Por que SHA-256 é mais seguro que MD5

Published: 2026-05-20 6 min read Author: CalcSI team

Hash algorithms are the quiet workhorse behind file integrity, password storage, digital signatures, and blockchains. But not all hash functions are equally secure: MD5, ubiquitous for decades, is now considered broken. This article explains why — and when SHA-256 (or the even stronger SHA-512) is the right choice.

What is a hash function?

A cryptographic hash function maps an input of any length (file, text, data stream) to a fixed-length output — for example 128 bits for MD5 or 256 bits for SHA-256. The result is called a hash or digest. The function is deterministic (the same input always yields the same hash) but practically irreversible.

Three properties are critical here: preimage resistance (from a hash, you should not be able to reconstruct the input), second-preimage resistance (given an input, you should not be able to find a second input with the same hash), and collision resistance (it should be practically impossible to find any pair of inputs with the same hash). Once one of these properties fails, the algorithm is considered compromised for security applications.

A short history: MD5, SHA-1, SHA-2

MD5 was designed by Ron Rivest in 1991, with a 128-bit output. At the time it was an improvement over MD4 and remained the standard for file checksums and password hashes for years. SHA-1, standardized by the NSA in 1995, delivered 160 bits and seemed safe for a long time. Both belong to the same family of Merkle-Damgård constructions with Boolean operations per round.

The SHA-2 family was published by NIST in 2001: SHA-224, SHA-256, SHA-384, and SHA-512. They are structurally related to SHA-1 but use significantly more rounds, larger internal states, and longer outputs. SHA-3 (Keccak, 2015) is based on a completely different sponge construction and is intended as a reserve in case SHA-2 ever becomes structurally vulnerable.

How MD5 and SHA-1 fell

Already in 2004, Wang, Feng, Lai, and Yu demonstrated the first practical collision for MD5. Two different inputs produced the same hash — in minutes on standard hardware. In 2008, a research team led by Sotirov and Stevens showed that this could be used to issue forged SSL certificates. Since then, MD5 has been off-limits for any security application.

SHA-1 followed in 2017 with the famous SHAttered attack by Google and CWI Amsterdam: two PDF files with identical SHA-1 hashes but different content. The attack cost roughly 110 GPU-years — expensive, but affordable for nation-states and large organizations. Browsers, git hosts, and CAs have been actively phasing out SHA-1 since. SHA-256 has so far seen no comparable attack; classical brute-force collisions would be in the 2^128-operation range — astronomical.

What SHA-256 does better

SHA-256 produces a 256-bit output. This puts its theoretical collision resistance, by the birthday paradox, at 2^128 — a number far beyond any conceivable compute power today. In addition, SHA-2 has twice as many rounds as SHA-1 (64 vs. 80, but with more complex mixing) and a larger internal state. Even a drastic reduction in security from future cryptanalysis would still leave plenty of margin.

In practice, SHA-256 is very fast on modern CPUs — Intel and AMD have offered dedicated instruction-set extensions (SHA-NI) for years. ARM has equivalent crypto extensions. For high throughput (e.g. file hashing in backup tools), SHA-256 often isn't the bottleneck anymore. If you need more margin or want to take full advantage of native 64-bit architectures, go for SHA-512.

Which algorithm when?

A pragmatic rule of thumb:

  • MD5: only for non-security-critical checksums (e.g. fast deduplication, cache keys, verification against accidental bit errors). Never for signatures, certificates, or password hashes.
  • SHA-1: avoid. Tolerated in legacy systems (e.g. Git commit IDs), but in any new application replace it with SHA-256.
  • SHA-256: today's de-facto standard. For TLS certificates, JWT signatures (HS256/RS256), digital signatures, file integrity, blockchain (Bitcoin), and anywhere collision resistance matters.
  • SHA-512: same security philosophy, double the hash length. Recommended when 256 bits of margin isn't enough, or when 64-bit CPUs compute it faster than SHA-256.

Frequently asked questions

Is SHA-256 quantum-safe?

Symmetric primitives like hash functions are much more robust against quantum computers than asymmetric schemes (RSA, ECDSA). Grover's algorithm effectively halves the bit security — SHA-256 would still have about 128 bits of security against an ideal quantum computer, which is practically sufficient. For more margin, use SHA-512 or SHA-3.

Do I need SHA-256 for passwords, or something else?

Neither MD5 nor SHA-256 alone is suitable for password storage. They're too fast — attackers can try billions of hashes per second. For passwords, use intentionally slow algorithms like bcrypt, scrypt, or Argon2, which apply a salt and a configurable work factor.

Is SHA-3 better than SHA-256?

Not necessarily. SHA-3 is structurally different and therefore a useful diversification — if SHA-2 is ever theoretically attacked, SHA-3 remains as a backup. In practice, however, SHA-256 is currently more broadly supported, faster in many hardware implementations, and the right choice for most applications.

Disclaimer: This article provides general background information and does not constitute specific security advice. For production systems with strict security requirements, you should follow current guidance from NIST, your national security agency, or qualified cryptography consultants.

Related tools