# Hashing ## Overview This page contains recommendations for choosing a hashing algorithm. ## General
* If you need to hash passwords see the the [Authentication: Password Storage](/application-security-handbook/web-application/authentication/password-storage.md) page. * For other data, use a hashing algorithm from the `SHA-2` or `SHA-3` family. * Do **not** use vulnerable hashing algorithms from the list below. You can find examples of collision attacks at .
Vulnerable hash algorithms * `MD4` * `MD5` * `SHA-0` * `SHA-1` * `HAVAL-128` * `PANAMA` * `RIPEMD`
## Hashing implementation
{% tabs %} {% tab title="Go" %} Use the implementation of hash algorithms from the [crypto](https://pkg.go.dev/crypto) package, such as [crypto/sha256](https://pkg.go.dev/crypto/sha256) or [crypto/sha512](https://pkg.go.dev/crypto/sha512). You can find the whole list at ```go package main import ( "crypto/sha256" "fmt" ) func main() { p := []byte("random string for hashing") hash := sha256.New() fmt.Printf("%x\n", hash.Sum(p)) } ``` {% endtab %} {% tab title="Java" %} Use the [java.security.MessageDigest](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/MessageDigest.html) class for hashing implementation. **MessageDigest is not thread-safe**. Use a new instance for every thread. ```java import java.security.MessageDigest; import java.nio.charset.StandardCharsets; import java.security.NoSuchAlgorithmException; public static String sha256Hash(String data) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-256"); byte[] encodedHash = digest.digest(data.getBytes(StandardCharsets.UTF_8)); return toHex(encodedHash) } public static String sha3256Hash(String data) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA3-256"); byte[] encodedHash = digest.digest(data.getBytes(StandardCharsets.UTF_8)); return toHex(encodedHash) } private static String toHex(byte[] byteArray) { String hex = ""; for (byte i : byteArray) { hex += String.format("%02x", i); } return hex; } ``` {% endtab %} {% tab title="Node.js" %} Use the [crypto](https://nodejs.org/api/crypto.html) package for hashing implementation. The list of supported algorithms is dependent on the available algorithms supported by the version of OpenSSL on the platform. Use `openssl list -digest-algorithms` to display the available digest algorithms. ```javascript const { createHash } = await import('node:crypto'); async function sha256_digest(data) { const hash = createHash('sha256'); hash.update(data); return hash.digest('hex'); } ``` {% endtab %} {% tab title="Python" %} Use the [hashlib](https://docs.python.org/3/library/hashlib.html) package for hashing implementation. You can find the list of available algorithms [here](https://docs.python.org/3/library/hashlib.html#constructors). ```python import hashlib def sha256_digest(data: str) -> str: encoded_data = data.encode('utf-8') hash = hashlib.sha256(encoded_data) return hash.hexdigest() def sha3_256_digest(data: str) -> str: encoded_data = data.encode('utf-8') hash = hashlib.sha3_256(encoded_data) return hash.hexdigest() ``` {% endtab %} {% endtabs %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xn3va.gitbook.io/application-security-handbook/web-application/cryptography/hashing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.