
Is MD5 Broken? Why MD5 and SHA-1 Are No Longer Safe


Comparison of broken MD5 and SHA-1 hashes against modern SHA-256, SHA-512 and BLAKE3

Introduction: Is MD5 Broken?

The short answer is yes, and so is SHA-1. Both MD5 and SHA-1 are cryptographically broken, and have been for years. They still turn up everywhere: on download pages, in old documentation, in scripts that someone wrote a decade ago and never revisited. That familiarity is exactly the problem, because a hash that looks like it is doing its job can quietly fail to protect you. If you rely on an MD5 or SHA-1 value to prove that a file is genuine and unaltered, an attacker who had a hand in producing that file can defeat the proof. This article explains precisely what "broken" means, how these algorithms fell, where they may still legitimately appear, and what you should use instead. If you want the underlying concept first, see our explainer on what a hash is and how digital fingerprints work.

What "Broken" Actually Means: Collision Attacks

A cryptographic hash takes any input and produces a fixed-length digest. Three properties make it useful. Preimage resistance: given a digest, you cannot find an input that produces it. Second-preimage resistance: given one input, you cannot find a different input with the same digest. Collision resistance: you cannot find any two distinct inputs that share a digest, even when you are free to choose both. Collision resistance is the property that has fallen for MD5 and SHA-1; their preimage and second-preimage resistance remain unbroken in practice. A collision attack is when someone deliberately constructs two distinct files that hash to the identical value. Once collisions are practical, a matching hash no longer guarantees a matching file: an attacker who authors both versions can hand you the benign one, have its digest recorded or signed, and later substitute the malicious twin while the digest stays the same. Note the precondition: the attacker must have created both files. Taking an existing file that someone else made and producing a different file with the same MD5 is a second-preimage attack, and that is still out of reach. "Broken," in this context, does not mean the algorithm stopped computing; it means its central security promise, that one digest pins down one document, can be violated on demand.
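To make "collision" and "computationally infeasible" concrete, here is an added example (not code from the article) that runs a generic birthday search against a toy hash. A real MD5 or SHA-1 collision relies on published cryptanalysis and colliding blocks this article does not reproduce, so the example instead truncates SHA-256 to 24 bits, a stand-in assumed purely for illustration, and finds two distinct inputs with the same truncated digest. The point it shows is the generic cost curve: an ideal n-bit hash needs roughly 2^(n/2) trials, so 24 bits fall in a few thousand hashes, while the same bound for 128-bit MD5 would be 2^64. The MD5 break is a structural shortcut far below that bound, which is why the article can say collisions take seconds on a laptop.

```python
"""Generic (birthday) collision search against a truncated digest.

Added example, not from the article. SHA-256 truncated to `bits` bits is an
assumed toy hash standing in for a real algorithm; the inputs are constructed
counters so the run is deterministic and works offline.
"""
import hashlib


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 of `data`, keeping only the top `bits` bits (toy hash)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def generic_collision_work(bits: int) -> int:
    """Expected trials for a birthday search on an ideal n-bit hash: about 2^(n/2)."""
    return 2 ** (bits // 2)


def find_collision(bits: int, label: bytes = b"msg-"):
    """Birthday search: hash candidate inputs until two distinct ones share a digest.

    Returns (input_a, input_b, trials). Every candidate is unique, so a repeated
    digest is a genuine collision of the toy hash.
    """
    seen: dict[int, bytes] = {}
    trials = 0
    counter = 0
    while True:
        candidate = label + str(counter).encode()
        counter += 1
        trials += 1
        d = truncated_digest(candidate, bits)
        if d in seen:
            return seen[d], candidate, trials
        seen[d] = candidate


if __name__ == "__main__":
    bits = 24
    a, b, trials = find_collision(bits)
    print(f"{bits}-bit toy hash: collision after {trials} trials "
          f"(generic expectation about {generic_collision_work(bits)})")
    print(f"  {a!r} and {b!r} both hash to {truncated_digest(a, bits):#08x}")
    print(f"Generic bound for 128-bit MD5: 2^64 = {generic_collision_work(128)} trials")
    print("The published MD5 cryptanalysis cuts this to seconds on a laptop.")
```

Run it a second time with a larger `bits` value and the trial count grows roughly as 2^(bits/2); the one thing the toy cannot show is the cryptanalytic shortcut, which is exactly what separates a "broken" hash from one that is merely short.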

A Short History of the Breaks

MD5's weaknesses were flagged by cryptanalysts in the mid-1990s, but the decisive blow came in 2004, when Wang and colleagues published a practical method for generating MD5 collisions. Within a few years attackers showed real-world consequences: a rogue certificate-authority certificate built on colliding inputs was demonstrated in 2008, and in 2012 the Flame malware used an MD5 chosen-prefix collision to forge a Microsoft code-signing certificate. Today an identical-prefix MD5 collision can be produced in seconds on a laptop. SHA-1 held out longer, but its margin eroded steadily: in 2017 the SHAttered team published two distinct PDF files with the same SHA-1 digest, proving the attack had moved from theory to reality. Follow-up research in 2020 drove the cost down further and delivered chosen-prefix collisions, the most dangerous variety, where attackers control meaningful content in both files rather than merely appending colliding blocks to a shared prefix. Standards bodies responded by formally deprecating both algorithms for security use; NIST, for example, disallowed SHA-1 for digital signatures and has scheduled its complete retirement.

Where MD5 and SHA-1 Still Legitimately Appear

Being broken for security does not make these algorithms useless for every purpose. They remain fast and widely implemented, so they survive in roles where no adversary is involved. A download page may publish an MD5 or SHA-1 checksum purely so you can detect accidental corruption, a truncated transfer or a flipped bit, rather than deliberate tampering. Storage and backup systems often use them as a cheap de-duplication key to spot files that are probably identical before doing a byte-level comparison; that is fine when all inputs come from a trusted source, but a content-addressed store that accepts files from untrusted parties and keys on MD5 alone can be tricked into treating two different files as the same one, so the byte-level comparison must not be skipped. Legacy records may also store only an MD5 or SHA-1 value, so you still need to be able to compute those to match historical data. These are legitimate, low-stakes uses, but the common thread is that none of them depend on the hash resisting an attacker.

Why You Must NOT Use Them for Security or Evidence

The moment an adversary enters the picture, MD5 and SHA-1 stop being trustworthy. Do not use them to verify that a downloaded program is authentic, to back a digital signature, to store password fingerprints, or to certify that a piece of digital evidence is unaltered. (Passwords are a special case: even SHA-256 is the wrong tool there, because all of these functions are fast by design; use a dedicated password-hashing function such as bcrypt, scrypt or Argon2.) In an evidence or compliance setting the danger is acute. Strictly, a collision attack only lets an adversary who crafted both versions of a file swap one for the other, and replacing an existing file with a different one that has the same MD5 is still not practical. But if integrity rests on an algorithm that standards bodies have deprecated for security use, opposing counsel or an auditor can rightly point out that the value could, in principle, be matched by a substituted file, and you are left arguing about who created the file and when. That undermines the very claim the hash was meant to support. Defensible integrity requires an algorithm with no known practical collision attack, so the proof cannot be questioned on this basis.

What to Use Instead

Reach for a modern, collision-resistant hash. SHA-256 and SHA-512 from the SHA-2 family are the dependable mainstream choices and have no known practical collision attacks. Where you also want very high speed on modern hardware, BLAKE3 is an excellent current option. A strong practice is to record several modern algorithms side by side, so an integrity proof does not hinge on any single function and a verifier can match against whichever value was originally stored. Two practical caveats: compare digests with a constant-time comparison rather than ordinary string equality, and remember that a checksum published next to the file it describes only detects corruption, because whoever can replace the file can replace the checksum too; authenticity needs a digital signature over the digest. For a deeper comparison of the trade-offs, read our guide on MD5 vs SHA-256: which hash algorithm should you use. And when you need to actually compute these values, the free, offline e-Dex hash tool produces MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 in one pass, keeping the legacy values for compatibility while giving you the modern ones that matter.
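The following is an added example, not the article's or the e-Dex tool's code, that puts the policy of the last three sections into a small Python module: compute legacy and modern digests side by side in one pass, then verify a file against a manifest with an explicit purpose. A manifest that carries only MD5 or SHA-1 is accepted for a corruption check but rejected as an integrity proof, every listed digest must match, and comparisons are constant-time. The `LEGACY`/`MODERN` split, the `{algorithm: hexdigest}` manifest shape and the `purpose` parameter are assumptions made for illustration. BLAKE3 is not in Python's standard library, so the block uses the third-party `blake3` package when it is installed and otherwise records SHA-256 and SHA-512 only.

```python
"""Record and verify file digests with several algorithms side by side.

Added example, not from the article or the e-Dex tool. LEGACY/MODERN, the
manifest format and the `purpose` argument are assumptions for illustration.
"""
import hashlib
import hmac

try:
    import blake3  # third-party package; BLAKE3 is not part of hashlib
except ImportError:
    blake3 = None

# Broken for collision resistance: corruption checks and legacy matching only.
LEGACY = ("md5", "sha1")
# No known practical collision attack: acceptable as an integrity proof.
MODERN = ("sha256", "sha512") + (("blake3",) if blake3 else ())


def _new_hasher(name: str):
    if name == "blake3":
        return blake3.blake3()
    return hashlib.new(name)


def digest_all(data: bytes, algorithms=LEGACY + MODERN) -> dict[str, str]:
    """Compute every requested digest in a single pass over the data."""
    hashers = {name: _new_hasher(name) for name in algorithms}
    view = memoryview(data)
    for i in range(0, len(view), 65536):  # stream in chunks, as a file would be
        chunk = view[i:i + 65536]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data: bytes, manifest: dict[str, str], purpose: str) -> tuple[bool, str]:
    """Check `data` against a manifest of {algorithm: hexdigest}.

    purpose="integrity": an adversary is assumed, so at least one MODERN
    algorithm must be present and every listed digest must match.
    purpose="corruption": no adversary; any supported algorithm suffices.
    """
    if purpose not in ("integrity", "corruption"):
        raise ValueError("purpose must be 'integrity' or 'corruption'")
    usable = [a for a in manifest if a in LEGACY + MODERN]
    if not usable:
        return False, "manifest lists no supported algorithm"
    if purpose == "integrity" and not any(a in MODERN for a in usable):
        return False, ("manifest carries only broken algorithms (%s); "
                       "cannot establish integrity" % ", ".join(usable))
    actual = digest_all(data, tuple(usable))
    for name in usable:
        # Constant-time comparison: timing must not reveal how many bytes matched.
        if not hmac.compare_digest(actual[name], manifest[name].lower()):
            return False, f"{name} digest mismatch"
    return True, "all listed digests match (" + ", ".join(usable) + ")"


if __name__ == "__main__":
    sample = b"constructed sample file contents\n"  # constructed input
    recorded = digest_all(sample)
    for name, value in recorded.items():
        print(f"{name:7s} {value}")
    print(verify(sample, {"md5": recorded["md5"]}, "corruption"))
    print(verify(sample, {"md5": recorded["md5"]}, "integrity"))
    print(verify(sample, recorded, "integrity"))
    print(verify(sample + b"x", recorded, "integrity"))
```

The legacy digests are still computed and still checked when present, which is what lets one manifest serve both old records and new verification; the `purpose` argument is what stops a legacy-only manifest from being mistaken for an integrity proof.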

Frequently Asked Questions

Is MD5 broken?
Yes. MD5 is cryptographically broken. Researchers demonstrated practical collision attacks years ago, and today two completely different files can be crafted to share the same MD5 digest in seconds on ordinary hardware. That means an MD5 value can no longer prove that a file is the one it claims to be against a motivated adversary, so MD5 must not be used for security, signatures, or digital evidence.

Is SHA-1 also broken?
Yes. SHA-1 is broken as well. A practical collision — two distinct inputs producing the same SHA-1 digest — was publicly demonstrated, and later work made such attacks cheaper and even allowed chosen-prefix collisions. SHA-1 has been formally deprecated for security use, so it should be treated the same way as MD5: acceptable only for legacy compatibility, never for new security or evidence work.

What is a hash collision?
A hash collision is when two different inputs produce the same hash digest. A secure hash function should make finding any collision computationally infeasible. When collisions can be produced on demand, an attacker can substitute one file for another while keeping the hash identical, which destroys the guarantee that a matching hash means an unaltered file. Demonstrated collisions are exactly why MD5 and SHA-1 are considered broken.

Is it ever safe to use MD5 or SHA-1?
Only for non-security purposes where no adversary is involved, such as a quick checksum to detect accidental corruption during a download, or as a fast key for de-duplicating files. Even then it is safer to prefer a modern algorithm. For anything involving security, authentication, digital signatures, or evidence integrity, MD5 and SHA-1 must not be relied upon.

What hash algorithm should I use instead?
Use a modern, collision-resistant hash such as SHA-256 or SHA-512 from the SHA-2 family, or a current high-speed algorithm like BLAKE3. These have no known practical collision attacks and are the right choice for file integrity, signatures, and digital evidence. Recording several modern algorithms side by side makes an integrity proof even stronger.

Conclusion

Is MD5 broken? Yes — and SHA-1 with it. Both can still flag accidental corruption or help de-duplicate files, but neither can be trusted the instant an attacker is in the room. For security, signatures, and digital evidence, move to SHA-256, SHA-512 or BLAKE3, and keep the legacy values only for matching old records. You can compute all of them in seconds, fully offline, with the free e-Dex hash tool — so your integrity proofs rest on algorithms that are still standing.