- For integrity, use SHA-256, SHA-512, or SHA-3; avoid MD5 and SHA-1.
- For encryption: AES-256 on GCM/XTS; Serpent, Twofish, and Camellia are solid alternatives.
- Passwords: Argon2id (≥19 MiB, 2 iter.) or well-parameterized scrypt/bcrypt.
- 3DES, RIPEMD-160 and SHA-1 are deprecated: migrate to AES and SHA-2/3.
When we talk about protecting data, not everything is the same: code y to make hash They are different things with different objectives. In this guide, I'll tell you, clearly and concisely, what they are. more secure encryption and hashing algorithms, how to choose them according to the use case and what options should be avoided nowadays.
In addition to covering the classics such as AES, SHA-2 and SHA-3You'll see why. MD5, SHA-1 or 3DES They're no longer a good idea, what do you recommend? OWASP to save passwords and how to check the integrity of files correctly. And, since you asked, I'll also explain which one to use "if speed isn't important," including ciphers like Camellia, Twofish, Serpent or Kuznyechik, and hashes like SHA-256, SHA-512, Whirlpool or Streebog.
What is a hash function and what makes it secure?
A hash function transforms an input of arbitrary size into a fixed length summaryFor cryptographic use, a good hash should be deterministic, resistant to preimage, second preimage and collisions, in addition to exhibiting the famous avalanche effectA minimal change in the input produces a completely different result.
In an ideal function, summaries are distributed in a uniform and unpredictable throughout the output space, so that two similar inputs generate seemingly unrelated hashes. Although the ideal does not exist, with output sizes such as 256 bits The possible space is gigantic, which makes random collisions computationally unfeasible in current practice.
Important: a hash is unidirectionalIt cannot be "decrypted". The only theoretical way to recover the entry is through an attack by brute force or by dictionary, and that's where the reason why passwords must be treated with specific functions and parameters that make them slow to calculate for an attacker.
Hash vs encryption: they are not the same
The encryption is bidirectionalIt converts plaintext into ciphertext and, with the correct key, reverses the process. The hash is irreversible and always returns an output of fixed lengthEncryption protects the confidentialityThe hash contributes integrity and serves as a data "footprint".
Typical cases: to transmit sensitive data, it is used encryption (for example, HTTPS); to check if a file has been modified, a hashTo store passwords, neither encryption nor SHA-256 is used: other methods are employed. Password KDFs such as Argon2id, scrypt or bcrypt with cost parameters.
State of the most common hash functions
- MD5 It generates 128 bits and is now unusable for cryptographic purposes: practical collisions occur. Currently, it can only be used in non-critical applications such as detection of accidental corruptionHowever, it is advisable to migrate to modern alternatives because their weakness facilitates attacks by intentional collision.
- SHA-1 It produces 160 bits and is also compromised. Research has reduced the cost of a collision to approximately 263 operations, and in 2017 the practical collision was demonstrated SHAtteredIts use is discouraged in signatures, certificates, and any real-world security scenario.
- SHA-2 This is the family recommended by NIST for general use: SHA-256, SHA-512, in addition to truncated variants such as SHA-224, SHA-384, SHA-512/224 o SHA-512/256They maintain high collision resistance and benefit from optimizations of hardware, although SHA-256 It is usually 20–30% more slow than MD5 or SHA-1.
- SHA-3 (formerly Keccak) is not an "improved SHA-2"; it uses a sponge construction and is inherently resistant to length extension attacksIt offers SHA3-224/256/384/512 variants and SHAKE128/256 variable output extensions. Its adoption is growing, although SHA-2 remains dominant due to performance and support.
- Other hashes: RIPE MD-160 It provides less safety against collisions than modern SHA-2 and is considered obsolete for new designs; Whirlpool y Streebog (GOST R 34.11-2012) exist, but outside of specific environments their ecosystem and accelerations are limited compared to SHA-2/3.
Checking file integrity (practical examples)
Publishing and verifying a hash allows detection alterations or corruption in the download, and to create a direct download link It's also advisable to publish the official SHA-256 value. Although you'll see examples using MD5, the recommended practice today is to use the official SHA-256 value. SHA-256 or higher. In systems like Unix You can do something like this: sha256sum archivo.iso and compare with the official value.
