Hash function security summary

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Table color key
{{legend|#f9f9f9|No attack successfully demonstrated — attack only breaks a reduced version of the hash or requires more work than the claimed security level of the hash}} {{legend|#ffff90|Attack demonstrated in theory — attack breaks all rounds and has lower complexity than security claim}} {{legend|#ff9090|Attack demonstrated in practice — complexity is low enough to be actually used}}

Length extension

 * Vulnerable: MD5, SHA1, SHA256, SHA512
 * Not vulnerable: SHA384, SHA-3, BLAKE2

Attacks on hashed passwords
Hashes described here are designed for fast computation and have roughly similar speeds. Because most users typically choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors. Special hashes called key derivation functions have been created to slow brute force searches. These include pbkdf2, bcrypt, scrypt, argon2, and balloon.