Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text.

Input Text

0 characters

Case

Lowercase Uppercase

Results

Hashes will appear here

What a hash is

A cryptographic hash is a function that turns any input — a one-letter string, a 4 GB ISO image, this paragraph — into a fixed-length fingerprint. Same input always produces the same output; even a one-bit change to the input scrambles the output completely. Crucially, you can't run the function backwards: given the fingerprint, there's no efficient way to recover the original. This one-way property is what makes hashes useful for verifying integrity and storing passwords.

This tool generates four common hashes — MD5, SHA-1, SHA-256, and SHA-512 — in your browser using the Web Crypto API (and a small implementation for MD5, which the API doesn't expose). Nothing leaves your machine.

Which one to use

SHA-256 and SHA-512

The default choice for almost everything new. Both are secure as of today against any practical attack. SHA-256 is more common because most internet protocols standardized on it — TLS certificates, Bitcoin, Git's modern object hashing. SHA-512 is a touch faster on 64-bit hardware and produces a longer digest (128 hex characters instead of 64), which gives a larger margin against collision attacks decades down the road. Either is fine for integrity checks, file deduplication, and content addressing.

SHA-1

Considered cryptographically broken since 2017, when researchers demonstrated practical collisions. It's still in widespread use for legacy reasons — Git uses it for object IDs, plenty of older systems use it for HMAC — but you should not be picking it for anything new. If you're verifying a download against a published SHA-1, that's fine; if you're choosing what to publish, choose SHA-256.

MD5

Completely broken for security purposes — collisions can be generated in seconds on a laptop. It's useful only as a fast non-cryptographic checksum: detecting accidental file corruption, deduplicating cached assets, generating cache keys. Never use it for passwords, signatures, or anything an adversary might try to forge.

What you should not use this for

Storing passwords. Plain SHA-256 of a password is fast — an attacker with a stolen database can try billions of guesses per second on a single GPU. Real password hashing uses a slow, memory-hard function with a per-user salt: bcrypt, scrypt, or Argon2. If you're building auth from scratch in 2026, use Argon2id. If you're stuck with an existing system, bcrypt is acceptable.

Useful properties

Same input, same output. Hashing the string hello always gives the same SHA-256 (2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824). Different across runs would mean something is broken.
Fixed length. A SHA-256 hash is always 64 hex characters, whether the input is one byte or one terabyte.
Avalanche. Hashing hello vs. Hello produces completely unrelated outputs. There's no notion of "close" inputs producing "close" hashes.

Encoding

This tool hashes the UTF-8 bytes of whatever text you paste. If you're trying to match a hash produced from a binary file or a different encoding (UTF-16, Windows-1252), the output will not match. For file hashing, command-line tools like sha256sum or shasum -a 256 are usually the right answer.