If you need to automate a process, you can chain together commandsFor example, generating a package and its hash in one line: tar cf - carpeta | tee paquete.tar | sha256sum -The receiver would verify with sha256sum -c using the published value.
En Windows, PowerShell simplifies the calculation with: Get-FileHash .\fichero.zip -Algorithm SHA256There are also commands for Inspect file attributes and encryption in Windows. Avoid using MD5 or SHA-1 as a "seal of integrity" in security contexts, because an attacker could force collisions and deceive the process.
When to use hash and when to encrypt
Usa hash When you're looking for integrity, deduplication, or fast indexing: file verification, digital signatures (the message hash is what is signed), hash tables in data structures, or the generation of unique identifiers. They are also used in black lists and signatures of malware.
Usa encryption For confidentiality: data in transit (HTTPS, VPN), data at rest (disks, databases), backups and mobile devicesThe encryption prevents third parties from reading the content without the decryption key.
Password storage: KDFs and OWASP recommendations
For passwords, never use fast hashes general-purpose (MD5, SHA-1, SHA-256 "raw"). It uses password KDFs with configurable cost y shawl random: Argon2id, scrypt o bcryptIts goal is to make brute-force and GPU/ASIC attacks more expensive.
OWASP prioritizes Argon2id with, at a minimum, 19 MiB of memory, 2 iterations y parallelism 1If it's not available, suggest scrypt with N = 217, r = 8 yp = 1As a third option, bcrypt with a cost factor around 10–12 (or the one that gives you ~0,5 s on your hardware).
PBKDF2 It remains for compliance requirements: it's valid if you adjust sufficiently high iterations (millions), but against modern GPUs/ASICs it performs worse than scrypt or Argon2id due to its low memory cost.
Hash algorithm performance
General-purpose hashes are designed to be Quick and efficient, ideal for protocols and verifications, but the exact opposite of what we're looking for PasswordsThe actual speed depends on the input, the algorithm, the instructions of the processor and parallelism.
In high-volume or real-time scenarios, a hash that is too slow can become bottleneckThat's why we distinguish between fast functions (SHA-256/512) and slow KDFs (Argon2id, scrypt, bcrypt) that introduce a cost of CPU and memory deliberate.
Essential properties of a good hash
In addition to determinism and avalanche effect, the hash must be resistant to preimage, second preimage and collisionsAnd a minimum size of 256 bits to withstand current brute force and future margins.
Although it is sometimes simplified by saying that "two different inputs cannot have the same hash", the reality is that with finite outputs collisions thereThe important thing is that they are impractical to find. That's why MD5 and SHA-1 are considered broken and SHA-2/3 remain the safe bet.
Symmetric encryption and modes: what to use today
In symmetric encryption, the reference is BEA with keys of 128/192/256 bits. The critical thing is not just the algorithm, but the way of operation: avoid ECB, use authenticated modes such as GCM or, in storage, XTS (for example, for disks). If you work in Windows environments, also check the hardware support and the BitLocker encryption security.
Other ciphers: Camellia (ISO standard, good profile), Twofish y Serpent (AES finalists, still robust), ChaCha20-Poly1305 (extremely fast software and very secure). 3DES y DES have been left behind: 3DES is also limited and discouraged by multiple standards.
Asymmetric encryption, signatures, and key sizes
To establish keys and sign, the following are used: RSA y ECCWith RSA, use OAEP for encryption and PSS For signature; never "book" RSA. Sizes: at least RSA 3072 bits or ECC 256 bits for an approximate security level of 128 symmetric bits.
You will also see Diffie-Hellman (including its elliptic curve variant) for key exchange and DSA/ECDSA for signatures. In modern protocols, the combination TLS It uses asymmetric exchange and authenticated symmetric encryption to balance security and performance.
What to choose if speed is not important?
If you prioritize security/robustness Regarding speed, the sensible choice is to go for established and well-audited algorithms, avoiding unnecessary "cocktails." In symmetric encryption, opt for AES-256 to GCM (traffic) or XTS (disk). Camellia-256, Serpent y Twofish They are solid alternatives.
