Hash Generator — MD5, SHA-1, SHA-256, SHA-512
Compute cryptographic hashes of any text. Live updates as you type. Uses the browser's native WebCrypto API (SHA family) plus an MD5 implementation. Nothing is uploaded.
What is a hash?
A cryptographic hash function takes any input — a few characters or a multi-gigabyte file — and produces a fixed-size output (the "hash" or "digest") that uniquely fingerprints the input. The function is one-way: given the hash, there's no practical way to recover the original input. Hashes are everywhere in modern computing: file integrity checks, password storage, digital signatures, blockchain transactions, deduplication, change detection.
This tool computes five common hashes of any input text: MD5 (128-bit), SHA-1 (160-bit), SHA-256 (256-bit), SHA-384 (384-bit), and SHA-512 (512-bit). The SHA family is computed using the browser's WebCrypto API; MD5 is implemented in JavaScript because it's no longer included in WebCrypto for security reasons.
Which hash should you use?
- MD5 — 128 bits. Fast but cryptographically broken since 2004. Use only for non-security purposes: file deduplication, change detection, ETags, content-addressable storage. Never for passwords or security signatures.
- SHA-1 — 160 bits. Also broken (Google demonstrated a collision in 2017). Use only when forced by legacy systems (e.g. Git, older code-signing). Deprecated for security.
- SHA-256 — 256 bits. The current workhorse. Use for file integrity, digital signatures, blockchain (Bitcoin uses it), TLS certificates, code signing. Considered secure for the foreseeable future.
- SHA-384 — 384 bits. Truncated SHA-512. Used by high-security TLS configurations and some government standards.
- SHA-512 — 512 bits. Stronger than SHA-256, slightly faster on 64-bit hardware. Used where extra margin against future attacks matters.
What hashes are used for
- File integrity — verify a downloaded file matches the publisher's hash to detect corruption or tampering.
- Password storage — but only via dedicated password-hashing algorithms (bcrypt, scrypt, Argon2), not plain SHA. Plain SHA is too fast — attackers can brute-force common passwords.
- Digital signatures — sign a hash, not the file, because the hash is small and unique.
- Blockchain — Bitcoin uses SHA-256 twice for block hashing.
- Content-addressable storage — Git, IPFS, Docker use SHA hashes as content IDs.
- Deduplication — backup systems hash files to identify duplicates.
- ETags — HTTP caching tags often use a content hash.
- Anonymisation — hash personal identifiers when you only need to compare equality (with caveats; not full anonymisation).
DON'T use plain hashes for passwords
SHA-256 is fast — billions of hashes per second on a modern GPU. That speed means an attacker with a stolen password database can try every common password in minutes. Use a slow, salt-aware password hashing function: bcrypt (most common), scrypt, or Argon2 (the modern best choice). These are intentionally slow and salted, raising the cost of brute force by many orders of magnitude.
Hash properties
- Deterministic — same input always produces same output.
- Fixed-length output — regardless of input size.
- Avalanche effect — a tiny change in input produces a completely different hash.
- Preimage-resistant — given a hash, no practical way to find the input.
- Collision-resistant — no practical way to find two inputs with the same hash (broken for MD5 and SHA-1).
Tips and best practice
- For new code, default to SHA-256.
- For passwords, use bcrypt / Argon2, never plain SHA.
- Hashes are hex-encoded by convention. Some systems use Base64 — be aware of the difference.
- SHA-256 of empty string is
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855— memorise it if you do this often. - Hash collisions in MD5 are real but rare for normal data. Don't use it where adversaries can craft inputs.
FAQs
Is the input ever sent to a server?
No. Hashing runs entirely in your browser using the native WebCrypto API (SHA family) and JS code for MD5.
Why is MD5 included if it's insecure?
MD5 is still widely used for non-security tasks (ETags, file IDs, deduplication). The tool labels it clearly.
Can I hash a file?
Not in this tool — text only. File hashing is on the roadmap.
Are SHA hashes case-sensitive?
Hash inputs are case-sensitive — "Hello" and "hello" produce different hashes. Output hex is conventionally lowercase.