MD5 and SHA-256 both condense data into a fixed-length fingerprint, but they serve different purposes. MD5 is 128-bit and fast, but because collisions can be created artificially it has been retired for security use. SHA-256 is 256-bit and remains a secure standard with no practical attack known to date.
If you just need to check whether a file was accidentally corrupted or want a cache key to quickly spot duplicate data, MD5 or CRC32 is plenty. They compute fast and produce short results that are easy to work with.
The moment security is involved — digital signatures, certificates, password storage, token integrity — you must use SHA-256 or stronger. If an attacker can craft fake data that shares the same hash, the verification itself becomes meaningless.
In short, the basic rule is MD5 for quick integrity checks, SHA-256 when security matters. When you're unsure, choosing SHA-256 is the safer bet. AG HASH shows both values at once, so you can pick whichever suits the situation.