Hashing Algorithms Deep Dive
Also Known As
xxHash
MurmurHash
BLAKE3
CRC32
hash function comparison
TL;DR
Comparing hash functions for different use cases — MD5/SHA-1 (broken, legacy), SHA-256/BLAKE3 (data integrity), bcrypt/Argon2 (passwords), xxHash/MurmurHash (non-cryptographic, fast).
Explanation
Hash functions serve different purposes, and the right choice depends on the job:
- Cryptographic hashes (SHA-256, SHA-3, BLAKE3) — collision- and pre-image-resistant; for data integrity and HMACs.
- Password hashing (bcrypt, Argon2id, scrypt) — deliberately slow, memory-hard, salted.
- Non-cryptographic hashes (xxHash, MurmurHash, CRC32) — extremely fast, not collision-resistant; for hash tables and checksums where security is not required.
MD5 and SHA-1 are broken (practical collision attacks have been demonstrated) — never use them for security.
In PHP: hash() for cryptographic hashes, password_hash() for passwords, crc32() for non-security checksums.
Common Misconception
✗ A faster hash is always better — for passwords, slower is better (bcrypt cost factor); for HMACs, speed with security is the goal (SHA-256); for hash tables, pure speed wins (xxHash).
Why It Matters
Using SHA-256 for passwords (fast algorithm) is wrong; using bcrypt for a hash table (slow) is wrong — matching the hash function to the use case is the critical decision.
Common Mistakes
- SHA-256 or MD5 for passwords — fast algorithms, GPU-crackable at billions per second.
- bcrypt for non-security checksums — 400ms per hash where 1 microsecond is sufficient.
- MD5 for file integrity — collision attacks allow two different files with the same MD5.
- CRC32 for security applications — CRC32 is not cryptographic and easily forged.
Code Examples
✗ Vulnerable
// Wrong hash for the job:
$passwordHash = hash('sha256', $password); // GPU-crackable in seconds
$checksum = password_hash($data, PASSWORD_BCRYPT); // 400ms for a file checksum!
$fileInteg = md5_file($upload); // Collision-vulnerable integrity check
✓ Fixed
// Right hash for each use case:
// Passwords — slow, memory-hard:
$passwordHash = password_hash($password, PASSWORD_ARGON2ID);
// File integrity — cryptographic, collision-resistant:
$checksum = hash_file('sha256', $uploadPath);
// HMAC — authenticated integrity:
$mac = hash_hmac('sha256', $message, $secretKey);
// Cache key (non-security) — fast:
$cacheKey = 'page:' . crc32($url . $queryString); // Fast, not security
// Constant-time comparison for all security-sensitive comparisons (known value first, untrusted value second):
if (!hash_equals($expected, $computed)) throw new SecurityException(); // SecurityException: application-defined exception class
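The fixed snippet above carried through to verification, as an added example that is not part of the original page: password checks that migrate a legacy bcrypt hash to Argon2id on the next login, an HMAC-SHA256 download token verified with hash_equals(), and a SHA-256 file-integrity check. The function names, the Argon2id cost values and the token layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not from the original page. Function names, the Argon2id tuning and
// the token layout are assumptions for illustration.

// Passwords: verify, then upgrade any hash that is not Argon2id at the chosen cost
// (e.g. a legacy bcrypt hash) so the store migrates on the next successful login.
// PASSWORD_ARGON2ID needs PHP 7.3+ built with Argon2 support.
function verifyPasswordAndUpgrade(string $password, string $storedHash): array
{
    $opts = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]; // assumed tuning
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2ID, $opts)) {
        $storedHash = password_hash($password, PASSWORD_ARGON2ID, $opts); // persist this
    }
    return ['ok' => true, 'hash' => $storedHash];
}

// Message authentication: HMAC-SHA256 over exactly the bytes that are later verified.
function issueDownloadToken(string $path, int $expires, string $key): string
{
    $payload = rawurlencode($path) . '|' . $expires; // encoding keeps '|' out of the path
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function verifyDownloadToken(string $token, string $key, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$encodedPath, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $encodedPath . '|' . $expires, $key);
    // hash_equals(known, untrusted): timing does not depend on where the strings differ.
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;
    }
    return rawurldecode($encodedPath);
}

// File integrity: SHA-256 recorded at upload time, re-checked before the file is served.
function fileMatchesDigest(string $path, string $expectedHex): bool
{
    $actual = hash_file('sha256', $path);
    return $actual !== false && hash_equals($expectedHex, $actual);
}
```

The hash returned by verifyPasswordAndUpgrade() must be written back to the user record whenever it differs from the stored one, otherwise the migration never completes.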
Added
16 Mar 2026
Edited
5 Apr 2026
Related categories: ⚡ DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
MD5 and SHA-1 are cryptographically broken — use SHA-256 for checksums, SHA-3 or BLAKE3 for new systems, Argon2id for passwords, and HMAC-SHA256 for message authentication
📦 Applies To
PHP 7.2+
any
web
cli
queue-worker
🔗 Prerequisites
🔍 Detection Hints
md5() or sha1() used for security purposes (integrity checks, token generation, signatures); password hashing without a salt
Auto-detectable:
✓ Yes
semgrep
psalm
phpstan
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: Line
CWE-327
CWE-328