What Is a Hash & Checksum?
What is a hash, in plain English?
A hash is a short digital fingerprint of a file or piece of text. You feed any amount of data into a hashing function, and it spits out a fixed-length string of characters that, for practical purposes, uniquely represents that exact input. A "checksum" is simply a hash used for one specific purpose: checking that data hasn't changed. The two words are often used interchangeably.
For example, the SHA-256 hash of the word hello is always 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. It doesn't matter what computer you run it on or when — the same input always produces that same fingerprint. Change even one character and the result is completely different.
The same input always gives the same hash
This is the property that makes hashes useful. Hashing is deterministic: identical input, identical output, every time, everywhere. Two key behaviors follow from that:
- It's a one-way function. You can easily turn a file into its hash, but you can't turn a hash back into the file. The fingerprint reveals nothing about the original contents — it just identifies them.
- Tiny changes cause huge changes. Flipping a single bit anywhere in a 4-gigabyte file produces a totally different hash. There's no "close" — fingerprints either match exactly or they don't. This is sometimes called the avalanche effect.
Because the output is a fixed length no matter how big the input is, you can compare two enormous files by comparing two short strings. That's the whole trick.
MD5 vs SHA-1 vs SHA-256
These are the three hashing algorithms you'll run into most often. They all produce fingerprints, but they differ in length and in how secure they are.
- MD5 produces a 128-bit hash, written as 32 hexadecimal characters. It's old, fast, and still common for quick integrity checks — but it is broken for security. Researchers can deliberately craft two different files that share the same MD5 hash, a trick called a collision. That means MD5 can't prove a file wasn't swapped by an attacker.
- SHA-1 produces a 160-bit hash (40 hex characters). It's stronger than MD5 but has also been broken — a practical collision was demonstrated in 2017. Browsers and software vendors have phased it out for anything security-sensitive.
- SHA-256 is part of the SHA-2 family and produces a 256-bit hash (64 hex characters). It has no known practical collisions and is the modern standard for verifying downloads, signing software, and securing data. When you have a choice, use SHA-256.
The rule of thumb: MD5 and SHA-1 are fine for catching accidental corruption, but you should never trust them to prove a file wasn't deliberately tampered with. For that, reach for SHA-256.
The classic use: verifying a download
Here's where hashes earn their keep. When you download software — especially something large like an operating system image — the publisher usually posts the file's official checksum next to the download link. After your download finishes, you compute the hash of the file you actually received and compare it to the published value.
- If the two hashes match, your copy is bit-for-bit identical to what the publisher released. Nothing was corrupted in transit and nothing was altered.
- If they don't match, something is wrong. The download may have been interrupted or corrupted, or — in the worst case — the file may have been swapped for a tampered version. Either way, don't run it.
This catches both honest mistakes and malicious ones. A flaky connection that drops a few bytes will fail the check just as surely as a hacked mirror serving a trojaned installer. And because hashing a file reveals nothing about its contents, you can verify a download entirely on your own machine — no need to send anything anywhere.
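The check described above, as an added example that is not part of the original article: it hashes a file in chunks, parses a published checksum line in the `HEX  filename` layout that `sha256sum` writes, and compares the two. The file name `installer.img` and the sample payload are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line):
    """Parse one 'HEX  filename' line (a leading '*' on the name marks binary mode)."""
    expected, _, name = line.strip().partition(" ")
    expected = expected.lower()  # publishers post upper or lower case hex
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("not a SHA-256 hex digest: %r" % expected)
    return expected, name.strip().lstrip("*")


def verify_download(path, checksum_line):
    """Return True only if the file's SHA-256 equals the published value exactly."""
    expected, _name = parse_checksum_line(checksum_line)
    return sha256_file(path) == expected


def demo():
    """Constructed sample: a stand-in download, its published line, then a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.img")  # hypothetical file name
        data = b"constructed sample payload\n" * 1000
        with open(path, "wb") as fh:
            fh.write(data)
        published = hashlib.sha256(data).hexdigest().upper() + "  installer.img"
        intact = verify_download(path, published)
        with open(path, "r+b") as fh:  # simulate corruption or tampering: alter one byte
            fh.seek(10)
            fh.write(b"X")
        altered = verify_download(path, published)
    return intact, altered


if __name__ == "__main__":
    print(demo())
```

Rejecting any value that is not 64 hex characters keeps an MD5 or SHA-1 string from being compared against a SHA-256 digest by mistake.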
One caveat worth knowing
A matching checksum only proves the file matches the published value. If an attacker can change both the file and the checksum on the same page, the check passes on a bad file. That's why publishers often post checksums over HTTPS, or pair them with a digital signature. For everyday use, though, comparing a SHA-256 checksum is a fast, powerful way to confirm a download is exactly what it should be.
Generate a hash without installing anything
Need the MD5 or SHA-256 of a file or a snippet of text? Our free hash generator runs entirely in your browser, so the file never leaves your device. Drop it in and compare the fingerprint to the publisher's checksum in seconds.