD5 produces a 128-bit digest, shown as 32 hexadecimal characters, shorter than SHA-1 (40) and SHA-256 (64). The short length alone only sets a generic birthday bound of roughly 2^64 work; the practical collisions come from cryptanalytic weaknesses in the compression function and cost far less than that.
Can an MD5 hash be reversed?
Not by inverting it; MD5 is one-way. But because it's fast and unsalted, short or common inputs are easily reversed with rainbow tables and lookup sites, which precompute the digest of every likely input once and then answer any query with a table lookup. That's another reason it's unfit for passwords.
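To make the "reversal" concrete, here is an added example (not code from this page) that builds the kind of digest-to-plaintext table a lookup site relies on, recovers an unsalted password with zero hashing at attack time, shows that a per-user salt makes the table useless, and then shows that a fast hash still lets the attacker simply re-run the dictionary per salt. The wordlist is a constructed sample, and PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt/Argon2 the page recommends.

```python
import hashlib
import os

# Constructed demo wordlist standing in for a real cracking dictionary
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "hunter2"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext once. Lookup sites and rainbow tables amortise this work
    across every unsalted hash they are ever asked about."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(digest_hex: str, table: dict):
    """Reverse an unsalted digest in O(1): no hashing happens at attack time."""
    return table.get(digest_hex.lower())


def salted_md5(password: str, salt: bytes) -> str:
    return md5_hex(salt + password.encode())


def dictionary_attack(digest_hex: str, salt: bytes, words):
    """A salt defeats the precomputed table, but because MD5 is fast, re-hashing the whole
    wordlist for one user's salt is still cheap; only a slow hash changes that economics."""
    for w in words:
        if salted_md5(w, salt) == digest_hex:
            return w
    return None


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Stand-in for bcrypt/Argon2 using stdlib PBKDF2-HMAC-SHA256 (an assumption made for the demo):
    each guess now costs hundreds of thousands of hash calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo():
    """Returns (table hit on unsalted MD5, table result on salted MD5, dictionary result on salted MD5)."""
    table = build_lookup_table(WORDLIST)
    stored_unsalted = md5_hex(b"letmein")          # what a legacy password database stores
    hit = lookup(stored_unsalted, table)            # "letmein"
    salt = os.urandom(16)
    stored_salted = salted_md5("letmein", salt)
    miss = lookup(stored_salted, table)             # None: the table never saw this salt
    recovered = dictionary_attack(stored_salted, salt, WORDLIST)  # "letmein" again, just slower
    return hit, miss, recovered


if __name__ == "__main__":
    print(demo())  # ('letmein', None, 'letmein')
```

The digests in the table are the same values the public lookup sites index, which is why an unsalted MD5 password database is effectively plaintext for any password that appears in a common wordlist.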
Is my input sent to a server?
No. The digest is computed locally in your browser, so the input never leaves the page.