Hash Generator
Generate MD5, SHA-1, SHA-256 and SHA-512 hashes from any text. Runs in your browser.
About hashes
- MD5 and SHA-1 are cryptographically broken, fine for file checksums, but never use them for passwords or signatures.
- SHA-256 and SHA-512 are still considered secure for general hashing needs.
- For password storage, use bcrypt, argon2 or scrypt, not plain SHA.
- All hashing happens locally via the Web Crypto API and a small MD5 library; your text never leaves the browser.
Frequently asked questions
Which hash should I use?
For integrity or fingerprints use SHA-256 or stronger. MD5 and SHA-1 remain useful for non-security tasks like cache busting but are broken for collision resistance and must not be used for passwords or signatures.
Are my files uploaded to compute the hash?
No. Hashing runs entirely with the Web Crypto API in your browser. The bytes never leave your device.
Can I hash very large files?
Files up to several gigabytes work, though hashing is naturally slower for big inputs because the entire content must be read. Chunked streaming is used to avoid loading the file in memory all at once.
Why does the same input always give the same hash?
That is by definition. A hash function is deterministic: identical input always produces identical output, which is what makes hashes useful for fingerprints.
One-way functions: what hashes guarantee and what they do not
A cryptographic hash maps any input to a fixed-size digest: SHA-256 always emits 256 bits (64 hex characters) whether you feed it one byte or a 4 GB file. The guarantees that matter are determinism (same input, same digest, forever), the avalanche effect (changing one bit flips about half the output bits), and one-wayness (no practical route from digest back to input). A hash is not encryption... nothing is locked, there is no key, and there is nothing to decrypt. It is a fingerprint.
Choosing an algorithm in 2026
- MD5 (128-bit) is cryptographically broken: collisions can be manufactured at will. Acceptable only for non-adversarial checksums like detecting accidental file corruption.
- SHA-1 is also broken for collision resistance (demonstrated publicly in 2017) and is being removed from certificates and Git's internals.
- SHA-256 is the current general-purpose standard: file integrity, signatures, blockchain, API request signing.
- For passwords, none of the above. Fast hashes are exactly wrong for passwords because attackers can try billions per second. Password storage needs deliberately slow, salted algorithms: bcrypt, scrypt or Argon2.
Practical verification workflow
When a download page publishes a SHA-256 checksum, hash the file you received and compare strings. A single differing character means a different file, whether through corruption or tampering. Compare the full digest, not just the first few characters: truncated comparison is how lookalike attacks slip through.
Hashes in everyday developer work
Beyond security, hashes serve as universal fingerprints. Git identifies every commit by hash, which is why two repositories can verify they hold identical history without comparing files. Build tools fingerprint assets (app.8f3a2c.js) so browsers cache aggressively yet update instantly when content changes. Deduplication systems detect identical files by digest regardless of filename. And ETags let a server say "you already have this" by comparing hashes instead of bytes. In all four, the property doing the work is the same: equal content, equal hash; any change, a completely different one.
Advertisement