What MD5 produces
MD5 takes any text or byte stream and produces a fixed 128-bit value, displayed as 32 hexadecimal characters. The same input always yields the same digest, and a tiny change in the input produces a completely different output — a property known as the avalanche effect. That determinism makes MD5 convenient for checksums, deduplication, and cache keys, but its cryptographic weaknesses mean it is unsuitable for any security-sensitive purpose.
How MD5 works
MD5 processes the message in 512-bit blocks. Before processing, the input is padded so its bit-length is congruent to 448 modulo 512, then the original 64-bit length is appended. Each 512-bit block updates four 32-bit state words — conventionally called A, B, C, and D — through 64 operations grouped into four rounds of 16 steps each:
- Round 1 uses the auxiliary function
F(B,C,D) = (B AND C) OR (NOT B AND D) - Round 2 uses
G(B,C,D) = (B AND D) OR (C AND NOT D) - Round 3 uses
H(B,C,D) = B XOR C XOR D - Round 4 uses
I(B,C,D) = C XOR (B OR NOT D)
Each step also adds a per-step constant derived from sin(i) and applies a left-rotate by a specified amount. The final digest is the concatenation of A, B, C, D output in little-endian byte order. This implementation runs entirely in JavaScript, so it matches any standard MD5 library byte-for-byte.
What MD5 is still good for
MD5 remains entirely appropriate for non-adversarial uses:
- Deduplication — comparing MD5s of files to find duplicates where an attacker is not involved
- Cache keys — hashing a URL or query string to look up a cached response
- Checksums against accidental corruption — detecting a corrupted download where no adversary is trying to forge the file (though SHA-256 is still preferred here)
- Legacy integrations — systems that store or transmit MD5 hashes for historic compatibility
What MD5 must never be used for
- Passwords — use bcrypt, scrypt, or Argon2, all of which are specifically designed to be slow and salted
- Digital signatures — collisions can be crafted, allowing two different documents to share the same MD5
- Certificate fingerprints — SHA-256 or SHA-384 only
- Any context where an attacker controls the input — this is when the collision vulnerability becomes dangerous
MD5 in legacy systems and databases
Despite its broken cryptographic status, MD5 is still widely encountered in existing systems. If you are auditing a user database and find 32-character hex strings in the password column, those are almost certainly MD5 hashes — with no salt and no stretching. The remediation path is to prompt users to reset their passwords, hashing the new ones with bcrypt or Argon2, and to maintain the old MD5 hash only for the transition period.
MD5 is also common as a file deduplication key in content management systems and object stores. In this usage, an attacker forging a collision is not a concern — you are comparing files to eliminate redundant copies, not verifying provenance. The same logic applies to cache keys built from request parameters: MD5 distributes uniformly and is fast, making it practical for this purpose even in 2024.
Reference values
- Empty string:
d41d8cd98f00b204e9800998ecf8427e abc:900150983cd24fb0d6963f7d28e17f72hello world:5eb63bbbe01eeed093cb22bb8f5acdc3
Use these to confirm that any MD5 tool is computing the correct result. Everything here runs in your browser; nothing is uploaded.