Hash Generator
|
—————Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for any text. All five algorithms update simultaneously as you type. Hashing runs in the browser using the Web Crypto API.
What hashes are for
A hash function maps input of any length to a fixed-length output. Two properties make hashes useful: determinism (same input always produces the same hash) and the avalanche effect (a single character change produces a completely different hash).
Common uses: verifying that a file or payload was not corrupted in transit, generating cache keys or ETag values for HTTP responses, fingerprinting content for deduplication, and creating deterministic IDs from input data.
Algorithm security
MD5 — Cryptographically broken. Collisions are computationally feasible. Use only for non-security checksums: cache keys, content fingerprints where an adversary is not involved.
SHA-1 — Weakened. Deprecated for TLS certificates and digital signatures since 2017. Acceptable for non-security integrity checks where you trust both ends.
SHA-256 — Current standard for most security applications. Part of SHA-2. Use this when security matters.
SHA-512 — Also SHA-2, 512-bit output. No practical security advantage over SHA-256 for most applications. May be faster on 64-bit CPUs due to wider arithmetic.
Comparing hashes to verify content
To verify that two inputs are identical without comparing them directly, hash both and compare the digests. If the SHA-256 hashes match, the inputs are identical with extremely high confidence.
This is how download integrity checking works: the provider publishes a SHA-256 hash; you hash the downloaded file and compare. A mismatch means the file was modified in transit or is a different version.
This tool hashes text. To hash a binary file, use sha256sum filename on Linux/macOS or CertUtil -hashfile filename SHA256 on Windows.
Practical uses in development
Cache keys — hash the parameters of a cache lookup (URL, query string, user ID) to produce a compact, fixed-length key. SHA-256 is common; MD5 is acceptable when the cache key is not security-sensitive.
HTTP ETags — a hash of a resource's content makes a reliable ETag. When the content changes, the hash changes, invalidating browser and CDN caches automatically.
Webhook payload verification — services like Stripe, GitHub, and Shopify sign webhook payloads with HMAC-SHA256. The receiver computes the same HMAC using the shared secret and compares it to the signature header. This tool computes plain hashes, not HMAC, but helps you verify the hash function and encoding before writing the code.
Content deduplication — hash file or record content before inserting to detect duplicates. If a hash already exists in the database, the content is a duplicate regardless of filename or metadata.
Build artifact fingerprinting — CI pipelines hash build outputs to detect when a rebuild is needed and to verify artifact integrity before deployment.
SHA-256("GET /api/products?page=2&category=electronics") → fixed 64-char hexETag: "a3f5c8d2e9b1..." (hash of response body)INSERT ... WHERE NOT EXISTS (SELECT 1 FROM files WHERE sha256 = $hash)Generating hashes in code and on the command line
Node.js provides the crypto module for synchronous hashing. For text inputs, specify the encoding when calling digest(). The Web Crypto API (used by this tool) is available in browsers and modern Deno/Node environments.
Python's hashlib module supports all algorithms shown here. Always encode the input string to bytes before hashing — hashlib does not accept bare strings.
On the command line, sha256sum (Linux/macOS) and CertUtil (Windows) hash files directly without reading them into memory, which is important for large files.
const { createHash } = require('crypto');
createHash('sha256').update('hello').digest('hex');createHash('sha512').update('hello').digest('hex');import hashlib
hashlib.sha256(b'hello').hexdigest()hashlib.md5(b'hello').hexdigest()sha256sum filename.zipCertUtil -hashfile filename.zip SHA256Frequently Asked Questions
- Can I reverse a hash to get the original input?
- No. Hash functions are one-way by design. You cannot recover the original input from the output. This irreversibility is a fundamental property.
- Why do MD5 and SHA-1 still appear in the output?
- They remain in use for non-security purposes: checksums, cache keys, and legacy systems. This tool shows them so you can reproduce expected values when debugging or testing systems that use them.
- What if two different inputs produce the same hash (collision)?
- For SHA-256 and SHA-512, no practical collision has been demonstrated. For MD5 and SHA-1, collisions exist and can be constructed by an adversary. For non-adversarial checksums, this is not a concern.
- Does the hash change if I add a space or change case?
- Yes. Hashes are extremely sensitive to input — a single character difference produces a completely different digest. "hello" and "Hello" produce entirely different SHA-256 hashes.
- What is the output format — hex or something else?
- This tool outputs lowercase hexadecimal (base-16). Each byte of the hash digest is represented as two hex characters. SHA-256 produces 32 bytes → 64 hex characters. SHA-512 produces 64 bytes → 128 hex characters. MD5 produces 16 bytes → 32 hex characters. Some systems use Base64 instead — convert the hex string to bytes and then Base64-encode if needed.
- Can I use SHA-256 to store passwords?
- No. Plain SHA-256 (and MD5, SHA-1, SHA-512) are too fast — a GPU can test billions of SHA-256 guesses per second against a leaked hash database. Use bcrypt, Argon2id, or scrypt instead. These algorithms are deliberately slow and memory-intensive, making brute-force attacks impractical even with modern hardware.