A hash function is a one-way mathematical function that converts a string of bytes into a fixed-size representation, known as its hash value.
Modern hash functions optimized for securing passwords are deliberately designed to be slow and memory-hard (they consume a lot of memory) to make them harder to brute-force. A memory-hard function limits the effectiveness of specialized cracking hardware such as ASICs or GPUs.
Algorithm | Size (bits) | Features | Applications
---|---|---|---
MD5 | 128 | fast to compute; vulnerable to collision attacks and rainbow tables | non-security-critical applications, legacy systems
SHA-1 | 160 | stronger than MD5; collisions possible | deprecated in favor of SHA-2 and SHA-3
SHA-2 | 224, 256, 384, 512 | considered secure; no practical attack methods yet | widely used in SSL/TLS certificates and digital signatures
SHA-3 | 224, 256, 384, 512 | different cryptographic approach from SHA-2; slower than SHA-2; quantum resistant, potentially more secure than SHA-2 | emerging applications with specific security requirements
PBKDF2 (Password-Based Key Derivation Function) | 1 | uses a salt and multiple iterations; protects against brute force and rainbow tables; less memory-hard than bcrypt and Argon2 | password protection in older systems with limited memory
bcrypt | 1 | adaptive hash function with built-in salt; adjusts computational cost as hardware improves to deliberately slow down computation; less memory-hard than Argon2 | password protection in general web applications
Argon2 | 1 | modern, highly secure hash function; configurable memory, time and parallelism cost | high security requirements
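An added example (not from the page) of the salt-plus-iterations design the table describes for PBKDF2, using only Python's standard library. The record format, iteration count and salt length are assumptions chosen for the example; the unsalted MD5 helper is included only to contrast the legacy approach.

```python
import hashlib
import hmac
import os

# Assumed policy values, chosen for this example rather than taken from any standard.
ITERATIONS = 600_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per password
DK_LEN = 32            # 256-bit derived key


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 hash packed with its parameters.

    Assumed record format: algorithm$iterations$salt_hex$hash_hex. Storing the
    iteration count lets the policy change without breaking old records; the
    random salt makes identical passwords hash differently, which is what
    defeats precomputed (rainbow) tables.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:          # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iterations), dklen=DK_LEN)
    # Constant-time comparison so a mismatch does not leak where it occurred.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when the record uses a weaker work factor than current policy;
    re-hash right after a successful login, while the plaintext is available."""
    return int(record.split("$")[1]) < minimum_iterations


def unsalted_md5(password: str) -> str:
    """Legacy contrast: no salt, so equal passwords always give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec, verify_password("correct horse battery staple", rec))
```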