Hash function security summary

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Common hash functions

Collision resistance

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2⁶⁴	2¹⁸ time	2013-03-25	This attack takes seconds on a regular PC. Two-block collisions in 2¹⁸, single-block collisions in 2⁴¹.
SHA-1	2⁸⁰	2^61.2	2020-01-08	Paper by Gaëtan Leurent and Thomas Peyrin
SHA256	2¹²⁸	31 of 64 rounds	2013-05-28	Two-block collision.
SHA512	2²⁵⁶	24 of 80 rounds	2008-11-25	Paper.
SHA-3	Up to 2⁵¹²	6 of 24 rounds	2017	Paper.
BLAKE2s	2¹²⁸	2.5 of 10 rounds	2009-05-26	Paper.
BLAKE2b	2²⁵⁶	2.5 of 12 rounds	2009-05-26	Paper.

Chosen prefix collision attack

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2⁶⁴	2³⁹	2009-06-16	This attack takes hours on a regular PC.
SHA-1	2⁸⁰	2^63.4	2020-01-08	Paper by Gaëtan Leurent and Thomas Peyrin
SHA256	2¹²⁸
SHA512	2²⁵⁶
SHA-3	Up to 2⁵¹²
BLAKE2s	2¹²⁸
BLAKE2b	2²⁵⁶

Preimage resistance

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2¹²⁸	2^123.4	2009-04-27	Paper.
SHA-1	2¹⁶⁰	45 of 80 rounds	2008-08-17	Paper.
SHA256	2²⁵⁶	43 of 64 rounds	2009-12-10	Paper.
SHA512	2⁵¹²	46 of 80 rounds	2008-11-25	Paper, updated version.
SHA-3	Up to 2⁵¹²
BLAKE2s	2²⁵⁶	2.5 of 10 rounds	2009-05-26	Paper.
BLAKE2b	2⁵¹²	2.5 of 12 rounds	2009-05-26	Paper.

Length extension

Vulnerable: MD5, SHA1, SHA256, SHA512
Not vulnerable: SHA384, SHA-3, BLAKE2
Less-common hash functions

Collision resistance

Hash function	Security claim	Best attack	Publish date	Comment
GOST	2¹²⁸	2¹⁰⁵	2008-08-18	Paper.
HAVAL-128	2⁶⁴	2⁷	2004-08-17	Collisions originally reported in 2004, followed up by cryptanalysis paper in 2005.
MD2	2⁶⁴		2009	Slightly less computationally expensive than a birthday attack, but for practical purposes, memory requirements make it more expensive.
MD4	2⁶⁴	3 operations	2007-03-22	Finding collisions almost as fast as verifying them.
PANAMA	2¹²⁸	2⁶	2007-04-04	Paper, improvement of an earlier theoretical attack from 2001.
RIPEMD	2⁶⁴	2¹⁸ time	2004-08-17	Collisions originally reported in 2004, followed up by cryptanalysis paper in 2005.
RadioGatún	Up to 2⁶⁰⁸	2⁷⁰⁴	2008-12-04	For a word size w between 1-64 bits, the hash provides a security claim of 2^9.5w. The attack can find a collision in 2^11w time.
RIPEMD-160	2⁸⁰	48 of 80 rounds	2006	Paper.
SHA-0	2⁸⁰	2^33.6 time	2008-02-11	Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.
Streebog	2²⁵⁶	9.5 rounds of 12	2013-09-10	Rebound attack.
Whirlpool	2²⁵⁶	4.5 of 10 rounds	2009-02-24	Rebound attack.

Preimage resistance

Hash function	Security claim	Best attack	Publish date	Comment
GOST	2²⁵⁶	2¹⁹²	2008-08-18	Paper.
MD2	2¹²⁸	2⁷³ time, 2⁷³ memory	2008	Paper.
MD4	2¹²⁸	2¹⁰² time, 2³³ memory	2008-02-10	Paper.
RIPEMD	2¹²⁸	35 of 48 rounds	2011	Paper.
RIPEMD-128	2¹²⁸	35 of 64 rounds	2011	Paper.
RIPEMD-160	2¹⁶⁰	31 of 80 rounds	2011	Paper.
Streebog	2⁵¹²	2²⁶⁶ time, 2²⁵⁹ data	2014-08-29	The paper presents two second-preimage attacks with variable data requirements.
Tiger	2¹⁹²	2^188.8 time, 2⁸ memory	2010-12-06	Paper.

Attacks on hashed passwords

Hashes described here are designed for fast computation and have roughly similar speeds. Because most users typically choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors.
Special hashes called key derivation functions have been created to slow brute force searches. These include pbkdf2, bcrypt, scrypt, argon2, and balloon.

Hash function security summary

Table color key

Common hash functions

Collision resistance

Chosen prefix collision attack

Preimage resistance

Length extension

Less-common hash functions

Collision resistance

Preimage resistance

Attacks on hashed passwords