Lesson 4

Common Hash Mistakes

Avoid typical hash misuse in applications and debugging.

Hash-related bugs often come from comparing the right idea with the wrong bytes or algorithm.

Storing passwords with plain MD5 or SHA-256

Fast hashes without salt and key stretching are vulnerable to rainbow tables and offline guessing. Password storage needs dedicated password hashing functions and unique salts per user.
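As an added example (not part of the original lesson), the following Python puts the mistake beside the fix: a bare SHA-256 of the password, which yields the same digest for every user with the same password, versus PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt and a high iteration count. The record format (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are assumptions chosen for this example; a dedicated password hash such as Argon2 or scrypt is preferable where a library for it is available.

```python
import hashlib
import hmac
import os
from typing import Optional

# Wrong: fast, unsalted. Equal passwords produce equal digests, so one
# precomputed table or one GPU guessing run covers every user at once.
def insecure_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed parameters for this example: a 16-byte random salt and a
# large iteration count to make each guess expensive for an offline attacker.
ITERATIONS = 600_000
SALT_LEN = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # unique per user; stored alongside, not secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Two users with the same password: identical insecure digests,
    # but distinct salted records that each still verify.
    print(insecure_hash("hunter2") == insecure_hash("hunter2"))   # True
    rec_a, rec_b = hash_password("hunter2"), hash_password("hunter2")
    print(rec_a == rec_b)                                         # False
    print(verify_password("hunter2", rec_a), verify_password("x", rec_a))  # True False
```

The salt does not need to be secret; its job is to make every user's digest unique so that a table built for one user is useless for another. The iteration count is stored in the record so it can be raised later without invalidating existing hashes.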

Hashing the wrong representation

These are not the same operation:

  • UTF-8 text Hello
  • The ASCII bytes after trimming whitespace
  • A JSON string with different key order
  • A file that includes a trailing newline

Always hash the exact byte sequence your system uses.

Treating a hash as a secret

If an attacker knows the input space is small—common passwords, sequential IDs, short config keys—they can brute-force the hash offline. Hashes protect integrity comparisons, not confidentiality of predictable inputs.

Comparing algorithms incorrectly

An MD5 digest will never match a SHA-256 digest of the same input because the algorithms differ. Likewise, uppercase and lowercase hex are usually equivalent, but Base64 and hex representations are not interchangeable without conversion.
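As an added example (not code from the original lesson), this Python covers both of the preceding points: it shows how several byte sequences a developer might loosely call "the hash of Hello" produce different SHA-256 digests, how canonical JSON serialization fixes the key-order problem, and how to compare a hex digest with a Base64 digest by converting both to raw bytes first. The helper names and the sample inputs are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def representations(value: str) -> dict:
    """Digests of the distinct byte sequences hiding behind one 'string'."""
    return {
        "utf8": sha256_hex(value.encode("utf-8")),
        "stripped": sha256_hex(value.strip().encode("utf-8")),
        "trailing_newline": sha256_hex((value + "\n").encode("utf-8")),
        "utf16le": sha256_hex(value.encode("utf-16-le")),
    }

def canonical_json(obj) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, UTF-8 bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def json_digest_pair(obj_a, obj_b):
    """Return (naive_equal, canonical_equal) for two objects with the same content."""
    naive = (sha256_hex(json.dumps(obj_a).encode("utf-8")),
             sha256_hex(json.dumps(obj_b).encode("utf-8")))
    canon = (sha256_hex(canonical_json(obj_a)), sha256_hex(canonical_json(obj_b)))
    return naive[0] == naive[1], canon[0] == canon[1]

def digest_to_bytes(text: str) -> bytes:
    """Accept hex (either case) or standard Base64 and return the raw digest."""
    s = text.strip()
    try:
        return bytes.fromhex(s)          # hex is tried first; any case accepted
    except ValueError:
        return base64.b64decode(s, validate=True)

def to_base64(hex_digest: str) -> str:
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")

def digests_equal(a: str, b: str) -> bool:
    """Compare two digests regardless of encoding, in constant time."""
    ra, rb = digest_to_bytes(a), digest_to_bytes(b)
    return len(ra) == len(rb) and hmac.compare_digest(ra, rb)

if __name__ == "__main__":
    for name, digest in representations("Hello").items():
        print(f"{name:17} {digest}")
    print(json_digest_pair({"a": 1, "b": 2}, {"b": 2, "a": 1}))   # (False, True)
    h = sha256_hex(b"Hello")
    print(digests_equal(h.upper(), to_base64(h)))                 # True
```

Note that a digest with a different algorithm (an MD5 versus a SHA-256 of the same input) still fails `digests_equal`, since the lengths differ; the conversion only removes the encoding mismatch, never the algorithm mismatch.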

Using weak hashes for security decisions

MD5 checksums are fine for spotting accidental file corruption. They are a poor choice for code signing, certificate validation, or tamper evidence against an active attacker.

When you want to practice, use the related DevCove tool — optional, not part of this lesson.