The waterfalls (AES-Twofish, Serpent-Twofish-AES, etc.) rarely add real value and complicate auditing and compliance. If your threat model requires it, it's better to strengthen keys, IV management, rotation, and authentication of data that chain ciphers on a whim.
About Kuznyechik (GOST): technically sound, but with less international scrutiny. Use it for compliance and confidentiality If required by Russian regulations; otherwise, use a stick with AES/Camellia/Serpent. In flows without AES-NI, ChaCha20-Poly1305 It's magnificent, although speed isn't your priority here.
For general hashes (not passwords): prefer SHA-512/256 o SHA-256 by ecosystem and support; SHA3-256 It's excellent if you want immunity to length extension by design. Whirlpool y Streebog They are valid, but with less adoption and acceleration.
For passwords: Argon2id with ample memory (≥ 19 MiB), 2+ iterations, and tight parallelism. If you can't, scrypt well parameterized or bcrypt at a high cost. This is much more effective than "uploading bits" to a generic SHA.
CA5350 Rule (.NET): Avoid unsafe algorithms
The .NET code analysis warns (CA5350) if it detects 3DES, SHA-1 or RIPEMD-160because they offer inferior warranties compared to modern options. Quick replacements: TripleDES → AES; SHA-1/RIPEMD-160 → SHA-256/384/512.
Canonical examples of correction: of var h = SHA1.Create(); a var h = SHA256.Create();; From RIPEMD160Managed.Create() a SHA256.Create(); and of TripleDES.Create() a new AesManaged()It also adjusts key sizes and secure modes (GCM/XTS) as needed.
Quick comparison: encryption vs. hashing
| Appearance | Encryption | Hash |
|---|---|---|
| Directionality | Bidirectional (reversible with key) | Unidirectional (irreversible) |
| Goal | Confidentiality | Integrity/Identification |
| Departure from | Variable length | Fixed length |
| Examples | AES, ChaCha20, RSA, ECC | SHA-256, SHA-512, SHA-3 |
Attacks and best practices to keep in mind
Even with robust algorithms, the implementations They matter. Avoid ECB, validate rellenos correctly (CBC is sensitive to padding oracles), uses AEAD (GCM/ChaCha20-Poly1305), generates unpredictable and different IVs/nonces per message, and always checks the authenticity before deciphering.
For digital signatures, don't sign the entire message; sign the hashWith RSA, use OAEP for encryption and PSS to sign; with ECDSA, it lovingly takes care of the randomness of the nonces. And keep libraries and configurations up to date against new vulnerabilities.
SHA-2 and SHA-3 in a little more detail
SHA-256 It operates with 32-bit words, 64 rounds, and 512-bit blocks; SHA-512 with 64-bit words, 80 rounds and a 1024-bit block, hence its truncated variants such as SHA-512/256 that provide better resistance to length extension when the output is reduced.
SHA-3 It uses a 1600-bit internal state and 24 permutation rounds; it absorbs data with XOR and outputs as many outputs as needed (SHAKE). It is very flexible and, although in generic software it may be more slow SHA-2, with its distinct design, provides cryptographic diversity.
Notes on generating randomness
For cryptography, use fonts of safe randomness of the system (for example, /dev/urandom, language CSPRNG). Avoid generators like rand() or MT19937 for keys, IVs or salts: they are not prediction resistant and can compromise your entire scheme.
To close the circle, let's focus on one practical idea: choose audited standards (AES-GCM/XTS, SHA-2/3), avoids algorithms with collision history or short keys (MD5, SHA-1, DES/3DES), and for passwords applies modern KDFs such as Argon2id o scrypt with well-calibrated parameters; if speed isn't a priority, increase the cost and memory without fear, because that's your best shield against offline attacks.
Passionate writer about the world of bytes and technology in general. I love sharing my knowledge through writing, and that's what I'll do on this blog, show you all the most interesting things about gadgets, software, hardware, tech trends, and more. My goal is to help you navigate the digital world in a simple and entertaining way.