Exploring Secure Hash Functions: A Guide for Developers and Security Enthusiasts


Introduction to Hash Functions
As a backend developer, you probably use hashes all the time—maybe without giving them much thought. They show up in password storage, file integrity checks, and cache key generation. But not all hash functions are the same, and picking the wrong one can create serious security risks.
In this post, we’ll go beyond the usual suspects like MD5 and SHA-1 and take a practical, security-focused look at hash functions. We’ll break down what hashing really is, highlight common mistakes developers make, compare popular algorithms, and even crack some hashes to get inside the mind of an attacker.
What do hash functions actually do?
At its core, a hash function is a mathematical algorithm that takes input data of any size and returns a fixed-size string, usually shown as a hexadecimal value. You can think of it as a digital fingerprint: derived from the input, and by design not reversible.
Key properties:
Deterministic: Same input always produces the same output.
Irreversible: You cannot derive the original input from the hash.
Fixed Output: Input of any length results in a fixed-sized hash.
Collision-resistant: Two different inputs should not produce the same hash (some weak hash functions fail here).
Caution: Hashing is NOT encryption. Encryption is reversible by design, given the key; hashing is not.
Typical Places Hashes Are Found:
Hashing is used in many places, often without the developer realizing it:
Password Storage
import bcrypt
password = b"mysecretpassword123"
# gensalt() produces a random salt; the returned value embeds the salt and cost factor,
# so it can be stored as-is and later checked with bcrypt.checkpw()
hashed = bcrypt.hashpw(password, bcrypt.gensalt())
Cache Keys
const crypto = require('crypto');
// Hash the serialized query so the key has a fixed length regardless of query size
// (note: JSON.stringify must produce the same key order for equal queries, or cache hits are missed)
const key = crypto.createHash('sha256').update(JSON.stringify(query)).digest('hex');
File Integrity Checks
sha256sum myfile.zip
API Authentication (HMACs)
const crypto = require('crypto');
// `secret` is the key shared only between client and server; `data` is the request payload being signed
const hmac = crypto.createHmac('sha256', secret).update(data).digest('hex');
Blockchain
Used for transaction verification, block headers, and so on.
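The request-signing pattern behind the HMAC snippet above, carried through end to end as an added example (not code from the original post): the client signs a canonical form of the request, and the server recomputes the tag, enforces a timestamp window against replay, and compares in constant time. The secret, path and timestamps are constructed placeholders.

```python
import hashlib
import hmac

# Hypothetical shared secret for illustration; a real one comes from a secret store, never source code.
SECRET = b"example-shared-secret-not-for-production"


def canonical_request(method, path, timestamp, body):
    """Byte-exact encoding of everything the signature must cover. Client and
    server must build this identically, or legitimate requests fail to verify."""
    return "\n".join([method.upper(), path, str(timestamp), body]).encode("utf-8")


def sign_request(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical request, hex-encoded for a header."""
    msg = canonical_request(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, timestamp, body, signature, now, max_skew=300):
    """Server side: reject stale timestamps (limits replay to max_skew seconds),
    then recompute the tag and compare it in constant time so a byte-by-byte
    timing difference cannot leak how much of the signature was right."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    body = '{"amount": 100, "to": "acct-42"}'  # constructed request body
    ts = 1_700_000_000                           # constructed Unix timestamp
    sig = sign_request(SECRET, "POST", "/v1/transfer", ts, body)
    print("valid request:", verify_request(SECRET, "POST", "/v1/transfer", ts, body, sig, now=ts + 3))
    tampered = body.replace("100", "9999")
    print("tampered body:", verify_request(SECRET, "POST", "/v1/transfer", ts, tampered, sig, now=ts + 3))
```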
Common Mistakes While Using Hash Functions:
Many developers misuse or misunderstand hash functions. Below are some real-world issues:
Hashing a password with MD5 is not secure: MD5 is prone to hash collisions and rainbow table attacks.
Not salting your hashes, which makes them rainbow table fodder.
Using fast hashes (like SHA-256) for passwords, which makes brute forcing them easier.
Logging hashes in plain text, which exposes them.
What is a hash collision?
→ A hash collision occurs when two different inputs to a hash function produce the same hash value (output).
→ Typically seen in weaker hash algorithms.
→ In security it is a serious risk, because if an attacker can find two different inputs with the same hash output, they can potentially compromise a system that relies on that hash function.
What are rainbow table attacks?
→ Rainbow table attacks are similar to dictionary attacks, but they use a rainbow table instead of a word list. Although similar to a dictionary attack, they need less computing power.
→ Rainbow tables are pre-computed lists used to crack hashes.
Hash Functions Comparison
| Hash | Secure? | Use Case | Speed | Notes |
| --- | --- | --- | --- | --- |
| MD5 | No | Legacy only | Fast | Broken, avoid at all costs |
| SHA-1 | No | Git internals | Fast | Collision-prone |
| SHA-256 | Yes | Checksums, HMAC | Fast | Industry standard |
| SHA-3 | Yes | Modern secure apps | Moderate | Highly secure |
| bcrypt | Yes | Passwords | Slow | Adds salt, adaptive |
| scrypt | Yes | Key derivation | Slow | Memory-hard |
| Argon2 | Yes (best) | Passwords (best pick) | Slow | PHC winner, best practice |
| Blake3 | Yes | File integrity | Fastest | Modern alternative to SHA-3 |
Think Like An Attacker: Cracking Weak Hashes
Let's demonstrate how quickly some hashes can be cracked.
Example, MD5:
echo -n "Password@123" | md5sum   # -n: no trailing newline, otherwise the hash changes
d00f5d5217896fb7fd601412cb890830 # <- this is the output
Looking this hash up on CrackStation recovers the password. Why it is so easy:
Reasons: no salt, a weak and fast algorithm, and publicly available rainbow tables.
Tools attackers use:
hashcat
John the Ripper
CrackStation
and so on
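An added example (not the author's code) that ties the cracking demo to the "no salt, fast algorithm" reasons above: it builds a lookup table from a constructed word list, recovers the unsalted MD5 of Password@123 with a single dictionary lookup, and then shows the salted, slow form that such a table cannot be applied to. PBKDF2-HMAC-SHA256 from the standard library stands in for Argon2/bcrypt so it runs without extra packages; the word list is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed word list standing in for a public rainbow/lookup table.
WORDLIST = ["123456", "password", "qwerty", "Password@123", "letmein"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, the same thing `echo -n ... | md5sum` computes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. With no salt, one table works
    against every unsalted MD5 hash that ever leaks, from any system."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Attack time is a single dictionary lookup, not a brute force."""
    return table.get(hash_hex.lower())


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened form: random per-user salt plus a slow, iterated KDF. Argon2 or
    bcrypt are the better picks when available; the stored shape
    (algorithm, cost, salt, digest) is the same idea."""
    salt = os.urandom(16)  # fresh per password, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 cracked to:", crack_unsalted(md5_hex("Password@123"), table))
    stored = hash_password("Password@123")
    print("salted record:", stored)
    print("login with right password:", verify_password("Password@123", stored))
    print("login with wrong password:", verify_password("Password@124", stored))
```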
Choosing The Right Hash For The Job
| Task | Recommended Hash |
| --- | --- |
| Password storage | Argon2 > bcrypt > scrypt |
| File integrity | SHA-256 / Blake3 |
| API request signing | HMAC with SHA-256 |
| Key derivation | scrypt, Argon2, PBKDF2 |
| Blockchain applications | SHA-256 or SHA-3 |
Golden Rule: If it's fast, it's bad for passwords.
Bonus Tools And Playgrounds
Play with hash functions using these tools:
CyberChef: web-based hash and encoding toolkit
CrackStation: online hash cracker
bcrypt-cli, argon2-cli: hash passwords in your terminal
Built-in libraries:
Node.js: crypto, bcryptjs, argon2
Python: hashlib, bcrypt, argon2-cffi
Final Thoughts
Hashing is a tool. When used well, it powers secure applications; when misused, it opens the door to attackers. If you want to build a secure application, you should understand the tools you use.
Written by Pranil Shrestha